Data breaches have happened since the earliest days of recorded information, and recently have led to the downfall of CEOs. As companies collect more and more data and consumers seek convenience while relying on technology, the potential damage from cyber security breaches and data theft continues to escalate. If a client you are representing is caught in one of these internet break-ins, who is ultimately liable?
State by State
Currently, cyber security is regulated at the State level as opposed to the Federal level. Right now forty-seven of the fifty States have cyber security or data protection laws in place, and a proposal in New Mexico calls for hacked businesses to report a data breach to their customers within 45 days. This leaves South Dakota and Alabama as the only States in the Union that have not addressed this critical area of consumer protection.
There is discussion of moving cyber security regulation to the Federal level, as a tremendous amount of interstate commerce occurs via the internet and many of the attacks to steal data are carried out from overseas. Given the political climate, it is unlikely that this will happen in the next few years.
Many states have recently strengthened their data laws to protect consumers, most notably Florida and Delaware, both of which use the standard of “reasonable” actions by the business to dispose of consumer data or protect it. “Reasonable,” however, is a moving standard, as the criminal element continuously improves its skill set in data attacks, and it literally takes only a moment’s lapse of judgment by an employee to open the door to a firm’s data.
Several well-known data breaches have actually resulted from physical access to information rather than a hack. A stolen laptop is essentially a skeleton key for criminals, and all companies should implement policies that address this issue. Remote data wipe processes should be standard operating procedure.
Many companies attempt to contractually shift the risk and liability for data security to third-party providers that focus on this, allowing these organizations to bring to bear greater resources due to their specialty in data transfer and security as opposed to selling garden hoses or muffins. These cyber protection agencies are employed in addition to the payment processors such as Square or the credit card companies, who have their own procedures in place to protect consumer data and assume partial responsibility for protection thereof. Real-time threat assessment can help locate a breach before the stolen data can be misused to harm clients, thus reducing the damage and ultimate liability to companies.
Ultimately, anyone who has access to the data could be held liable if information falls into the wrong hands, as California’s laws clearly state. Thus everyone along the knowledge chain needs to take action to prevent theft of the information they possess.
Knowledge is Power
Data is the driving force in the interconnected Web 2.0 world we live in. Consumers have shifted away from cash for convenience, and huge amounts of information and money are hidden behind electronic locks that can be breached by a keystroke or old-fashioned snooping techniques. Both consumers and companies need to be smart about who they give their information to, and companies have an obligation to keep consumer information safe.