Cybersecurity is a growing concern for companies big and small, but especially for those that are currently collecting personal data, whether from customers or employees. Consider the following statistics from Verizon’s 2020 Data Breach Investigations Report, which analyzed 157,525 cybersecurity incidents.
Cybersecurity law has been called many things in recent years: evolving, complex, varied, cutting-edge—even hilarious. Ok, maybe not the last one. But I would offer another phrase that can serve as a key takeaway from this article. This phrase also highlights the importance of strong cybersecurity from a legal perspective when collecting personal information. That phrase would be: victim-defendants.
What does this phrase mean exactly? If victimized by a hacker, your business could be sued as a result of the data breach. So, while you may be the victim of a breach, you may also have to act as a defendant in court.
Businesses are accustomed to protecting their own sensitive information, such as trade secrets, other intellectual property and financial information. If that information were stolen, the business would have a claim against the bad actor and wouldn’t necessarily expect to be sued.
Cybersecurity law is different, because businesses often are sued after a data breach.
If you think of personal information as belonging to the customers or employees who provided their data, rather than as belonging to the business, you’ll see why cybersecurity raises many legal issues. You’ll also see how a business victimized by a data breach can become a defendant in a lawsuit.
The following are some of the major aspects of cybersecurity law. Understanding these issues will go a long way toward creating a legally compliant cybersecurity program and avoiding becoming a victim-defendant after a data breach.
Cybersecurity law pertains to when an individual’s “personal information” is stolen or otherwise accessed by someone without authority. Businesses should understand what constitutes “personal information” as they often hold more of it than they realize.
Generally, personal information is someone’s name in combination with another valuable piece of data about that person, such as:
Think of personal information as data that can be used to steal someone’s identity (credit card or healthcare fraud) or lead to information that can indirectly be used to steal someone’s identity (login credentials to an online account).
As explained below, businesses have legal obligations when collecting personal data to safeguard against and respond to a data breach appropriately.
Businesses collecting personal information electronically should have cybersecurity insurance. As Shark Tank’s Robert Herjavec put it, “We’re in a very challenging time where warfare is being fought in cyberspace, and the threats aren’t going to slow down anytime soon.”
Cybersecurity insurance is typically a separate policy or a rider to an existing policy. It is often overlooked by businesses, because they don’t realize that general liability or crime policies often exclude coverage for data breaches. The best practice is to make sure adequate cybersecurity insurance coverage is in place.
The cybersecurity policy should cover the common causes of a data breach, such as:
The cybersecurity policy also should cover the common costs of a data breach, such as:
In other words, the cybersecurity insurance policy should cover expenses incurred both as a victim and as a defendant.
If you view each piece of personal information as a potential liability, you will be more selective in the information you collect and store. The bottom line from a legal standpoint is simple:
When collecting personal data from individuals, businesses should assess and identify the need for it. If the rationale for collecting certain information is along the lines of, “We’ve always done it this way, because it’s on our form,” then your business should consider stopping the collection altogether.
Likewise, if the business maintains records indefinitely “just because” or without any continued need for the personal information, that information should be deleted or destroyed, unless, of course, the information must be kept under another existing law (e.g., tax law).
Each piece of personal information represents a potential notification the business would have to send after a data breach—and a potential plaintiff the business would have to defend against in court.
© All Rights Reserved. April, 2021. DailyDAC™, LLC d/b/a Financial Poise™
Adam Brouillet is a data privacy and cybersecurity attorney with Trenam Law in St. Petersburg, Florida. He advises clients on legal issues relating to information privacy, including cybersecurity standards, vendor contracts, insurance, business transactions, and data-breach response obligations. Adam also represents clients in commercial disputes in trial and appellate courts.