Companies that live by the creed “a data breach will happen” will be more prepared to minimize the chance of a breach, respond quickly to a breach, and minimize potential liability arising from a breach. One of the lessons from the JP Morgan breach a couple years ago, in which suspected Russian hackers got through several layers of sophisticated bank-regulated security is that no one is immune from data breach. It is estimated that the average cost of a data breach is over $7.2 million per breach. It is further estimated that investments in data security companies have exceeded $2 billion. In the event of a data breach, it is likely that someone is going to look to recoup these costs. Data breach, and the likelihood of it, are so well known, that companies that are not proactive are the one most likely to see liability, potentially by their own officers and directors.
What is a Data Breach? It is important to understand that a data breach is more than just online hacking. And it is important to understand that data breach is often caused by an insider. A lost unencrypted flash drive, an unsecure or uncleaned disposal of equipment (copy machines, computers), accidental disclosure, unsecure personal devices, and others are all causes of data breach. If your company has suffered any loss of data, it should at least consider whether it had a data breach. A data breach involves more than financial data. It can involve anything that could be used to steal a person’s identity, such as social security number, email combined with password, personal health information, or insider information. In the case of the recent Sony breach, the issue was the release of embarrassing internal emails.
Who is Being Impacted? Everyone. Let’s say you are on the board of a company that has a subsidiary that contracts with a vendor to process credit cards that has a contract with a bank that has customers. At least one person or company along this chain has a potential claim or threat of liability.
Where Does The Threat Of Liability Come From? In other words, who could initiate a legal action against a company that has experienced a breach? The most obvious are individual victims, often in the form of class actions. But, it is more than that. If a company has a credit card processing contract, management contract, or vendor contract, the other contract party may have a claim. There are also threats from government regulators, including the Federal Trade Commission (FTC), Securities Exchange Commission (SEC), bank regulators, state regulators, and even investors via derivative actions.
What is the Source of Liability? In order to be sued for some failure in data security, there must still be a legal source or law under which a plaintiff can initiate an action. As referenced above, such sources can be contracts, FTC regulations, SEC regulations, Health Insurance Portability and Accountability Act (“HIPAA”), common tort (usually negligence,) and 47 different State data breach laws.
Among these sources, a few are worth highlighting. First, the Third Circuit recently ruled in FTC v. Wyndham Worldwide Corporation, that the FTC has jurisdiction to regulate companies that have weak security measures. The FTC is clear that if you suffer a data breach, it does not mean the FTC is coming after you, but in the Wyndham case, the FTC alleges that data security was so weak so as to be “unfair” in the conduct of business, and that Wyndham’s privacy policies were not followed.
Second, many readers may have heard about PCI (Payment Card Industry) compliance. This is not law, but a creature of contract within the payment card industry. If your company accepts credit cards, it is likely required to be PCI compliant pursuant to its processing contracts.
Third, the 47 state data breach laws all apply after the fact, and are not entirely consistent. Complying with these acts may reduce liability under the acts themselves, but it will not reduce liability for lacking security in the first place. There is currently no federal legislation that pre-empts any state law establishing security standards or providing a post breach process. Congress recently passed differing versions of the Cybersecurity Information Sharing Act (CISA,) but this is an act designed to encourage sharing of data breach information for purposes of learning and fending off future attacks.
Why Should You Care? In addition to direct financial risk, companies that experience or are associated with data breach face lost business, reputational damage, loss of right to accept credit cards, public companies must report cyber risk factors, and there is a mergers & acquisition risk. As to the latter, acquirers are asking for representations and warranties regarding data security and including it in due diligence.
What Should My Company Do to Reduce Risk? Each of these is a topic on its own, but at a high level, a company should consider the following:
- The Board should be discussing data security and enter a summary of the discussion in the minutes. The Board should consider retaining a Chief Information Security Officer (CISO) or at least make sure data security is within the duties of the CIO/CTO. The Board should also consider establishing a data security committee.
- The company should check and test its security measures, and repeat those periodically. It helps if this is done by an independent company, which can be one of the accounting firms that audits security, or a reputable data security company. Who you use may depend on whether your company is public and/or must be PCI compliant.
- Obtain cyber-insurance separate from the general errors & omissions policy. Attempt to get coverage with sufficient limits and that covers a public relations firm.
- Carefully vet vendors and other third parties that may receive data for which your company is responsible.
- Train employees on security measures. In the event of a contentious departure, deactivate the employee’s password immediately.
- Have an Incident Response Plan (IRP) ready to go in advance.
- When an incident occurs, the first call should be to your attorney. A federal judge in Minnesota recently ruled that investigation of a data breach following contact and direction of a lawyer was privileged. The next call should be to any and all insurance carriers, and depending on the type of breach to criminal authorities.
There is a lot more detail protecting against liability for data breach, but this article outlines the most common issues and tasks.
