Practitioner’s Corner is a monthly focus on topics of interest to in-house counsel in the implementation of their privacy programs.
You were just notified by law enforcement that your company’s files were found on a hacker forum. Social Security numbers and other sensitive information have been exposed. You know that you might have statutory and contractual responsibilities to remediate and make notifications, potentially as soon as within 24 hours. If you were in this situation, would you be prepared to act?
In our new normal of remote working, the likelihood of a breach is higher and the difficulty of coordinating incident response is greater. In this Practitioner’s Corner, we will explore the reasons why data security and incident response preparedness warrant your time and attention, and why you—as your company’s in-house lawyer—should proactively engage IT.
Reasonable Data Security Controls Are Often a Legal Requirement
The United States does not have a uniform national requirement to apply security controls to all personal information, but sector-specific federal and state statutes require security controls for many data types. The following is a small sample of those laws:
- HIPAA requires a covered entity to establish comprehensive security controls for protected health information;
- GLBA requires a financial institution to develop a security plan that reflects the size and sophistication of the entity;
- Massachusetts requires a company with information about Massachusetts residents to develop a comprehensive written information security program (note that there are at least seven states other than Massachusetts that require proactive security measures);
- New York’s SHIELD Act requires covered businesses to implement and maintain reasonable administrative, technical, and physical safeguards for personal information covered by the state’s data breach statute;
- COPPA requires operators of websites and online services directed to children to reasonably safeguard that personal information; and
- Illinois’s Biometric Information Privacy Act requires a company to store, transmit, and protect from disclosure biometric identifiers and information using a reasonable standard of care within the company’s industry.
Outside of the United States, laws like the GDPR include security as an explicit requirement applicable to all personal information.
In cases where a statute does not impose security requirements, the Federal Trade Commission (FTC) may be empowered to bring a claim for failure to implement reasonable security controls based on its deception and unfairness authority.
Do not forget that data security requirements can be imposed by contract as well. Companies processing payment card data very likely will be subject to the Payment Card Industry Data Security Standard (PCI-DSS), and government contractors may be subject to requirements designed to fulfill agencies’ public-sector security requirements.
A failure to implement security controls may be a violation of the law, but it also increases the risk of a data breach that would have its own legal, financial, and reputational consequences. All 50 U.S. states, the District of Columbia, and some U.S. federal laws require companies to notify individuals and regulators of a data breach. The GDPR likewise requires governmental notification on an extremely tight timeframe of 72 hours after becoming aware of the incident.
These are a handful of examples. Increasingly, lawmakers are focused on mitigating security vulnerabilities by requiring security controls and increasing the penalties for data breaches. For example, the California Consumer Privacy Act (CCPA) creates a private right of action for consumers affected by a data breach if the business failed to implement reasonable security and that failure caused the breach.
Failures to Implement Reasonable Security Can Trigger Investigations and Lawsuits
When security incidents or vulnerabilities come to light through news reports, published research, whistleblowers, data breach notifications, or other sources, they attract investigations and litigation.
- The FTC very recently settled a complaint with an IoT device maker, alleging that it deceived consumers by claiming it used reasonable security when, in fact, its smart lock product had vulnerabilities such as unencrypted Bluetooth connections. While the FTC did not seek a monetary penalty, its proposed settlement would require the company to develop a comprehensive data security program, regularly use independent third parties to assess its security, and make regular reports to the FTC.
- A hotel chain was sued by a putative class in the wake of a data breach that compromised the personal information of 10.6 million guests. Plaintiffs are seeking an award of damages and a mandatory injunction that would require the hotel chain to implement “improved security procedures and measures.”
- About two months following its public disclosure of a security incident that resulted in the disclosure of health records, a network of behavioral health facilities was sued by a putative class seeking injunctive, equitable, and monetary relief as well as an order requiring the company to implement a comprehensive data security program.
- On April 3, 2020, a popular video communications platform was sued by a putative class in California shortly after reports that attackers were able to exploit flaws in its software to, among other things, hijack meetings. As in the examples above, plaintiffs seek monetary and injunctive relief.
While the fact that security incidents frequently trigger lawsuits is troubling, it is also concerning that plaintiffs do not limit themselves to causes of action and remedies that are directly related to security. In the hotel chain litigation, for example, the plaintiffs allege that the incident created causes of action under common law theories of negligence, breach of implied contract, and unjust enrichment, as well as a breach of Nevada’s Consumer Fraud Act.
While class plaintiffs have had mixed success overcoming challenges to their ability to bring these lawsuits due to lack of standing and causation, security incidents continue to be attractive targets of class litigation using creative legal theories.
I understand this is a serious problem. How should I prepare?
Your organization may have formal policies that describe its security controls and incident response procedures. Those are an excellent starting point. If they need to be updated, start with a security risk assessment to determine whether there are any gaps between the policies and your organization’s legal and business requirements.
If you do not have those policies, this is the perfect time to start developing them. Before you do anything, you may want to familiarize yourself with the myriad well-developed standards, guidance documents, and other resources that are readily available free of charge. For example, the United States National Institute of Standards and Technology (NIST) publishes the Cybersecurity Framework, an extremely detailed document that walks companies through the process of implementing a security program, and Special Publication 800-53, which is a standard set of security controls for the federal government but which can be adapted to any private-sector organization. For small companies, it may be sufficient to begin by implementing security controls that address the FTC’s Start with Security guide or the CIS Top Twenty.
1. Once you are ready to begin, start by building your team
You will need a team to update or implement security controls because creating effective policies will require executive buy-in and advice and cooperation from your organization’s IT professionals.
But wait, shouldn’t IT be leading an effort to update or implement security controls? Consider that in-house counsel is likely in a better position to take the lead because in-house counsel is often in a good position to work with executives and IT. In-house counsel can achieve organization-wide buy-in with the protection of attorney-client privilege. Moreover, lawyers need to ensure that the company’s controls match applicable statutory requirements or the exercise may be for naught.
2. Perform a risk assessment
Before you can write security controls, you will need to understand what security controls you have in place and how they compare to your target requirements. You also need to know what is feasible for your organization to implement based on time, budget, and other relevant contextual factors. For example, a small business that uses Shopify as a platform and that has no brick-and-mortar retail stores should not invest time in researching CCTV cameras, even if security standards call for physical security controls.
Picking the right target requirements does not mean you need to implement the strongest security control for every asset you need to protect. There is no one set of reasonable security controls that addresses every potential security threat, but there are ways to systematically assess whether security controls are appropriate.
3. Draft a written information security program and implement it
When you implement the program, do not forget that security is an ongoing obligation. For example, conducting periodic risk assessments, keeping records of your compliance efforts, and training your workforce require constant maintenance and vigilance.
Data security requires an investment of time and resources. However, the cost of these investments will be significantly less than the cost of failing to implement security controls. A breach of your legal obligations that results in a data breach will not only require notifications to regulators and consumers but also can increase the risk of complex litigation.