The Intersection of Law, Cybersecurity, and Data Breaches
In 2012, Robert Mueller famously professed, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”[1] While that statement still rings true five years later, governing bodies are continuing to work diligently to enact laws that place heightened scrutiny on corporate data security measures.[2] As a result, proactive and reactive data security measures––including data breach incident response––must be regarded not only as cyber or IT issues but also as legal issues.
To that end, corporate decision-makers, including legal officers, must understand this simple reality: Cybercrime is lucrative,[3] cybercrime is increasing, governing bodies are placing heightened scrutiny on corporate data security, and plaintiffs’ lawyers and government agencies are ready to hold businesses accountable for poor data security practices. It is therefore incumbent on businesses––large and small––to stop and assess their corporate data security measures. The following may be used as a guide:
Do you have information security and cybersecurity policies and procedures?
Is your IT department taking active, reasonable steps to ensure that your networks and servers are secure? Is your IT infrastructure up to date?
Are you compliant with relevant cybersecurity, data protection, and privacy laws and regulations?
Are senior officers or the board of directors informed on cybersecurity measures from both the technology and legal perspectives?
Do you have cybersecurity (data breach liability) insurance?
Do you have a data breach incident response plan?
Do you understand how the attorney-client privilege and work product doctrine can be used to protect your business during data breach incident response measures?
Unfortunately, cybercrime is an area of law where the victim can be held liable for the consequences of another person’s malicious act. It’s called malware for a reason.[4] As we’ve recently seen with the Equifax breach and others, it’s becoming commonplace for businesses to face post-breach lawsuits for failing to take adequate––reasonable––data security measures. Remember, as the number of data breaches continues to rise,[5] so too will the number of legal issues that businesses encounter. Therefore, business leaders should take proactive measures to understand the intersection of law and cybersecurity (particularly in data breaches) in order to avoid costly mistakes.
_____________________________
[1] Robert S. Mueller, Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies, RSA Cybersecurity Conference (Mar. 1, 2012), available at https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies (last visited Nov. 25, 2017).
[2] See, e.g., Cybersecurity Requirements for Financial Services Companies, 23 NYCRR § 500 et seq. (requiring, among other things, penetration testing, risk assessment, encryption, incident response plan, and “Senior Officer,” Board of Directors, or Board Committee approval of the organization’s cybersecurity policies and procedures).
[3] Cybercrime is lucrative––it really is. In fact, ransomware is a billion-dollar industry (and rising). It shouldn’t be surprising. See, e.g., Ransomware took in $1 billion in 2016--improved defenses may not be enough to stem the tide, available at https://www.csoonline.com/article/3154714/security/ransomware-took-in-1-billion-in-2016-improved-defenses-may-not-be-enough-to-stem-the-tide.html (last visited Nov. 25, 2017); see also The $1 billion industry you don't want any part of, and how to protect your business from it, available at https://www.bizjournals.com/bizjournals/news/2016/12/15/the-1-billion-industry-you-dont-want-any-part-of.html (last visited Nov. 25, 2017).
[4] Malicious software.
[5] See 2016 Data Breaches, Identity Theft Resource Center, available at http://www.idtheftcenter.org/2016databreaches.html (last visited Nov. 25, 2017) (noting an increase in data breaches of over 40% from 2015).
DISCLAIMER: This post is for informational purposes only and may be construed as attorney advertising in some jurisdictions. The information provided above is not intended to be legal advice and should not be construed or relied upon as legal advice. If you need legal advice, please consult an attorney.