Tina Li

Cybersecurity in an Unsafe Market

“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” – Robert S. Mueller, III, Director, Federal Bureau of Investigation.

With the rising use of electronically stored data, including increasing reliance on cloud storage, there has been a need for increased cybersecurity. Regarding data breach, companies face a confluence of legal issues including discrepancies in statutes. These are the basics business owners need to keep in mind:

 What is a Data Breach?

Attacks on security come in various forms ranging from nuisance (spam, botnets) to intrusive (data theft, theft of intellectual property or monetizable data) and in extreme cases can be disruptive or destructive (denial of service, defamation and defacement, deleted data).

There were 783 data breaches in 2014 according to the Identity Theft Resource Centre as reported by the Economist. The average cost to U.S. companies following a data breach in 2014 was $6.5 million. Costs include: reputation damage, loss of customers, forensic investigation and remediation, credit monitoring for victims, lost revenue, fines and costs for added security, intellectual property theft, litigation expenses, and more. In Texas, the penalty can be between $2,000-$50,000 per violation. The average cost of legal fees is $575,000, not including settlement costs. Furthermore, companies can face nonmonetary consequences if sued for data breach. In the case of FTC v. Wyndham Worldwide Corporation, Wyndham recently settled with FTC and agreed to 20 years of monitoring. “The consequences of an intrusion are more than just money sometimes,” notes Michael Chu* of the U.S. Department of Justice. “It’s one thing to lose money, but it’s another thing to have the reputation or the goodwill that your company has built up over the years to be eroded away,” says Chu.

The FTC has brought over 50 cases against companies engaged in unfair or deceptive practices that have put consumer data at unreasonable risk since 2002. Since there is no comprehensive federal code, the FTC uses a case-by-case approach which makes it difficult for companies to predict what will trigger agency action. However, there are basic steps you can take to make sure you are taking reasonable steps to protect your company’s data.

How to prepare for a breach

The Economist estimates that the average time between an attacker breaching a network and its owner noticing the intrusion is 205 days. Therefore a company protocol to enable swift detection and reaction is key.

Periodically review an incident response plan:

Make sure the plan is clearly laid out and kept up to date with your company’s current information systems. In response to Obama’s Executive Order in February of 2013, the National Institute of Standards and Technology released the Cyber Security Framework for Critical Infrastructure Organizations. Nicole Perry, an attorney who has handled cybersecurity cases at Jones Day, recommends this document as a starting point for forming a plan. “It’s a framework that provides guidelines for how companies can come up with security policies and incident response plans,” Perry explains.

Identify your team:

A good response team should include management, IT & security, legal experts, compliance, public relations, customer care, investor relations, human resources.

Conduct tabletop exercises:

According to Christopher Koa, an attorney who leads  cybersecurity, data breach and technology transactions matters at Dorsey & Whitney, the scenario of a data breach should be re-enacted in a time of peace. Ask your team what the worst case scenario could be and practice the response strategy before a breach occurs. Decide the order of who to notify first to maintain calm in the event of a breach.

Review insurance policies:

Perry also recommends cybersecurity insurance as a means to protect your company. First party insurance may allow for reimbursement of direct costs, while third party insurance may allow for reimbursement of legal costs and regulatory fines. However, keep in mind reimbursement is not a guarantee.

  • What Should I Pay My Employees?

    October 21, 2014

    If your small business is about to begin to hire its first employees, you may be puzzled about how much to pay them. If you offer too little, you won’t be able to hire who …

  • 10 Tips to Prevent Business Litigation

    September 24, 2015

    An ounce of prevention, as they say, is really just sound business practice. Litigation can be ruinously expensive and may force a business into liquidation. Even a “win” can devour the time and energy you need to …

  • Product Liability 101 for Small Importers

    September 16, 2014

    Global sourcing has lots of exciting potential. The recent entry of Alibaba.com onto the global stage along with others such as the FITA Buy/Sell Exchange, Euro Pages and Global Sources seems to presage a new …

  • Diversity, Employment Discrimination and Inclusion

    September 17, 2015

    Diversity in the workplace, a totally laudable goal, is actually harder to achieve than many employers appreciate, and ill-conceived or badly executed efforts can actually make things worse, opening the door to legal liability.  To …

  • Can An Employer Be Held Liable For An Employee's Facebook Post? [e259]

    March 14, 2016

    The guys kick off the week by discussing the lawsuit in Hawaii where an employee posted a defamatory remark about a customer and tried to hold the employer liable. They also discuss the new anti-discrimination and …

  • Can You Get Fired For Being Racist? [e215]

    August 17, 2015

    Nasir and Matt discuss how racism led to employees getting fired and another instance where a judge overturned a decision to terminate a racist employee. Transcript: NASIR: Okay. Welcome to our podcast where we cover business in …

  • Can Employers Still Use Credit History in Hiring?

    June 18, 2015

    Job seekers hate credit checks. They see it as invasive data collection with only remote relevance to job performance. It has also been argued that credit checks unfairly burden those who have or have had …

  • What to do When a Customer Accuses an Employee of Theft

    July 02, 2015

    This is one of those managerial headaches that may make life on a desert island look attractive. You don’t want to lose the customer or expose your business to accusations of wrongdoing, but you also …

  • Advertising & Marketing: A Legal Guide for Small Business

    December 16, 2014

    Staying compliant with advertising and marketing is simple if you focus on just being truthful and clear with your customers. The rest is just understanding some subtleties on how to navigate the common legal traps in …

  • The Consequences of Scraping Data From A Competitor [e221]

    September 07, 2015

    The guys discuss the lawsuit filed by PhantomAlert against Waze concerning accusations of data scraping a database. Transcript: NASIR: All right. Welcome to our podcast where we cover business in the news and add our legal twist. …

Identify potential notification obligations:

Notice may be required to the affected resident, state attorney general, or other agencies. Keep up to date with the statutes and regulatory codes in your jurisdiction.

Establish relationships with regulators and law enforcement:

Always keep the number of a contact on hand. “The Department of Justice’s first interest is to protect the victim, and second to preserve evidence, so the sooner a breach is reported the better,” says Chu.

Responding to a Breach

Even with thorough security measures, it is clear that breaches still occur. Major cases of data leaks of company data include Sony Picture Entertainment, Target, Ubiquiti Networks, and notoriously, AshleyMadison.com. The major legal issue during a breach is notice. Notification may be required to the affected resident, the state attorney general, or other agencies. Currently 47 of 50 states have specific statutes that require notification to consumers (New Mexico, South Dakota, and Alabama do not). Multistate companies must keep in mind that they may need to notify consumers with different forms across different states in order to comply with the state regulations and statutes where the company operates and/or where the consumers reside.

Chu urges companies who suffer a data breach to notify law enforcement. Chu points out that although breach notification statutes require victims to notify their customers, most statutes provide that this notification can be delayed at law enforcement’s request if law enforcement deems that such a delay would assist their investigation. In other words, it is acceptable to most states to delay notifying consumers if a company does so in order to comply with law enforcement’s requests. Addressing victim concerns that, if they reported a data breach, they would lose control of the process, Chu assures that notifying law enforcement does not mean the process will be completely taken out of the company’s control, allowing the government unfettered access to company data. “Moreover, by notifying law enforcement, victims would gain a partner who could help victims figure out who caused the data breach and the extent to which damages may have resulted,” says Chu. Indeed, agencies are making it easier for companies to come forward. The Cybersecurity Information Sharing Act, a proposed law which passed in the Senate near the end of October, provides liability protections to companies who report threat information to the government. “And that’s the key – that’s what companies have been fighting for, for several years now,” says Perry.

Emerging Trends in Cybersecurity

As experts learn more about the nature of secured data, new legislation is being passed to respond to trends in cybersecurity. A strong trend is the expansion of the definition of sensitive information. In Texas the statute was amended in June 2013. Currently, sensitive information is now defined to include social security number, driver’s license number, any account number with a security code, and health information. Another shift is that whereas statutes vaguely required notification without undue delay, statutes are being amended to provide specific notice timing, which can be anywhere from 30 to 90 days.

*The opinions presented are not necessarily those of the Department of Justice.

Read More