“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” – Robert S. Mueller, III, Director, Federal Bureau of Investigation.
With the rising use of electronically stored data, including increasing reliance on cloud storage, there has been a growing need for cybersecurity. Regarding data breaches, companies face a confluence of legal issues, including discrepancies between statutes. These are the basics business owners need to keep in mind:
What is a Data Breach?
Attacks on security come in various forms ranging from nuisance (spam, botnets) to intrusive (data theft, theft of intellectual property or monetizable data) and in extreme cases can be disruptive or destructive (denial of service, defamation and defacement, deleted data).
There were 783 data breaches in 2014 according to the Identity Theft Resource Centre, as reported by the Economist. The average cost to U.S. companies following a data breach in 2014 was $6.5 million. Costs include: reputation damage, loss of customers, forensic investigation and remediation, credit monitoring for victims, lost revenue, fines and costs for added security, intellectual property theft, litigation expenses, and more. In Texas, the penalty can be between $2,000-$50,000 per violation. The average cost of legal fees is $575,000, not including settlement costs. Furthermore, companies can face nonmonetary consequences if sued for a data breach. In the case of FTC v. Wyndham Worldwide Corporation, Wyndham recently settled with the FTC and agreed to 20 years of monitoring. “The consequences of an intrusion are more than just money sometimes,” notes Michael Chu* of the U.S. Department of Justice. “It’s one thing to lose money, but it’s another thing to have the reputation or the goodwill that your company has built up over the years to be eroded away.”
Since 2002, the FTC has brought over 50 cases against companies engaged in unfair or deceptive practices that put consumer data at unreasonable risk. Since there is no comprehensive federal code, the FTC uses a case-by-case approach, which makes it difficult for companies to predict what will trigger agency action. However, there are basic steps you can take to make sure you are taking reasonable measures to protect your company’s data.
How to prepare for a breach
The Economist estimates that the average time between an attacker breaching a network and its owner noticing the intrusion is 205 days. Therefore, a company protocol that enables swift detection and reaction is key.
Periodically review an incident response plan:
Make sure the plan is clearly laid out and kept up to date with your company’s current information systems. In response to Obama’s Executive Order in February of 2013, the National Institute of Standards and Technology released the Cyber Security Framework for Critical Infrastructure Organizations. Nicole Perry, an attorney who has handled cybersecurity cases at Jones Day, recommends this document as a starting point for forming a plan. “It’s a framework that provides guidelines for how companies can come up with security policies and incident response plans,” Perry explains.
Identify your team:
A good response team should include management, IT & security, legal experts, compliance, public relations, customer care, investor relations, and human resources.
Conduct tabletop exercises:
According to Christopher Koa, an attorney who leads cybersecurity, data breach and technology transactions matters at Dorsey & Whitney, the scenario of a data breach should be re-enacted in a time of peace. Ask your team what the worst-case scenario could be and practice the response strategy before a breach occurs. Decide in advance whom to notify first, so that calm can be maintained in the event of a breach.
Review insurance policies:
Perry also recommends cybersecurity insurance as a means to protect your company. First-party insurance may allow for reimbursement of direct costs, while third-party insurance may allow for reimbursement of legal costs and regulatory fines. However, keep in mind that reimbursement is not guaranteed.
Identify potential notification obligations:
Notice may be required to the affected resident, state attorney general, or other agencies. Keep up to date with the statutes and regulatory codes in your jurisdiction.
Establish relationships with regulators and law enforcement:
Always keep the number of a contact on hand. “The Department of Justice’s first interest is to protect the victim, and second to preserve evidence, so the sooner a breach is reported the better,” says Chu.
Responding to a Breach
Even with thorough security measures, it is clear that breaches still occur. Major cases of company data leaks include Sony Pictures Entertainment, Target, Ubiquiti Networks, and, notoriously, AshleyMadison.com. The major legal issue during a breach is notice. Notification may be required to the affected resident, the state attorney general, or other agencies. Currently, 47 of 50 states have specific statutes that require notification to consumers (New Mexico, South Dakota, and Alabama do not). Multistate companies must keep in mind that they may need to notify consumers using different forms in different states in order to comply with the regulations and statutes of the states where the company operates and/or where the consumers reside.
Chu urges companies that suffer a data breach to notify law enforcement. Chu points out that although breach notification statutes require victims to notify their customers, most statutes provide that this notification can be delayed at law enforcement’s request if law enforcement deems that such a delay would assist its investigation. In other words, most states accept a delay in notifying consumers if a company delays in order to comply with law enforcement’s requests. Addressing victims’ concern that reporting a data breach would mean losing control of the process, Chu assures that notifying law enforcement does not mean the process will be taken completely out of the company’s control, nor that the government gains unfettered access to company data. “Moreover, by notifying law enforcement, victims would gain a partner who could help victims figure out who caused the data breach and the extent to which damages may have resulted,” says Chu. Indeed, agencies are making it easier for companies to come forward. The Cybersecurity Information Sharing Act, a proposed law which passed in the Senate near the end of October, provides liability protections to companies that report threat information to the government. “And that’s the key – that’s what companies have been fighting for, for several years now,” says Perry.
Emerging Trends in Cybersecurity
As experts learn more about the nature of secured data, new legislation is being passed to respond to trends in cybersecurity. A strong trend is the expansion of the definition of sensitive information. In Texas, the statute was amended in June 2013; sensitive information is now defined to include social security number, driver’s license number, any account number with a security code, and health information. Another shift is that whereas statutes once vaguely required notification “without undue delay,” they are being amended to provide specific notice timing, which can be anywhere from 30 to 90 days.
*The opinions presented are not necessarily those of the Department of Justice.