After collecting personal information, businesses must take “reasonable measures” to safeguard it. Some states, such as Florida and Alabama, have this standard (or a similar one) in their cybersecurity statutes. On the federal level, the Federal Trade Commission has brought numerous enforcement actions against companies for engaging in “unfair” cybersecurity practices. This legal authority provides some guidance on what “reasonable” cybersecurity measures look like.
Reasonable cybersecurity measures include numerous safeguards. The good news is, many effective safeguards are easy to implement. These include:
Although this is not a complete list of possible cybersecurity precautions, taking these measures can prevent many data breaches and help create a “culture of cybersecurity” within the organization.
[Editor’s note: for more information on cybersecurity, read “The Legal Implications of Cyber Security When Collecting Personal Information”]
Another aspect of “reasonable” cybersecurity pertains to vendors. Any outside company with access to your business’s records, including personal information, should commit to reasonable cybersecurity practices as well. Contracts with such vendors should require the vendors to safeguard data, notify you of a breach, and indemnify you for breach costs. These contracts should be reviewed and renegotiated as necessary to comply with the law.
The bad news about “reasonable cybersecurity” is that, despite your best efforts at prevention, a data breach is virtually inevitable. “It’s not a matter of if, but when” is the common refrain. This makes preparation and response all the more important.
A data breach triggers many legal requirements. Chief among them is the requirement to notify individuals whose personal information was accessed. This can get a bit tricky. With the assistance of legal counsel and a forensic investigator, the business must determine whether “personal information,” as legally defined, was accessed. If it was, the business must determine how many individuals were affected and where they reside. Those questions will determine which laws apply and whether other parties need to be notified of the breach.
Depending on the size and scope of the breach, the business may be required to notify the relevant state attorneys general, consumer reporting agencies and the news media. If the breach involved credit card data, the business must notify the appropriate credit card processors. If the breached company was a vendor for another company, the breached vendor must notify its client. Notifications must be made within specified time periods after the breach. Depending on which state’s law applies, notifications must contain certain information about the breach. Failing to comply with notification laws can result in substantial financial penalties (up to $500,000 in Florida, for example). These specific requirements and penalties vary from state to state.
If the business has cybersecurity insurance, the insurer should be notified within the requirements of the policy.
Legal counsel should be consulted immediately because the data breach triggers the referenced statutory and contractual legal requirements. Retaining legal counsel early in the process can also create the benefit of the attorney-client and work-product privileges. These privileges can keep certain communications and information concerning the breach confidential. That way, information cannot later be used against the business, or taken out of context, in litigation.
Finally, the vulnerability that allowed the data breach should be repaired to prevent the same breach from happening again. Cybersecurity law expects businesses to learn from their mistakes.
You might be wondering: if someone hacked my Social Security number, but never opened any fraudulent accounts or otherwise caused me any financial loss, can I really sue the company that was hacked?
That’s a great question and one that courts nationwide are considering. The issue is standing. If there’s no harm, what’s the foul? The U.S. Supreme Court recently declined to hear a case that presented this question. So, it remains unanswered (at least on a national level). Some courts say the mere potential for identity theft is sufficient to maintain a lawsuit against the hacked company; other courts disagree because there’s no showing of an injury and, thus, no reason to litigate, at least not yet.
Either way, businesses that are hacked may have to spend time and money defending such lawsuits, regardless of their merit.
[Editor’s Note: for more on the subject of data security and privacy, check out our webinar series, “Cybersecurity and Data Privacy 2018”]
In addition, state and federal regulators, such as the Federal Trade Commission, have brought enforcement actions against businesses for having poor cybersecurity practices or not taking reasonable cybersecurity measures. The regulators have deemed poor cybersecurity as an unfair business practice and have ordered businesses to take certain corrective measures and adhere to extensive reporting requirements for many years, sometimes up to 20 years.
Obviously, businesses want to avoid these financial and practical burdens. The key is being able to show that the business practiced reasonable cybersecurity measures all along, but was breached nonetheless. In that scenario, the business would be well positioned to defeat lawsuits and satisfy regulatory inquiries arising from the data breach.
As you can see, cybersecurity law has many facets. This article provides a very broad overview, but it is a good starting point for creating a legally compliant “culture of cybersecurity” within your business. With these pieces in place, a business can begin to minimize the chance of a data breach using reasonable cybersecurity measures.
Adam Brouillet is a data privacy and cybersecurity attorney with Trenam Law in St. Petersburg, Florida. He advises clients on legal issues relating to information privacy, including cybersecurity standards, vendor contracts, insurance, business transactions, and data-breach response obligations. Adam also represents clients in commercial disputes in trial and appellate courts.