Cybersecurity and Data Privacy Overview
The importance of securing private data has never been greater. The world economy increasingly revolves around data, and for this reason, information has become increasingly likely to be the target of theft and malfeasance. The California Attorney General's Office estimates that in 2015, nearly three out of five Californians were victims of a data breach.[1]
Meanwhile, in today's digital age, more information is created every two days than was created from the dawn of human civilization until 2003.[2] The digital universe is growing exponentially and will multiply approximately tenfold between 2013 and 2020, from 4.4 trillion gigabytes to 44 trillion gigabytes.[3] And the lessons of so-called "big data" suggest that as the amount of information in the world increases, so does its importance.
Therefore, for a company to remain viable in the long term, it must take steps to protect its data. If it does not, it risks significant financial and reputational harm. Target's 2013 data breach, for example, affected approximately 110 million of its customers and cut its profits nearly in half for its crucial 2013 holiday quarter.[4]
Knowing where to start in protecting its data can be challenging for a company. State and sectoral laws can be instructive here: they describe the basic precautions a company should take to implement appropriate technical, administrative, and physical safeguards for its data. While such safeguards will not necessarily prevent a breach, they make a breach less likely, and they often protect the entity from adverse legal consequences if a breach does occur. Below are some basic guidelines on where to begin the data privacy compliance process, using state and sectoral laws as a guide.
Governing Law
A company that collects and retains personal information (which virtually all businesses now do) has a legal obligation to adopt appropriate security measures to protect that information. Generally, the laws and regulations governing cybersecurity and data privacy seek to protect Personally Identifiable Information (PII), which includes names, Social Security numbers, dates of birth, mothers' maiden names, financial account numbers, email addresses, driver's license numbers, passport numbers, and personal health information. Out of self-interest, most companies also seek to protect proprietary and other kinds of confidential information. Meanwhile, state and federal agencies have increasingly expanded their enforcement of cybersecurity and data privacy regulations over the last few years. This increased enforcement exposes companies to greater scrutiny of their data privacy practices and to increased compliance costs.
In the United States, there is no one unifying federal law that regulates cybersecurity and data privacy. Instead, myriad federal and state laws and regulations govern how companies collect and use personal data. For companies whose business reach extends into multiple states, it becomes extremely challenging to ensure compliance with all applicable state cybersecurity and data privacy laws.
California leads the nation in the area of cybersecurity and data privacy legislation. State law requires businesses that "own, license, or maintain personal information about Californians to provide reasonable security for that information."[5] According to the California Attorney General's Office, "reasonable security" measures include adopting the 20 controls in the Center for Internet Security's Critical Security Controls.[6] These controls are, for the most part, written in plain English and fairly easy to follow. They can help a company assess how compliant its security measures are, and they provide concrete next steps a company can take to enhance its cybersecurity.
California law also sets forth extensive requirements that a business must follow in cases where its precautionary measures fail and a breach occurs. Under California's Data Breach Notification Law, companies must notify all affected California residents of any breach of unencrypted personal information.[7] Under the law, "encrypted" means "rendered unusable, unreadable, or indecipherable to an unauthorized person."[8]
In addition to various state laws, companies must follow any data privacy laws that regulate their particular industry or area of specialty. Most industries have their own sets of cybersecurity and data privacy regulations. For example, the federal Financial Services Modernization Act[9] (the Gramm-Leach-Bliley Act, or GLBA) regulates the financial industry, including securities firms, insurance companies, and other businesses that provide financial services and products. The federal Health Insurance Portability and Accountability Act[10] (HIPAA) regulates how health care providers and their business associates collect and use protected health information. Thus, a self-insured financial services firm will likely encounter both HIPAA and GLBA compliance issues, but may not be equally affected by privacy marketing laws.[11]
Finally, any entity that seeks to transfer data from foreign countries to the US has additional compliance obligations to consider.[12] Most foreign countries have promulgated their own cybersecurity and data privacy laws and regulations, including data breach laws, restrictions on data transfers, and regulations establishing a right to be forgotten. Navigating these various international regulations can be extremely complicated and burdensome. Therefore, it is vital for a US-based company to use care whenever it receives data that originated outside the US. There are likely to be extensive restrictions on how such data can be used, if at all, without certain mechanisms in place.
Consequences of a Data Breach
In the event of a breach of personal data, a company potentially faces significant legal, reputational, and business harm. Governmental agencies can levy fines and sanctions against companies whose ineffectual security practices failed to safeguard personal information. Less commonly, people affected by a data breach can sue, individually or as a class, for damages, including recovery of their costs and attorney's fees. Third parties affected by a data breach can also bring claims to recover expenses incurred as a result of the breach.
In addition to fines and monetary damages, a company's reputation can be irreparably harmed by a breach of personal data, regardless of the cause. A data breach may also have a significant financial impact beyond the legal costs, including a loss of revenue through the attrition of clients and customers and the potentially extensive cost of responding to and remediating the breach. According to the Ponemon Institute, data breaches cost companies an average of $217 per compromised record, of which $143 represents indirect costs and $74 represents the direct costs incurred to resolve the breach.[13] Many data breaches involve thousands or millions of compromised records.
Best Cybersecurity and Data Privacy Practices
One of the most effective ways for a company to protect itself from the significant costs of a data breach is to engage in a data security audit that will give it a customized analysis of where its information security system should be fortified, and what particular privacy guidelines it must follow.
For companies that collect or maintain personal information, adopting the 20 controls in the Center for Internet Security's Critical Security Controls is another good way to start.[14]
Each industry will have its own best practices and below are a few high-level ones for companies to consider, but this is not an exhaustive list by any means:
Use encryption to protect personal information and document how the encryption methods used are in line with current cybersecurity industry standards.
Use strong encryption to protect personal information on laptops, portable devices, and possibly even on desktops.
Secure paper and physical media from possible theft and inadvertent disclosure.
Use complex, unique passwords. Password management software is a crucial modern tool for this unless an entity has single sign-on in place.
Develop a data breach incident response plan and team.
Develop and implement written cybersecurity and data privacy policies and procedures and routinely educate and train employees on these practices and policies.
For companies involved with the international transfer of personal data, follow international data protection requirements and observe cross-border data transfer restrictions.
Consider acquiring cybersecurity insurance coverage.
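The two encryption items above are the most technical ones on the list, so here is an added example (written for this edit; it is not Maier Law Group's code and not part of the original page) of how a developer might encrypt a single PII field at rest in a way that also documents the method used. It uses AES-256-GCM from Go's standard library, stores a method identifier alongside each ciphertext so an auditor can later confirm which algorithm and key length were used, and binds the ciphertext to a record identifier so it cannot be moved to another customer's record. The record identifier, the sample Social Security number, and the key-handling scheme are assumptions chosen for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// methodID is stored with every record so the encryption method can be
// documented and audited later (algorithm, key length, and mode). Bump the
// version prefix if the method ever changes; old records stay decryptable.
const methodID = "v1:AES-256-GCM"

// Envelope is what is stored in place of the plaintext PII field.
type Envelope struct {
	Method     string // e.g. "v1:AES-256-GCM"
	Nonce      []byte // 96-bit random nonce, unique per encryption
	Ciphertext []byte // ciphertext followed by the 128-bit GCM authentication tag
}

// NewKey generates a random 256-bit key. In production the key belongs in a
// KMS or HSM, separate from the database that holds the ciphertexts.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt protects one PII field. recordID is passed as associated data, so
// a ciphertext copied into a different customer's record will not decrypt.
func Encrypt(key []byte, recordID string, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return Envelope{Method: methodID, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt returns the plaintext, or an error if the method is unknown or the
// ciphertext, nonce, or record binding was altered.
func Decrypt(key []byte, recordID string, env Envelope) ([]byte, error) {
	if env.Method != methodID {
		return nil, fmt.Errorf("unsupported encryption method %q", env.Method)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(recordID))
}

func main() {
	key, _ := NewKey()
	ssn := []byte("123-45-6789") // constructed sample value, not real data
	env, err := Encrypt(key, "customer:1001", ssn)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", env.Method, base64.StdEncoding.EncodeToString(env.Ciphertext))

	// Without the key the stored value is unreadable; a single flipped bit is rejected.
	tampered := env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	if _, err := Decrypt(key, "customer:1001", tampered); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
	// Moving the ciphertext to another record is rejected as well.
	if _, err := Decrypt(key, "customer:2002", env); err != nil {
		fmt.Println("record swap rejected:", err)
	}
	pt, _ := Decrypt(key, "customer:1001", env)
	fmt.Println("decrypted:", string(pt))
}
```

The point of the method identifier is the documentation requirement in the first item above: a year later, an auditor can read "v1:AES-256-GCM" off any record and compare it against current standards without guessing. The point of the key comment is the breach notification definition quoted earlier: data is only "rendered unusable, unreadable, or indecipherable" to an attacker who did not also obtain the key, so a key stored next to the ciphertext defeats the purpose.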
Cybersecurity and data privacy is a nascent and emerging area of the law, with new rules and regulations continually being enacted on the state, federal, and international levels. Implementing a comprehensive cybersecurity and data privacy plan and updating it annually to comply with the ever-evolving legal compliance landscape is essential for a company to thrive and succeed in today's digital economy. The Maier Law Group can help draft such a plan or provide guidance for companies to do so themselves.
[1] California Data Breach Report February 2016, found at https://oag.ca.gov/breachreport2016.
[2] Comments from Eric Schmidt of Google at the 2010 Techonomy conference in Lake Tahoe. See MG Siegler, Eric Schmidt: Every 2 Days We Create As Much Information As We Did Up To 2003, TechCrunch (August 4, 2010), found at https://techcrunch.com/2010/08/04/schmidt-data/.
[3] EMC Corporation's Digital Universe Study: The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things.
[4] Maggie McGrath, Target Profit Falls 46% on Credit Card Breach and the Hits Could Keep on Coming, Forbes (February 26, 2014)
[5] Cal. Civ. Code § 1798.81.5. See also Maier Law Group's webinar discussing this law and the Deputy Attorney General's opinion that virtually all businesses "own, license, or maintain" personal information.
[6] California Data Breach Report February 2016, https://oag.ca.gov/breachreport2016 (noting that "[t]he failure to implement all the [Center for Internet Security's Critical Security] Controls that apply to an organization's environment constitutes a lack of reasonable security.").
[7] Cal. Civ. Code § 1798.82(a).
[8] Id. § 1798.82(i)(4).
[9] 15 U.S.C. §§ 6801-6827.
[10] 42 U.S.C. §§ 1301 et seq.
[11] For a discussion about which data privacy laws are most relevant to the life sciences sector and why, see the Maier Law Group's blog post on data privacy for life sciences companies.
[12] A "transfer" for these purposes may simply mean the act of downloading in the US a file that was created in the EU.
[13] 2015 Cost of Data Breach Study: United States, Ponemon Institute, May 2015, found at http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=SA&subtype=WH&htmlfid=SEW03055USEN.
[14] See California Data Breach Report February 2016, supra note 6.
DISCLAIMER
This checklist has been prepared by Maier Law Group for general informational purposes only and does not constitute advertising, solicitation, or legal advice. If you have any questions about a particular matter, please contact Maier Law Group at (415) 737-5317 or info@maierlawgroup.com.