
Reasonable Measures in Cybersecurity: Guidelines for Breach Prevention and Response

From Responding to a Data Breach to Protecting Personal Data, Here’s How Your Business Can Create A Culture of Cybersecurity

After collecting personal information, businesses must take “reasonable measures” to safeguard it. Some states, such as Florida and Alabama, have this or similar requirements in their cybersecurity statutes. On the federal level, the Federal Trade Commission (FTC) has brought more than 70 cases against companies for engaging in “unfair or deceptive cybersecurity practices.”

Putting Cybersecurity Safeguards Into Place

But what are reasonable cybersecurity measures? Fortunately, the FTC provides some guidance on what these look like. They must include a number of safeguards, and the good news is that most of the effective ones are easy to put into place. By following these, your business should be able to adhere to cybersecurity best practices:

  1. Require all employees with access to personal information to use strong passwords.
  2. Restrict employees’ access to personal information to a “need-to-know” basis.
  3. Train employees on basic cybersecurity best practices and coach them on how to take precautions, such as learning how to identify scams and not falling for phishing emails.
  4. Use multi-factor authentication for remote access to personal information.
  5. Update software and operating systems with the latest security patches.

This is not a complete list of possible cybersecurity precautions, but these measures can prevent many data breaches. They can also help to create a culture of cybersecurity within your organization.

Another aspect of reasonable cybersecurity pertains to vendors. An outside company that has access to your business’s records, including personal information, should commit to reasonable cybersecurity practices. Any vendor contracts should require the vendors to safeguard data, notify you of a data breach and indemnify you for breach costs. You should review and renegotiate these contracts as necessary, to follow the law.

The bad news about reasonable cybersecurity? Despite your best efforts at prevention, a data breach is virtually inevitable. “It’s not a matter of if, but when,” is the common refrain. This makes your preparation and response all the more important.

Responding to a Data Breach

If there is a data breach at your business, you should consult legal counsel immediately, because the data breach triggers statutory and contractual legal requirements. Retaining legal counsel early in the process also brings the benefit of the attorney-client and work-product privileges. These privileges can help you keep certain communications and information concerning the breach confidential, so that the information cannot be used against your business later, or taken out of context, in litigation.

A data breach at your business may trigger certain legal requirements:

  1. The first is that you must notify individuals who had their personal information accessed. This can get a bit tricky. With the assistance of legal counsel and a forensic investigator, you must determine whether “personal information,” as legally defined, was accessed. If it was, you must determine how many individuals were affected and where they live. Those questions will determine which laws apply and whether other parties need to be notified of the breach.
  2. Depending on the size and scope of the breach, your business may need to notify your state’s attorney general and consumer reporting agencies.
  3. If the breach involved credit card data, you must notify the appropriate credit card processors.
  4. If your company was a vendor for another company, you must notify your client.
  5. All notifications must be made within specified time periods after the breach and, depending on which state’s law applies, they must contain certain information about the breach. Failing to follow notification laws can result in substantial financial penalties (e.g. up to $500,000 in Florida), though these specific requirements and penalties vary from state to state.
  6. If your business has cybersecurity insurance, the insurer should be notified in the manner and within the time the policy requires.
  7. Finally, you must repair the vulnerability that allowed the data breach to prevent the same breach from happening again. Cybersecurity law expects businesses to learn from their mistakes.

Can You Be Sued If Your Business Is Hacked?

You might be wondering: “If someone hacked my social security number, but never opened any fraudulent accounts or otherwise caused me any financial loss, can I sue the company that was hacked?”

That’s a great question and one that courts nationwide are considering. The issue is standing. If there’s no harm, what’s the foul? In 2018, the U.S. Supreme Court declined to hear a case that presented this question. So, it remains unanswered, at least on a national level. Some courts say the mere potential for identity theft is sufficient to maintain a lawsuit against the hacked company. Other courts disagree because there’s no showing of an injury, so there’s no reason to litigate—at least not yet.

It’s Essential to Show You Followed Cybersecurity Best Practices

While a brighter cybersecurity future may be on the horizon, businesses that are hacked may still have to spend time and money defending such lawsuits, regardless of their merit. State and federal regulators, such as the FTC, have brought enforcement actions against businesses for having poor cybersecurity practices or for not taking reasonable cybersecurity measures. The regulators deem poor cybersecurity an unfair business practice, and they have ordered businesses to take certain corrective measures and adhere to extensive reporting requirements for up to 20 years.

Businesses seeking to avoid these financial and practical burdens must be able to show that they practiced reasonable cybersecurity measures all along, but were breached nonetheless. In that scenario, the business would be well positioned to defeat lawsuits and satisfy any regulatory inquiries that arise from the data breach.

Cybersecurity law is complex. This article provides only a broad overview, but it is a good starting point for creating a legally compliant culture of cybersecurity within your business. With these pieces in place, your business can use cybersecurity best practices to begin minimizing the chance of a data breach.


[Editor’s Note: To learn more about this and related topics, you may want to attend the following webinars: Data Privacy Compliance 2020, Introduction to US Privacy and Data Security: Regulations and Requirements 2020, Cyber Security & Data Privacy 2019. This is an updated version of an article originally published on September 14, 2018.]

© All Rights Reserved. November, 2020. DailyDAC™, LLC d/b/a Financial Poise™

About Adam Brouillet

Adam Brouillet is a data privacy and cybersecurity attorney with Trenam Law in St. Petersburg, Florida. He advises clients on legal issues relating to information privacy, including cybersecurity standards, vendor contracts, insurance, business transactions, and data-breach response obligations. Adam also represents clients in commercial disputes in trial and appellate courts.
