Consumer Fraud

Cybersecurity conference discusses liability in the event of a data breach

Data breaches have gone from relatively unknown to a common occurrence in the U.S. While companies scramble to strengthen their cybersecurity procedures, they wonder what is considered to be “reasonable security,” and what their responsibilities are in providing adequate protection to their customers. Privacy attorney Dominique Shelton and many other cybersecurity experts recently gave recommendations to companies during a cyber-liability panel at Georgetown University Law Center’s cybersecurity conference.

Although hackers don’t play by the same rulebook, there are things companies can do to protect themselves. “It’s not the wild west. There is guidance out there. That being said, that’s not the most perfect world for companies to be in” since there is no consistency, Shelton cautioned. “That is the environment we’re in right now.”

Data breaches have sparked multiple consumer class actions, shareholder derivative suits and regulatory actions by agencies like the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC). Senior management and boards must actively protect personal data on a daily basis.

In order to best protect a company’s information from a data breach, the cyber-liability panel suggested those in charge of data security at companies sit down and discuss the following points:

Data Breaches are Common

High-profile data breaches are happening all the time, affecting retailers like Target, Home Depot and Neiman Marcus, banks like JPMorgan Chase & Co., and even health care companies like Anthem. As a result of these data breaches, class actions are forming left and right as disgruntled consumers demand stronger privacy measures and tighter security for their personal information.

Shelton noted that any company operating a website, a mobile app, or even advertising through social media is especially vulnerable to data breaches. Some consumers are even bringing putative class actions under the 1988 Video Privacy Protection Act, which puts companies that run videos on their websites or utilize mobile apps at risk of a data breach, Shelton said. In 2014, there were 12 class action suits of this kind filed.

Big Data Issues

Shelton explained that while big data and cookies are not specifically identified in any data breach notification statute in the U.S., any company that fails to secure data obtained through these means is open to liability problems. According to Shelton, as a result of failing to protect big data, which is protected under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act and other statutes, approximately 208 putative class actions have been filed in the past 19 years.

Hilary Hageman, co-panelist and vice president and deputy general counsel at CACI International Inc., believes federal contractors have an especially difficult role in liability exposure considering they deal with such sensitive information regularly. However, they still must face a “whole patchwork or panoply of regulations” to protect that information in most cases. “Making sure that we comply is extremely daunting,” Hageman said.

Limiting Exposure

Hageman listed several ways for companies to prevent exposure of private consumer information, such as through the U.S. Sentencing Guidelines. Hageman describes the guidelines as a form of cyber “hygiene” measures that “don’t cost a lot,” such as:

  • Ensuring senior executives take cybersecurity seriously;
  • Training employees in cybersecurity;
  • Monitoring technology periodically for unusual changes;
  • Auditing internally and externally to make sure safeguards and procedures are working correctly.

The Boardroom

Hageman listed the following recommendations for a company’s board:

  • Ensure at least one director is “very IT savvy”;
  • Discuss IT security issues and ideas regularly;
  • Act on cybersecurity issues as soon as they are brought to attention;
  • Consider creating a special committee on the board that specializes in cybersecurity and protecting data.

“We will be asking these exact questions about companies’ internal procedures,” attorney and co-panelist Christopher Dore said. “Showing that you did everything in your power is going to be persuasive either to us or to the court.”

Source: Bloomberg BNA