Driven by daily headlines about massive breaches of personal data, U.S. states have been increasing their adoption of cybersecurity laws since 2003. These laws require companies to notify regulators, users, or sometimes both, when personal data has been compromised. This month, Alabama became the last U.S. state to adopt such a law (the Alabama Data Breach Notification Act), coming on the heels of South Dakota, which passed its own legislation in March. Additionally, the European Union’s General Data Protection Regulation (“GDPR”) will go into effect on May 25, 2018, creating additional obligations for many companies worldwide, including obligations to notify personal data breaches in certain circumstances both to data regulators and to the individuals concerned. These changes in the field of data protection create new compliance requirements and litigation risks for companies. While data breaches seem to happen routinely, the implications of a hacking incident compromising personal data have grown more complex.
Governments are increasingly requiring commercial entities to maintain “reasonable security measures,” such as those implemented in Alabama. These security requirements range from general statements of intent to more detailed requirements. For instance, the cybersecurity regulation created by New York’s Department of Financial Services (“DFS”) sets forth more sophisticated rules for financial institutions and insurance companies. While complex, cybersecurity measures can also be beneficial for companies. Preventative procedures may reduce vulnerabilities that interrupt business, such as the 2017 ransomware attack which caused billions of dollars in damage, lost revenue, and remediation costs. Similarly, under the EU's GDPR, the obligation is to implement "appropriate technical and organizational measures" to ensure the security of the data.
Companies should review their cybersecurity protocols and assess their vulnerabilities as often as possible. Some attacks, such as ransomware, may become apparent quickly, but many other compromises remain undetected on a company’s network for months. By the time these attacks are discovered, companies may have only a narrow window of time to make difficult decisions. For instance, under the EU’s GDPR or New York’s DFS regulation, the timeline for notifying the relevant authorities and/or the affected parties after a breach is 72 hours after discovery of the breach. This is usually not enough time to gain a sufficient understanding of the impacted systems or the data compromised. This is one of several reasons why businesses with valuable digital information should have practiced crisis-response plans in place.
Cybersecurity measures implemented in practical ways can help companies detect incidents earlier and assess whether an attack triggers a notification requirement. Companies should also consider undertaking a preliminary assessment of their cyber risks, with an eye towards protecting valuable data, IT infrastructure, and intellectual property. Quantifying the value of these assets helps businesses make informed decisions about how to allocate their cybersecurity resources. Doing so will also enable businesses to demonstrate compliance with the EU's GDPR and to cooperate with regulators, both of which are specific obligations under the regulation, and, for public companies in the U.S., to follow guidance from the Securities and Exchange Commission.
The high velocity and rapid evolution of cyber-attack methods challenge all companies to remain technologically equipped to respond to mounting threats. Similarly, changes in cybersecurity laws require companies with digital assets to remain abreast of their legal obligations. A comprehensive approach to cybersecurity can reduce data breach and business interruption risks to businesses and mitigate litigation risks that could arise from a lack of compliance. It will also enable board-level supervision of these issues, which is not only a necessity under GDPR and many other data protection laws but also important to protect the value of the business and to take into account the fiduciary responsibilities of boards.