This is the third in a series of four articles by Strauss Troy about cybersecurity preparedness and response. See Part I here, and Part II here.
A cybersecurity or data breach is a security violation that exposes protected or confidential information to an unauthorized individual or group. As more and more jobs operate in a connected (and sometimes remote) environment, the opportunity for data breaches increases, through both technology vulnerabilities and user behavior.
A company’s preparation and response to a data breach can affect both civil and regulatory liability, but data security efforts and disclosure are key to mitigating that liability.
Regulatory Liability
In general, to avoid regulatory liability, companies must identify and disclose the breach to affected people within a certain amount of time. A lack of broad federal regulation leaves many things up to state laws, regulations, and guidance from Attorneys General. Ohio requires notification within 45 days. Kentucky law requires notification in the “most expedient time possible and without unreasonable delay.” Indiana requires notification “without unreasonable delay.” Limited federal regulation of data breaches includes HIPAA, FTC, and the SEC (public utility companies).
Civil Liability
Civil lawsuits have resulted from data breaches, and companies have a heightened risk if they have lax data security and if they don’t respond quickly to mitigate the damage. Civil actions have been brought by customers or individuals whose personal information has been exposed and by shareholders for alleged damage to the company as a result of lax or poor management.
The law and rules surrounding data breach cases are still in flux and there are a myriad of legal issues involved in these cases. One of the common issues is whether the individual whose personal information has been exposed suffered an “injury in fact.” This means the harm must be real and concrete, as well as actual and imminent. In some cases, an alleged future risk of identity theft suffices even without proof that the personal information has been misused. The alleged harm must also be “fairly traceable” to the breach.
Liability for Third Party Breaches
To complicate things, regulators are now spending more time on third party vendor oversight. Not only do you need to worry about your customers’ data, but possibly your customers’ customers’ data, as well. Companies need to take measures to ensure they don’t breach customers’ data and that vendors don’t breach other companies’ data. Either way, you’re in the crosshairs.
Insurance Coverage for Breaches
Cybersecurity breaches can cost companies in both liability and business downtime. General Commercial Liability policies are broad insurance policies that protects businesses from injury, property damage, and other general business risks. However, these policies don’t always cover cybersecurity liability.
For the most protection, companies often opt for cyber policies. These insurance policies provide businesses with coverage options to help protect them from data breaches and other cyber security issues. Cyber policies help protect your company from network interruption or security failures, and privacy and media liability. But, cyber policies are an emerging insurance product and they change regularly. You need to speak with someone familiar with the insurance policies and language used before you purchase a policy.
In Part VI of this series on cybersecurity, we will discuss the direct and indirect costs of a data breach to your company. As cybersecurity breaches—and the damage they inflict to businesses—continue to become more commonplace, the cybersecurity services of the attorneys at Strauss Troy can help you prepare for and respond to potential threats.