Old laws and a lack of regulation threaten to drastically change the legal landscape
Once the sole province of computer experts and thrillers at the multiplex, cybersecurity is now a fact of daily life for most individuals and companies. It has changed the way we protect our personal information, the way we think about privacy, and the relationship between law and technology. Lawmakers, attorneys, and the courts are all sailing in uncharted waters as they muddle through antiquated laws, unclear regulations, and digital threats of ever-increasing ferocity and sophistication.
Perhaps the most challenging element in cybersecurity law is data. It passes through many different hands – creator, owner, holder, processor – and the burden of responsibility in the event of a breach is unclear. Government agencies such as the Federal Trade Commission (FTC) have been slow to establish clear and consistent regulation yet dole out punishment – with sometimes unclear standards – for parties they deem at fault for a particular security issue.
Legal questions about cybersecurity
Among the many questions that the legal community faces around cybersecurity, one of the largest pertains to civil liability in the event of a data breach.
Third-party service providers, such as media, telecommunications, and technology companies, possess an extraordinary amount of personal information. Every time you text a friend, like a photo on Facebook, or check your bank balance while waiting in line, you generate data for the companies that provide these services. Whereas in generations past data existed only in paper form and in one place, today it is as mobile as you are, living on multiple interconnected devices and in the cloud and accessible anywhere, at any time.
This gives cyber criminals multiple points to attack in order to obtain personal data, and the liability for companies involved in such attacks is unclear. Whether data was stolen by sophisticated malware or lost when an overworked tech left a flash drive on the subway, until an actual crime involving that data takes place, an individual may not have much ability to hold the companies involved liable.
This grey area has not stopped a slew of class action lawsuits which posit that people whose data is compromised in a security breach are at risk for harm that may (or may not) occur in the future. The argument is that the companies that allowed the breach to happen should have to pay for their negligence, whether or not it leads to the data actually being used to cause tangible harm. Much of this murkiness centers around Article III of the U.S. Constitution, which says that plaintiffs can only move forward with a case in court if they suffered direct harm from a crime. Problematically, it’s difficult to tie direct harm to a specific breach, and it may be some time before stolen data is sold and then used – say, for purposes of identity theft – via the dark web.
Split in the courts
Muddying the waters further is a growing split in opinion on this issue among various Federal Courts of Appeals across the country. Some maintain that the threat from the breach itself is sufficient to warrant legal action and liability, while others take the position that this in and of itself does not give a plaintiff standing.
- The Second, Fourth, and Eighth Circuits have stood firm and argued that, in the absence of a crime such as fraud or identity theft, a plaintiff does not have standing to sue an organization simply because their data was compromised.
- The Third, Sixth, Seventh, Ninth, Eleventh, and D.C. Circuits have left a bit more space for legal action and said that the implied risk involved with a breach is enough to allow plaintiffs to proceed with their cases.
The Supreme Court has yet to weigh in definitively. Until that happens, plaintiffs and defendants will likely each seek out the friendliest circuit to their cause.
All of this legal wrangling is due in large part to a lack of direction provided by government agencies, particularly the FTC. To date, the agency has not issued detailed regulations that would clarify the requirements that companies must live up to in order to protect data. The business community therefore finds itself confused about the FTC’s enforcement, never quite sure who will be punished and why.
That situation may soon change. The advent of the General Data Protection Regulation (GDPR) in Europe is likely to affect policy in the U.S., and other regulators, such as the Division of Enforcement’s Cyber Unit and the Securities and Exchange Commission, have stepped in to fill the gaps. In addition, New York’s first-in-the-nation, comprehensive cybersecurity law, 23 NYCRR Part 500, is expected to serve as a model for other states and perhaps the federal government.
What organizations can do to protect data and avoid liability
Although the greater legal landscape is out of your hands, there are proactive measures you can take to ensure the data you are responsible for is as safe as possible.
- Encrypt everything. Whether it’s your own network or a third-party provider, it is your responsibility to encrypt data as it passes through every step of its journey through your business. This will mean taking a good hard look at your own processes as well as those of your vendors. If the latter aren’t stepping up to do their part, it may be time to consider leaving them for a vendor who will.
- Train your team. It’s true that external cybersecurity is of paramount importance, but the majority of potential issues will come from inside your own organization. Misplaced drives, accidentally deleted records, forgotten passwords, and the like make up 4 percent of all security concerns.
- Use appropriate technology, including an enterprise-grade, well-respected firewall along with a comprehensive suite of monitoring and protection measures.
- Regularly audit your cybersecurity measures. Comprehensive audit trails not only mitigate risk and spot weaknesses, they also provide definitive proof that your organization did everything (within reason) to safeguard data. This is a key element of avoiding liability.
Choosing the right security partner to lead the charge can take a significant burden off of your organization – and allow your business to feel confident that it is following cybersecurity best practices.