BreachExchange mailing list archives

The gathering storm: What to expect in the future of cybersecurity litigation


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 28 Apr 2014 19:40:43 -0600

http://www.insidecounsel.com/2014/04/25/the-gathering-storm-what-to-expect-in-the-future-o


Navigating the fast-moving and quickly-evolving area of privacy and
cybersecurity (PCS) litigation is no easy task. Not only are the
technological challenges emerging at a lightning-quick pace, but the legal
landscape is also changing — a perfect storm for in-house counsel. In the
last article, we focused on the liability standards that companies today
are likely to confront in litigation over a data breach. In this article,
we expand on that theme by focusing on new standards for liability that
businesses may face in the future given the legislative proposals now being
considered on the federal and state levels.

By focusing on new standards that might emerge, we hope to provide a guide
for future-proofing current in-house practices. Given the intense media
attention and public scrutiny, it is very likely that some of the proposals
under consideration will be adopted. As an overview, pending legislation
has the following common themes:

- Early disclosure to consumers
- Expanded private liability for data breaches
- Compensation to consumers for data breaches
- An increasing role for state and federal regulatory agencies in data
privacy and cybersecurity issues

On the federal level, Congress is considering a variety of bills to
increase the liability of businesses that fail to safeguard consumer
information or promptly report data breaches to consumers and law
enforcement. For example, under the Data Security and Breach Notification
Act of 2014 proposed by Senators Dianne Feinstein (D-Calif.) and John
Rockefeller (D-W.Va.), businesses would be legally obligated to notify
every person in the United States believed to have been compromised by a
data breach within 30 days of the business discovering the breach. Failure
to comply with this requirement would trigger hefty civil fines of up to
$100,000 a day, with a maximum total penalty of $1 million for a single
breach.

Data breach notification is also a significant feature of the Personal Data
Privacy and Security Act of 2014 proposed by Senator Patrick Leahy (D-Vt.).
In particular, the Act would require that businesses notify law
enforcement of data breaches no less than 10 days after discovery of the
breach if the breach involves more than 5,000 individuals or a database
containing information about more than 500,000 individuals. In turn, the
Federal Trade Commission, the U.S. Attorney General, and state attorneys
general would each be empowered to enforce this notification requirement
and penalize violators with fines of up to $11,000 per day per data breach
(with a cap of $1 million per breach).

State legislatures are no less eager than Congress to impose new
liabilities on businesses that own or maintain the personal information of
their customers. For example, on April 10, 2014, Kentucky became the 47th
state to enact a data breach notification law, leaving Alabama, New Mexico
and South Dakota as the only states to still not have such a law on the
books. Additionally, according to the National Conference of State
Legislators, “[a]t least 19 states have introduced or are considering
security breach legislation in 2014.”

In this regard, while much of the new legislation being considered at the
state level merely serves to amend pre-existing laws, several of these bills
would expand private liability for data breaches in significant ways. For
example, in a bill now before the Minnesota state legislature (H.F. 2253,
introduced in February 2014), any entity conducting business in the state
would be required to inform customers of a data breach affecting the
customer’s personal information within 48 hours of the business discovering
or being notified of the breach. Businesses would also be required to
compensate consumers whose information had been breached by providing these
consumers with both one year’s worth of free credit monitoring services,
made available within 30 days of the breach, and repayment of any charges
or fees incurred by the consumer as a result of the breach. Retailers of
consumer goods and services would additionally be required to provide a
$100 gift card to each consumer whose information was breached.

New laws are not the only source of new liability in the world of PCS
litigation. Indeed, federal and state agencies are capable of raising the
bar for businesses through their rulemaking authority and their public
proclamations. Consider the following April 2014 announcement by the
Federal Financial Institutions Examination Council (FFIEC) addressing the
recently revealed “Heartbleed” vulnerability in the encryption code used by
many businesses to safeguard consumer transactions online: “Financial
institutions should operate with the assumption that encryption keys used
on vulnerable servers are no longer viable for protecting sensitive
information and should therefore strongly consider requiring users and
administrators to change passwords after applying the OpenSSL patch.” Such
language is bound to be cited by plaintiffs in asserting negligence-related
claims against financial institutions and other businesses that suffer
Heartbleed-related data breaches in the wake of the FFIEC’s advice.

In PCS litigation, preparing for tomorrow means understanding not only
where the law is right now but also the direction in which the law is
headed. On this score, Congress and state legislatures are considering a
bevy of new laws that will significantly increase the obligations and
liabilities that businesses must face in the wake of a data breach. It is
therefore critical that in-house counsel maintain a constant awareness of
these developments if they are to provide their clients with effective
advice on how to best prepare for this brave new world.