Financial Poise
Personal Data Breach

When Collecting Personal Data, Restraint and Insurance are Key

Understand the Stakes of Collecting Personal Data and the Methods to Avoid Becoming a Victim-Defendant

Cybersecurity is a growing concern for companies big and small, but especially for those that are currently collecting personal data, whether from customers or employees. Consider the following statistics from Verizon’s 2020 Data Breach Investigations Report, which analyzed 157,525 cybersecurity incidents.

  • 86% of breaches were financially motivated
  • 58% of breaches involved personal data, nearly twice the number of 2019 breaches
  • 28% of breaches involved small businesses
  • Credential theft, social attacks (i.e., phishing and business email compromise) and errors caused the majority of breaches
  • 70% of breaches were caused by outsiders

Cybersecurity law has been called many things in recent years: evolving, complex, varied, cutting-edge—even hilarious. Ok, maybe not the last one. But I would offer another phrase that can serve as a key takeaway from this article. This phrase also highlights the importance of strong cybersecurity from a legal perspective when collecting personal information. That phrase would be: victim-defendants.

What does this phrase mean exactly? If victimized by a hacker, your business could be sued as a result of the data breach. So, while you may be the victim of a breach, you may also have to act as a defendant in court.

How a Data Breach of Personal Information Is Different

Businesses are accustomed to protecting their own sensitive information, such as trade secrets, other intellectual property and financial information. If that information were stolen, the business would have a claim against the bad actor and wouldn’t necessarily expect to be sued.

Cybersecurity law is different, because businesses often are sued after a data breach.

If you think of personal information as belonging to the customers or employees who provided their data, rather than as belonging to the business, you’ll see why cybersecurity raises many legal issues. You’ll also see how a business victimized by a data breach can become a defendant in a lawsuit.

The following are some of the major aspects of cybersecurity law. Understanding these issues will go a long way toward creating a legally compliant cybersecurity program and avoiding becoming a victim-defendant after a data breach.

The Basics of Collecting Personal Data

Cybersecurity law pertains to when an individual’s “personal information” is stolen or otherwise accessed by someone without authority. Businesses should understand what constitutes “personal information” as they often hold more of it than they realize.

Generally, personal information is someone’s name in combination with another valuable piece of data about that person, such as:

  • Social security number
  • Driver’s license number
  • Government-issued identification number
  • Financial account number
  • Medical information
  • Biometric data (e.g., fingerprints)
  • Login credentials to an online account

Think of personal information as data that can be used to steal someone’s identity (credit card or healthcare fraud) or lead to information that can indirectly be used to steal someone’s identity (login credentials to an online account).

As explained below, businesses have legal obligations when collecting personal data to safeguard against and respond to a data breach appropriately.

The Need for Cybersecurity Insurance

Businesses collecting personal information electronically should have cybersecurity insurance. As Shark Tank’s Robert Herjavec put it, “We’re in a very challenging time where warfare is being fought in cyberspace, and the threats aren’t going to slow down anytime soon.”

Cybersecurity insurance is typically a separate policy or a rider to an existing policy. It is often overlooked by businesses, because they don’t realize that general liability or crime policies often exclude coverage for data breaches. The best practice is to make sure adequate cybersecurity insurance coverage is in place.

The cybersecurity policy should cover the common causes of a data breach, such as:

  • Phishing
  • Business email compromise
  • Ransomware
  • Software or network vulnerabilities

The cybersecurity policy also should cover the common costs of a data breach, such as:

  • Notification expenses
  • Forensic expenses
  • Legal fees
  • Loss of business
  • Data recovery costs
  • Cyber-extortion loss (ransomware)
  • Payment card penalties
  • Regulatory fines
  • Litigation costs

In other words, the cybersecurity insurance policy should cover expenses incurred both as a victim and as a defendant.

Collect and Store Personal Data Only by Necessity

If you view each piece of personal information as a potential liability, you will be more selective in the information you collect and store. The bottom line from a legal  standpoint is simple:

  1. Collect only the personal information you need to operate the business.
  2. Keep personal data only as long as necessary to serve its purpose.

When collecting personal data from individuals, businesses should assess and identify the need for it. If the rationale for collecting certain information is along the lines of, “We’ve always done it this way, because it’s on our form,” then your business should consider stopping the collection altogether.

Likewise, if the business maintains records indefinitely “just because” or without any continued need for the personal information, that information should be deleted or destroyed, unless, of course, the information must be kept under another existing law (e.g., tax law).

Each piece of personal information represents a potential notification the business would have to send after a data breach—and a potential plaintiff the business would have to defend against in court.


[Editor’s Note: To learn more about this and related topics, you may want to attend the following webinars: Introduction to US Privacy and Data Security: Regulations and Requirements; Introduction to EU General Data Protection Regulation: Planning, Implementation, and Compliance and Data Breach Response: Before and After the Breach. This is an updated version of an article originally published on August 14, 2018.]

©All Rights Reserved. April, 2021.  DailyDACTM, LLC d/b/a/ Financial PoiseTM

About Adam Brouillet

Adam Brouillet is a data privacy and cybersecurity attorney with Trenam Law in St. Petersburg, Florida. He advises clients on legal issues relating to information privacy, including cybersecurity standards, vendor contracts, insurance, business transactions, and data-breach response obligations. Adam also represents clients in commercial disputes in trial and appellate courts.

View all articles by Adam »

Article Comments

>