Data Breach! Who’s Liable? What Next? (A Tech Law Reader)

“In case you haven’t heard, the days of having no obligation to notify consumers of a data breach or loss that involves only email addresses may have ended. This should be a major wakeup call for every CIO…”

Your company’s data is in the cloud – including vital employee, investor, and customer information – so when it comes to data breaches, you don’t want to keep your head in the clouds, too. From law firms on JD Supra, here is a collection of recent articles and updates on data breaches: what the law says today, a look at potential impending legislation, and practical tips on what to do when your company experiences a breach. Need to know:

Breach Notification: Time for a Wake Up Call

An excellent overview of the issue from Fox Rothschild: “The scope of information that requires public disclosure in the event of a data breach is growing exponentially. For example, an email address that is verified as associated with a particular business is infinitely more valuable to phishing scammers than an email address and a guess. CIOs now have the unenviable task of discussing a broad range of data losses with legal, marketing and risk assessment professionals…” Read entire update»

Practical Steps in Responding to a Data Breach

By attorney Nick Akerman of Dorsey & Whitney: “…it is critical your company be investigative-ready before the issue arises. Investigative-ready means selecting in advance a person or firm who will conduct the investigation of a company’s computer network and equipment. That computer investigator should be forensically trained and experienced in testifying in court and have credibility with the government agencies the company may ultimately have to convince that it acted properly and reasonably, particularly if it is determined that there is no factual basis to conclude that a data breach occurred.” Read entire advisory»

A Flurry of Federal Data Security and Data Breach Notification Bills Introduced Into Congress

From the International Lawyers Network: “Recent high profile data breaches and increased attention to the protection of consumers’ personal information has intensified the momentum towards enactment of a federal data security and data breach notification law. Currently 46 states and the District of Columbia have enacted data breach notifications with drastically different requirements and policies. Within the last few months, Congress has been inundated with national data security bills outlining an organization’s obligations when it suffers a data breach. Unfortunately, the proposed federal bills would, in many instances, further complicate an entity’s obligations upon a breach…” Read entire update»

Advertising Law Update – August, 2011

From law firm Manatt, an update on the Data Security Act of 2011, recently introduced in Congress: “Those who fail to comply could be fined, ordered to conduct corrective measures, or banned from working in their respective industries. If enacted, the law would preempt state data security and breach notification laws. The Federal Trade Commission would enforce the law, which explicitly prohibits private suits…” Read entire update»

Overview of Proposed Federal Data Privacy Legislation for 2011

From technology attorneys Scott & Scott: “Whether any of these become law by the end of this year’s session is not clear. However, the 48-hour breach-notification requirement proposed by Rep. Bono Mack seems to be generally unworkable in practice, making the requirement unlikely to be a component of any enacted law. What is clear, however, is that with recent, highly publicized and scrutinized data breaches at Lockheed Martin and Sony, greater-than-average political will exists in Congress to approve some form of federal data privacy and security legislation this year.” Read entire update»

[Also from Scott & Scott, see: Data Privacy and Security in the Cloud]

Business Leaders Must Address Cybersecurity Risk

From Jackson Walker: “From a regulatory perspective, federal and state laws create obligations on how companies must protect data and maintain cybersecurity. Under federal law, certain industries have heightened obligations as a result of laws such as HIPAA and Gramm-Leach-Bliley. In addition, the federal securities laws, including Sarbanes–Oxley, or SOX, require that corporate leadership maintain adequate controls over their systems which could be implicated upon a cybersecurity breach. Finally, boards of directors of all companies have fiduciary duties to their companies, such as the duty of care, resulting in individual exposure for corporate leadership upon the occurrence of a loss caused by a cybersecurity breach. While this article is focused on the duties of directors, recent Delaware cases have found officers generally have the same duties as directors…” Read entire update»

California Legislature to Clarify, Expand Data Breach Notice Requirements

A California update from attorney Christine Roberts at Mullen & Henzel: “The new law also slightly expands notice duties, by requiring that an electronic copy of the breach notification be sent to the Attorney General in each instance where a single breach affects more than 500 California residents. Additionally, it requires those making use of ‘substitute’ notification to also notify the Office of Privacy Protection within the State and Consumer Services Agency (state agencies must instead notify the Office of Information Security within the California Technology Agency). Substitute notice may be provided upon demonstrating that the cost of providing notice would exceed $250,000, or where more than 500,000 individuals’ data is affected…” Read entire update»

Massachusetts Attorney General Says You Must Practice What You Preach

From the International Lawyers Network: “In the first public settlement of its kind related to violations of the new Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 C.M.R. 17.00, Belmont Savings Bank has entered into a settlement with the Massachusetts Attorney General following a data breach in which an unencrypted backup tape containing the names, Social Security numbers, and account numbers of more than 13,000 Massachusetts residents was lost after a Belmont employee failed to follow the bank’s own Written Information Security Program (“WISP”)…” Read entire update»
