Cyber Security and Data Privacy

By:
David M. Governo and Nancy Kelly
on Thu, 10/26/2017

The Target, Home Depot, and most recently, Anthem Health data breaches involving the theft of the personal data of millions of customers illustrate the frequency and ferocity of cyber security threats. While these breaches have captured the focus of the media, small and mid-size businesses are victims of similar cybercrimes every day. The reality is that all companies that hold personal data or confidential business information, which includes virtually all companies, face commercial, litigation and enforcement, and reputational risks from cyber incidents. This article discusses these risks and the steps a company can take to address them.

Commercial Risks

One might think that a cyber-attack only involves loss of data. There are many types of losses, however, that can occur following a data breach. They may affect a company’s ability to conduct its business, or require the company to expend resources on new systems and equipment, forensic experts, lawyers and public relations firms. Specific types of commercial losses arise from a variety of sources and cause a wide range of damage. Examples include: (1) loss of data or the loss of use of data, caused by an employee, a contractor or a malicious attack; (2) corrupted data due to network malfunction, virus or malicious attack; and (3) an inability to conduct business due to lost or stolen data, or a denial of network access, resulting in lost revenue.

Costs associated with cyber security breaches are increasing as companies have seen almost a 10 percent increase in breach response costs since just last year (2014 Ponemon Institute Study on Cost of Cybercrime). In the aftermath of a cyber-security event, businesses will inevitably have to allocate significant resources to identify the source of the breach and take measures to ensure that it is no longer ongoing. Long-term costs can be sizable and may include: the replacement of servers that may have been compromised or damaged, the forensic costs associated with data recovery, the purchase of new software either as a replacement or to improve monitoring capabilities, and ransom payments for a denial of network access.

Commercial cyber risks are not limited to large corporations. While larger businesses can be lulled into a false sense of security because of the size and sophistication of their existing security measures, smaller companies may believe that their size shields them from cyber criminals. In fact, many breaches target small to mid-sized companies for this very reason. Hackers have the ability to scan multiple systems for weaknesses, and only focus their resources on weaker systems that are easily breached. An example of this is the massive Target data breach where hackers actually accessed Target’s point of sale payment systems through the less robust system of Target’s HVAC contractor, a much smaller company. Target’s troubles show that both large and small companies need to be vigilant about cyber threats from unexpected sources.

Litigation and Regulatory Enforcement Risks

Cyber risks include the potential costs of regulatory enforcement actions and private litigation. A regulatory action is one brought by a government agency for violation of state or federal laws regarding data privacy and security, and is often brought in the wake of a breach. Private litigation involves individuals suing for the theft or loss of their personal financial or health information, and may involve class actions filed on behalf of large “classes” of individuals making claims against the same company for a data breach. Litigation and enforcement costs can be substantial and may include: legal fees, settlement costs or compensatory damage awards, statutory fines, notification costs, forensic costs, and a host of other costs necessary to comply with enforcement orders, potentially including a review of all vendor contracts.

The vast majority of states have enacted breach notification statutes that dictate what must be done following the discovery of a breach. This includes reporting the incident to certain governmental agencies and notifying the affected individuals within a certain time period, ranging from five days from the discovery of the breach in California, to 45 days in states such as Ohio, Vermont and Wisconsin. Many states have also enacted mandatory compliance standards that set a baseline for how private information must be protected.

A large number of federal laws and regulations govern data privacy measures and notification standards, and they vary by industry sector. Federal enforcement actions by the Federal Trade Commission and the Department of Health and Human Services have resulted in substantial fines against companies ranging from hoteliers to health care providers. The FTC simply looks at the company’s actions in hindsight and declares whether the actions taken to prevent the breach were sufficient or not. States’ attorneys general have also stepped up enforcement actions for non-compliance with state regulations. While we hear about enforcement actions against large entities such as Target and Wyndham Hotels, there is ongoing enforcement against small companies as well.

Private lawsuits also present a significant risk for a company dealing with a cyber-security breach, and some courts have begun to ease barriers to certifying a class action against a breached company. In the recent Adobe case pending in California, the court allowed a class action to move forward, even though the affected individuals could not prove fraudulent use of their identities or accounts. In allowing this class action, the court lowered the bar for the filing of such actions and opened the door to many potentially dangerous claims.

Reputational Risk

One of the most enduring risks associated with a cyber-liability event is the damage to a company’s reputation. At a time when privacy is so valued by consumers, any perception that a company’s data security is weak could negatively impact a business. As consumers become more aware of their own security, they expect their personal and credit card information to be adequately protected.

For entities that work solely with other businesses (B2B), the reputational damage arising from a cyber-security breach has the potential to negatively impact the company by driving away vendors, partners and clients. Businesses are wary of working with other companies who do not make security a priority and who have the potential to put their own data and infrastructure at risk. Companies, therefore, will steer their business toward more secure vendors.

What Can a Business Do?

Companies must take affirmative steps to mitigate cyber risk. Many states, including Massachusetts and California, require companies holding personal data to maintain specific safeguards. Regardless of whether your state has mandatory data security standards, companies should institute a written information security policy, maintain proper encryption and firewalls, and periodically update physical security measures such as keycards and passwords. Employees should be trained on compliance with statutory requirements and best practices regarding data security and privacy. Data security procedures should be reviewed periodically to ensure they are effective. Moreover, it is crucial that all employees and vendors accept and embrace a culture of data privacy and security. Often a company’s own employees are its weakest link.

Additionally, companies should implement an incident response plan that identifies response team members, specifies their individual roles during an incident response and sets forth remedial actions to be taken. Companies may also need to retain outside counsel to assist in compliance with statutory reporting and notification requirements. Cyber liability insurance should also be considered as an additional method of mitigating cyber risks. This may be available as an endorsement to existing coverage or as a standalone policy. The key with cyber insurance is to understand the scope of the risks covered and not just the policy limits.

As all companies continue to rely upon technology to grow and evolve, they must understand and address the risks that are inherent in doing business in the information age. Those successful in doing so will gain a distinct competitive advantage.

Governo Law Firm is an 18-attorney, Boston-based firm representing individuals, manufacturers, consultants and companies of all sizes in local and national litigation, and counseling in business planning, including risk management and regulatory compliance. David Governo can be reached at dgoverno@governo.com and Nancy Kelly can be reached at nkelly@governo.com.