Originally published in the May issue of Value Chain.
The recent global cyber-attack underscores the growing risk of cyberattacks around the world and the issues facing the risk and resilience community. Not only do cyber-attacks threaten businesses and organizations on a daily basis, but the addition of ransomware to the mix emphasizes the threats facing organizations, businesses and governments worldwide. Companies and organizations also need to realize that it is not only cyber-security vulnerabilities they should be concerned with, but data privacy and IoT matters as well.
Data privacy is not always a cyber-security matter, but it becomes one when personal data is stolen in a hack. The IoT likewise becomes a cyber-security matter when a connected device is compromised, allowing unauthorized access to data or unauthorized use of the device. Companies now face unprecedented liabilities from IoT breaches. It is time that the risk management industry, as well as the legal community, recognize the impact that cyber-attacks have not only on data privacy obligations but also on IoT-based products.
1. Cyber-Security Concerns
Cyber-security has been placed on the front burner by the global hack as well as by recent credit card breaches, and authorities have placed more and more emphasis on data protection. For instance, the European Union (EU) has passed the General Data Protection Regulation (GDPR), which comes into effect in May 2018. Many Asian jurisdictions, such as Korea, Singapore and Hong Kong, have also updated their data privacy laws and regulations. The US, however, has left cyber-security standards for data protection less clear: common law negligence, HIPAA, Gramm-Leach-Bliley and FTC regulations are all used in a piecemeal way to safeguard personal data and protect people from cyber-attacks.
Unlike the US with its many fractured laws, the GDPR will serve as the definitive source of data privacy law in the EU. The GDPR requires companies to implement technical and organizational security measures appropriate to the risk (it names pseudonymization and encryption as examples) and to assess how much security the personal data they hold warrants. In essence, companies falling under the jurisdiction of the GDPR, as well as of other jurisdictions, will have to consider carefully what data should be collected at all, what data must be protected, and what reasonable cyber-security measures should be undertaken to protect it. Companies will also have to reassess their cyber-security and data protection measures on a regular basis.
2. Data Privacy Concerns
It has become obvious to many that, despite best efforts, companies may still be hacked and suffer a breach, and personal data may still be stolen. Some jurisdictions have data privacy laws in place that mandate disclosure of the breach to authorities. Companies must also consider if and when to report the breach or unauthorized access of personal data to investors and even to the media or the public.
Under the GDPR, a company that has suffered a hack must report a personal data breach to the supervisory authority, without undue delay and where feasible within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Notification to the affected individuals may be required as well, where the breach is likely to result in a high risk to them, though it can be avoided if the company can show that it took measures, such as encryption, that render the personal data unintelligible to unauthorized persons. In the US, no uniform federal statute requires notification of a data breach to authorities, but a number of states have breach notification statutes that cover certain kinds of data, such as Social Security numbers and credit card information.
The following summarizes the elements common to these statutes, notes some of the variations from state to state, and emphasizes the need for comprehensive company-wide data protection and management programs.
Personal Information: companies with records of consumers’ identifying information must take steps to safeguard the information or be exposed to liability.
FL, CA, CT, DE, IL, LA, MN, MT, NE, NJ, RI, TN, TX, WA: first name or initial + last name + Social Security or Driver’s License or State ID or Bank Account/Credit/Debit Card Number with access code
AK: adds medical information
GA, ME: any information that puts individual at risk for ID theft
ND: adds Employer ID, DOB, mother’s maiden name, digital signature
NY: Any identifying information together with ID/Credit Card number and access code
HI, MA, WI: include written as well as electronic data
Breach of the Security System: any suspected unauthorized acquisition of personal data mandates an investigation and may require notification of the affected individuals.
CA, DC and 19 states: “unlawful and unauthorized acquisition” of even a small amount of data that “materially compromises the security, confidentiality, or integrity of personal information”
AZ, ID, NE, OR, TN, FL: any breach that “materially” compromises personal info
CT, IN, ND: any “unauthorized access to” or “acquisition of” computerized data
LA, HI, MA, MT, NY, NC, OH, PA, WY: “unauthorized acquisition” of data that “creates a substantial risk of identity theft”
NY: lists specific factors to determine if personal info has been acquired by unauthorized persons, such as a lost computer
Investigating the Data Breach: the company must determine if a breach has occurred.
FL, LA, AK, OR: the business must document an “appropriate” investigation to “reasonably” determine that no breach occurred; the documentation must be maintained for 5 years; failure to document, or to maintain the documentation, carries a $50,000 penalty
Ten states: require a “reasonable investigation” to determine misuse of personal info
Providing Notice: if the company cannot reasonably determine that no harm has occurred, it must notify the affected individuals.
FL (22 other states impose a similar duty without a specific time frame): “notification shall be made without delay, consistent with the legitimate needs of law enforcement . . . . [M]ust be made no later than 45 days following the determination of the breach”
28 states: notice in “the most expedient time possible,” and “without unreasonable delay”
Penalties: for data breach or failure to comply with Data Breach Statute.
FL: failure to provide the required notice: $1,000 per day for the first 30 days, up to a maximum of $500,000 if no notice is given within 180 days
Other states: penalties range from $500 (ME) to $750,000 (MI)
CA, HI, NH, NC, WA, DC: residents have private right of action
21 states: Attorney General may sue for damages and injunctive relief
Past Representative Enforcement and Litigation of Data Breach Statutes:
The Florida Attorney General investigated Certegy over the inadequacy of its notice to 2.3 million people after records were stolen by a former employee and sold to data brokers
Multistate civil investigation into the breach at TJX Companies and its failure to protect consumers’ personal identification data in credit/debit card sales; numerous class action and individual suits nationwide
Federal class action lawsuit in California against CardSystems, Merrick Bank, Visa and MasterCard for negligence and failure to notify consumers following a data breach
3. IoT Issues and Concerns
In the US, regulators have noted the security concerns that consumers face when using IoT devices. These include unauthorized access to and misuse of personal data, safety risks, and even the use of compromised devices to facilitate cyber-attacks on other systems. The exposure arises because IoT devices are consumer or industrial products fitted with sensors and internet connectivity; they send environmental and activity data to back-end data centers, which in turn provide analytics, feedback and remote control, so that the devices can be monitored and managed through software. Consider this: even cars are now IoT devices.
Though the majority of people have a favorable impression of IoT devices, manufacturers of such products are not discussing the risks inherent in the technology. It has recently been estimated that 70% of all IoT devices are vulnerable to attack. Though the number of devices that could be hacked is astounding, the IT industry is not warning society at large about the potential dangers of using them. To make matters worse, those in the risk management industry are not raising the alarm they should, whether for lack of understanding or otherwise, just as IoT dangers are about to collide with the global push to protect and safeguard personal data.
It is therefore urgent that society, as well as the corporations and organizations involved with data privacy and the IoT, hold broad-based discussions on the benefits and risks of IoT devices. Risk managers, CIOs, software engineers, in-house counsel and board members all must take the data privacy risks inherent in IoT technologies seriously and must take steps to minimize the risks posed by cyber-attacks and the misuse of data. Though society in general may benefit from IoT applications, it must also weigh the issues posed by such devices against those benefits.
A. Preventing data breaches, and conducting a “reasonable” investigation of suspected breaches, is best done by professional digital forensics experts or Information Technology (IT) professionals. In-house Legal and IT departments should work together to create a data map that identifies where all company data is located, so that lost or compromised information can be identified quickly after a suspected breach. Importantly, companies should prepare their IT systems in advance to serve as a source of evidence, for example by enabling and retaining logs, so that the investigation of a future incident has records to work from.
B. Cyber-attacks and the resulting data breaches are not just a problem for the risk management industry but for the legal community too. The loss of personal data, IP theft and other data loss associated with cyber-risks, such as the IoT issue, can result in investigations, audits, lawsuits and class action litigation, as well as reputational harm and brand risk. The fallout from a cyber-attack can be enormous. Therefore, the legal community in general, and in-house lawyers in particular, must team up with IT staff and the risk management community to adequately address all of the issues organizations face at the intersection of data privacy, cyber-security and the IoT.
C. With the advent of data privacy laws and regulations, companies must think not only in terms of cyber-security but of data privacy and IoT issues too. Reporting obligations, data encryption, cyber-security processes and IoT applications must all be addressed as a whole. The risk management industry as well as the legal community must take action to come to grips with the magnitude of the threats these issues present.
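Point A above calls for a data map of where personal data lives. As an added example that is not part of the original article, the following Python scans a constructed set of files for the combination most of the state statutes listed in section 2 treat as personal information (a name together with a Social Security number or a payment card number) and records where it was found, masking the identifiers in the output. The sample records, file paths and the simple capitalised-words name pattern are assumptions made for the demonstration; a production scan would match names against an HR or customer directory and read the real file stores. It does not check for the accompanying access code some statutes require, so a hit is a candidate for counsel to evaluate, not a legal conclusion.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List

# Constructed sample corpus (file path -> contents). The people, numbers and
# paths are made up for this example; the card number is a well-known test value.
SAMPLE_FILES: Dict[str, str] = {
    "hr/payroll_2016.csv": "Jane Q. Public,123-45-6789,jqp@example.com\n",
    "sales/orders.txt": "Order 1001 John Smith card 4111 1111 1111 1111 exp 12/19\n",
    "marketing/newsletter.txt": "Welcome to the spring newsletter, John Smith!\n",
    "finance/ledger.txt": "Invoice 2277 total 4111.11 ref 1234567890123456\n",
}

# SSN in the dashed form, excluding area numbers (000, 666, 9xx) and
# group/serial values (00, 0000) that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional single spaces or dashes between them; each hit is
# then checked with the Luhn algorithm to weed out invoice numbers and the like.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Two capitalised words with an optional middle initial. This is an assumed,
# deliberately simple stand-in for a lookup against an HR or customer directory.
NAME_RE = re.compile(r"\b[A-Z][a-z]+(?: [A-Z]\.)? [A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> Iterator[str]:
    """Yield Luhn-valid card numbers (separators removed) found in text."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            yield digits


def mask(identifier: str) -> str:
    """Keep only the last four characters so the data map never stores a raw identifier."""
    return "*" * (len(identifier) - 4) + identifier[-4:]


@dataclass
class Finding:
    path: str
    names: List[str] = field(default_factory=list)
    ssns: List[str] = field(default_factory=list)     # stored masked
    cards: List[str] = field(default_factory=list)    # stored masked

    @property
    def statutory_pi(self) -> bool:
        """Element common to most state statutes: a name together with an SSN or card number."""
        return bool(self.names) and bool(self.ssns or self.cards)


def scan_file(path: str, text: str) -> Finding:
    """Classify one file's contents."""
    return Finding(
        path=path,
        names=sorted(set(NAME_RE.findall(text))),
        ssns=[mask(s) for s in SSN_RE.findall(text)],
        cards=[mask(c) for c in find_cards(text)],
    )


def build_data_map(files: Dict[str, str]) -> Dict[str, Finding]:
    """Scan every file and return path -> Finding: the raw material for the data map."""
    return {path: scan_file(path, text) for path, text in files.items()}


def report(data_map: Dict[str, Finding]) -> List[str]:
    """One line per location holding statutory personal information, identifiers masked."""
    return [
        f"{f.path}: names={f.names} ssns={f.ssns} cards={f.cards}"
        for f in data_map.values()
        if f.statutory_pi
    ]


if __name__ == "__main__":
    for line in report(build_data_map(SAMPLE_FILES)):
        print(line)
```

Run as written, the scan flags the payroll file (name plus SSN) and the orders file (name plus a Luhn-valid card number), while the newsletter (names only) and the ledger (a 16-digit reference that fails the Luhn check) are left out. Storing only masked identifiers matters because the data map itself becomes a high-value record that an attacker, or a discovery request, may later reach.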
Bryan Hopkins is a Special Counsel to Lee & Ko in Seoul, Korea. He is a former law professor at Sejong University and former General Counsel at Samsung Electronics America. He has extensive experience in the management of complex commercial litigation, compliance, eDiscovery and risk management.