Data Breach: The Legal Implications
A data breach can have potentially disastrous consequences for any business. The prospect of hefty fines and reputational damage are just the tip of the iceberg. If not handled swiftly and carefully, a data breach can have other long term negative effects on a business, hampering its commercial recovery and its position in the marketplace.
But, preparing for such a daunting incident can help to reduce the amount of damage and speed up the recovery process, if the worst happens.
I entered the IT industry at a time when personal computers were just starting to appear on the scene. The first IBM PC was fresh out of the stalls, and businesses that were sending their data to a mainframe computer bureau were contemplating the move to an in-house solution for their accounts and payroll.
As personal computers and local area networks became commonplace, the worst thing that could happen was not a hardware failure, but the loss of precious data, which could cause the total collapse of a business - and often did!
You’d think that an effective data backup regime would be the #1 top priority for any business. Sadly, countless numbers of businesses suffered the painful consequences of inadequate backup policies and procedures. Even some companies that dutifully backed up their data on a daily basis failed to store their backup tapes in a secure fire-proof safe - or better still - off site. Unsurprisingly, those businesses that suffered a fire saw their data go up in smoke with the building.
Fortunately, most businesses are a more diligent with their backup procedures these days.
However, things have changed in our rapidly advancing commercial world. Running a business today is very different to the way it was back in the ‘80’s. The internet has not only brought an ever-increasing choice of digital solutions for processing information, but also much bigger threats to the data we process.
It’s no longer just “our” data
The data businesses process today involves a great deal more personal information than ever before. And this data can often involve highly sensitive information about individuals.
Data privacy and data protection represents the biggest game-changer for businesses in modern times. New and revised laws to protect personal data and the individuals it concerns has become sacrosanct.
Any organization that collects, stores and processes personal information are now held to account, for the protection of that data, as well as the protection of peoples’ privacy and rights. Failure to safeguard against ever more sophisticated cyber attacks - or even negligent actions - can now lead to heavy financial penalties and adverse effects on a company’s good standing.
But even the most rigorous defenses can not be impervious to a cyber-attack and the inevitable data theft that often accompanies such an incident.
What exactly is a data breach?
A data breach, according to Technopedia, is an incident that involves the unauthorized or illegal viewing, access or retrieval of data by an individual, application or service. It is a type of security breach specifically designed to steal and/or publish data to an unsecured or illegal location.
A data breach may result in data loss, including financial, personal and health information. A hacker also may use stolen data to impersonate himself to gain access to a more secure location. For example, a hacker's data breach of a network administrator's login credentials can result in access of an entire network.
Make no mistake, a data breach can have devastating consequences. In 2018 the Ponemon Institute conducted a study revealing that the global average cost of a data breach is $3.86 million, with an average cost of $148 for each lost or stolen record.
A data breach can also damage stock prices for large multinationals. For example, the ICO fine imposed on British Airways saw shares slide down by 2 percent. But the reputational damage incurred can have a long term effect on consumer loyalty, and reduced trust in the marketplace.
Meanwhile, the results for small-medium businesses can be fatal, with most SMEs unable to maintain business operations for no longer than six months following a cyber-attack.
Organizations that collect and digitally store personal information are legally required to implement “reasonable” data protection measures. Depending on where a company does business, it will be subject to legislation that covers data protection and data privacy. Companies that sell products and services to countries within the European Union must comply with the EU’s General Data Protection Regulation (GDPR), while in the United States, with no federal privacy law yet in place, individual state laws provide varying degrees of protection for consumers.
California, New York and Nevada have led the field in state-level consumer privacy, with Nevada’s Consumer Privacy Law due to be enacted on October 1, 2019, and California’s CCPA and New York’s Privacy Act coming into effect on January 1, 2020.
Covered businesses are required to be up front and transparent in the event of a cyber-attack, and must demonstrate a comitment to resolve the issue lawfully. Observing the law this way can help to reclaim a positive standing and mitigate further damage.
In the event of a data breach, there are four legal implications enshrined in data protection laws across all jurisdictions. These are:
A company that has suffered a data breach is required to notify all affected individuals as soon as possible. In most cases the company must also notify their regulatory authority. Under the GDPR, the Information Commissioner’s Office (ICO) must be notified within 72 hours of the breach being discovered.
In the United States, the attorney general of the appropriate state must be informed of a data breach incident. Other regulators include; the the Federal Trade Commission (FTC), the Securities and Exchange Commission, the Federal Communications Commission (FCC), and the Consumer Financial Protection Bureau.
Scott Watnik, Litigation Partner at US law firm Wilk Auslander advises companies to
Immediately seek the advice of counsel to determine when and to whom notice of the attack needs to be given upon discovery of the attack,
There can be serious consequences for businesses that fail to report a data breach. Hotel group Marriott was fined $124 million by the ICO when a data breach occurred within rival company Starwood - which Marriott acquired in 2016 - affecting the records of some 30 million Europeans.
The huge fine was imposed because Marriott was two months late in reporting the breach in their system in November 2018. The breach was actually discovered in September 2018.
A company’s response to a data breach will directly influence its credibility in the eyes of the regulator. Therefore, having an effective response plan is key.
The company’s IT department should investigate all aspects of the breach, particularly the extent to which personal data has been accessed or compromised, as well as the source of the breach, if identifiable. IT staff should work under the direction of the company’s Data Privacy Officer (DPO) and pass up all relevant intelligence of the breach accordingly.
It is also important to work with the company’s data protection counsel, since the disclosure obligations are likely to vary, depending on the types of data that have been compromised.
Having “security incident response plan” in place is the best move, advises Watnik. The response plan should include the following measures:
Operations personnel to address any consumer information needs, including the setting up of consumer call centers if needed.
Experienced outside legal counsel to help navigate the legal landscape.
Public relations experts who can manage contacts with the press if and to the extent the hack is made public.
Insurance brokers and personnel to assist with providing notice to any insurance carriers, submit loss claim notices, and identify applicable policy benefits.
Extreme measures like shutting down all computer systems company wide for several days and effectively suspending all business operations in their entirety may need to be taken as well after an attack, …All employee passwords may have to be reset, and all systems may have to be backed up to preserve their current state for forensic investigation.
Since financial penalties are imposed by each regional jurisdiction, fines will vary greatly and are usually dependent on the severity of the breach, as well as the number of individuals affected and the nature of the compromised data.
The affected company will also be judged on its pre-emptive and response measures, and how quickly it notified affected individuals and the authorities of the incident.
The way in which a company demonstrates compliance with the law, having a response plan in place and notifying in a timely fashion can potentially help to reduce amount of fines and other costs resulting from a cyber-attack.
Having a security incident response team in place can reduce the cost of a cybersecurity breach by as much as US$14 per compromised record from the average per-capita cost of US$148, according to the 2018 Ponemon Study.
In general terms, legal action relating to a cyber-attack is brought when a covered business fails in its duties to:
provide timely notice of the breach, as required by the data protection laws concerned;
respond to the breach and endeavor to remedy or mitigate the damage caused;
implement reasonable data security measures
In some cases, depending on applicable regional laws, an affected company might also be subjected to private lawsuits brought by customers and shareholders.
5) ANTICIPATION OF LEGAL ISSUES
In order for businesses to protect themselves, Watnik suggests that all matters regarding cybersecurity should first be discussed at board level, concentrating on understanding the broader picture.
A useful resource is the United States Security and Exchange Commission’s 2018 guidance for public companies on cybersecurity disclosures (the “Guidance”). This document contains a good example of what should be the focus of discussions.
The Guidance advises that board members should know the following:
The nature and effectiveness of their cybersecurity system and how much has it been tested;
The cybersecurity policies & procedures to be followed;
How the company stores data;
The steps taken to test the cybersecurity system, and the sufficiency of the company’s current procedures;
The nature and coverage extent of the company’s cybersecurity insurance; and
How the company’s business practices and operations take the risk of cyber-attacks into account.
Another suggestion by Watnik is to form a cybersecurity board community, engaging experts to train employees, and putting go-to procedures in place, along with a communication plan, so there’s a referral point in the event of a data breach. Watnik said:
Finally, the leaders of the business should make sure that they have IT staff who regularly report to them on data protection efforts and vulnerabilities,
Conclusion: Always Be Prepared
We live in an age where the potency of cyber attacks is increasing, almost on a weekly basis. Destructive hackers are becoming more sophisticated in the way they break in and steal - or destroy information stored on devices across corporate networks and websites. Sadly, cyber-crime is a fact of life in today’s connected society.
Unfortunately, these facts do not provide affected companies with immunity from prosecution. And so, it is vital that businesses understand their legal obligations concerning data protection and data privacy, as well how to deal with the consequences of a data breach.
Careful and meticulous planning for the worst possibility, could mean the difference between major embarrassment, punitive fines and loss of face in the marketplace, …and minimizing the financial and operational impact of one of the commercial world’s greatest fears.
NOTE: This article is provided for information purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experience data privacy/data protection practitioner when preparing for compliance with data protection and privacy legislation.