As the recent Target and Neiman Marcus data breaches have made clear, cyber security is one of the top threats to business today. These threats can be devastating to companies - damaging customer confidence, the company brand, and the bottom line by increasing costs through remediation costs, lost revenues and customers, litigation, and fines. Governments and customers are now holding businesses accountable for inadequate protection of customer data.
It has been reported that 24% of data breaches occur in retail environments and restaurants. And the average total cost to a US company of a data breach is approximately $5.4 million. There are 46 different state statutory schemes and a host of federal regulations that apply to the collection and storage of data and the prevention and reporting of a breach. These rules often contradict. An interstate or internet retailer, however, must comply with the laws of the states in which a customer makes a purchase.
While consultants, IT experts, insurance and security firms can be integral parts of a Data Protection plan, they are only players on the team. In fact, many experts are engaging in breach event information sharing to assist each other in identifying and defending against cyberthreats. Cyber security concerns are now part of doing business, and general counsel and C-Suite executives must be ready to guide their companies through these complex issues.
Prevention
Prevention is the first step to minimizing cyber security liability. The following steps can help minimize the cost and likelihood of security breaches:
• Security measures before a breach. Studies have found that having an incident response plan, establishing a strong security infrastructure, and appointing a Chief Information Security Officer can lower the costs of a data breach by approximately 50%.
• Cyber-security audits. Businesses should conduct regular cyber-security audits and limit the access of sensitive data by third parties and employees.
• Cyber-security insurance. Businesses should review insurance policies to determine whether and to what extent they are covered for cyber-security threats.
• Encryption. If a data breach occurs, encryption can help minimize liability.
Notification
If a data breach occurs, businesses must immediately determine whether they have notification obligations under federal or state law. Congress has yet to enact comprehensive federal law governing notification in the private sector, so businesses must conduct a state- and industry-specific analysis. The following are examples of notification obligations:
• Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act. HIPAA requires covered entities to protect against reasonably anticipated threats or hazards to security. The HITECH Act requires covered entities and business associates to notify the individuals whose protected health information was accessed no later than 60 days after the breach was discovered. If the breach affects more than 500 individuals, the law also requires notification within 60 days after the breach was discovered to the US Department of Health and Human Services and the media.
• Gramm-Leach-Bliley Act. This act requires financial institutions to publicize their privacy policies and establish internal safeguards and procedures to protect customer information. Related guidelines require covered financial institutions to notify customers whose personal information has been subject to unauthorized access or use if misuse of the customer’s information has occurred or is reasonably possible, unless law enforcement determines that notification will interfere with a criminal investigation.
• Securities & Exchange Commission. The SEC has issued guidance stating that publicly traded companies should report certain instances of cyber incidents.
• State law. Currently, 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted laws requiring notification of security breaches involving personal information.
Potential Litigation
Businesses should be ready for litigation if a data breach occurs. Potential claims by private parties and the government include:
• State-law claims. Businesses could face suits under individual states’ consumer protection laws, tort and contract law, fiduciary requirements, and other cyber security rules.
• FTC Safeguards Rule. The FTC has brought numerous enforcement actions to address whether businesses security systems are reasonable and appropriate to protect consumer information.
• SEC Enforcement Actions. The SEC’s Division of Corporation Finance has taken the position that public companies should disclose their risk of cyber incidents. Failure to disclose cyber security breaches or risks could lead to actions on security anti-fraud provisions like Rule 10b-5 or books and records violations under Rule 13b2-2.
Conclusion
A business’s cyber-security obligations are too complex to address in this blog. Regardless, it is critical for businesses to be prepared. In house counsel are invited to join Polsinelli attorney Leon Silver and Kevin Morgan of Grant Thornton at DRI’s 2014 Retail & Hospitality Litigation and Claims Management Seminar, May 15, 2014 in Chicago at the Westin Chicago River North Hotel for a presentation titled “Cybersecurity and Data Governance: The 21st Century Legal Issue.”
