After collecting personal information, businesses must take “reasonable measures” to safeguard it. Some states, such as Florida and Alabama, have this or similar requirements in their cybersecurity statutes. On the federal level, the Federal Trade Commission (FTC) has brought more than 70 cases against companies for engaging in “unfair or deceptive cybersecurity practices.”
But what are reasonable cybersecurity measures? Fortunately, the FTC provides some guidance on what these look like. They must include many safeguards. The good news is that most effective safeguards are easy to put into place. By following these, your business should be able to adhere to cybersecurity best practices:
This is not a complete list of possible cybersecurity precautions, but these measures can prevent many data breaches. They can also help to create a culture of cybersecurity within your organization.
Another aspect of reasonable cybersecurity pertains to vendors. An outside company that has access to your business’s records, including personal information, should commit to reasonable cybersecurity practices. Any vendor contracts should require the vendors to safeguard data, notify you of a data breach and indemnify you for breach costs. You should review and renegotiate these contracts as necessary, to follow the law.
The bad news about reasonable cybersecurity? Despite your best efforts at prevention, a data breach is virtually inevitable. “It’s not a matter of if, but when,” is the common refrain. This makes your preparation and response all the more important.
If there is a data breach at your business, you should consult legal counsel immediately, because the data breach triggers statutory and contractual legal requirements. If you retain legal counsel early in the process, that can also create the benefit of the attorney-client and work-product privileges. These privileges can help you keep certain communications and information concerning the breach confidential. That way, information cannot be used against your business later, or taken out of context, in litigation.
A data breach at your business may trigger certain legal requirements:
You might be wondering: “If someone hacked my social security number, but never opened any fraudulent accounts or otherwise caused me any financial loss, can I sue the company that was hacked?”
That’s a great question and one that courts nationwide are considering. The issue is standing. If there’s no harm, what’s the foul? In 2018, the U.S. Supreme Court declined to hear a case that presented this question. So, it remains unanswered, at least on a national level. Some courts say the mere potential for identity theft is sufficient to maintain a lawsuit against the hacked company. Other courts disagree because there’s no showing of an injury, so there’s no reason to litigate—at least not yet.
While a brighter cybersecurity future may be on the horizon, businesses that are hacked may still have to spend time and money defending such lawsuits, regardless of their merit. State and federal regulators, such as the FTC, have brought enforcement actions against businesses for having poor cybersecurity practices or for not taking reasonable cybersecurity measures. The regulators deem poor cybersecurity an unfair business practice, and they have ordered businesses to take certain corrective measures and adhere to extensive reporting requirements for up to 20 years.
Businesses seeking to avoid these financial and practical burdens must be able to show that they practiced reasonable cybersecurity measures all along, but were breached nonetheless. In that scenario, the business would be well positioned to defeat lawsuits and satisfy any regulatory inquiries that arise from the data breach.
Cybersecurity law is complex. This article provides a broad overview, but it’s a good starting point on how to create a legally compliant culture of cybersecurity within your business. With these pieces in place, your business can use cybersecurity best practices to begin minimizing the chance of a data breach.
© All Rights Reserved. November, 2020. DailyDAC™, LLC d/b/a Financial Poise™
Adam Brouillet is a data privacy and cybersecurity attorney with Trenam Law in St. Petersburg, Florida. He advises clients on legal issues relating to information privacy, including cybersecurity standards, vendor contracts, insurance, business transactions, and data-breach response obligations. Adam also represents clients in commercial disputes in trial and appellate courts.