This post first appeared on Risk Management Magazine.
Criminal cyber gangs, hackers and internal employee theft threats are understandably the focus of risk managers seeking to address online perils. After all, international banking funds have been stolen with a few keystrokes, hackers have managed to blow up a pipeline, and election systems across the globe are targeted with growing frequency by a host of shadowy figures with unsettling resources, including foreign government backing.
This year, cybersecurity spending is expected to rise across the board for many companies, spanning various industries. The bulk of this spending is expected to be focused on thwarting the growing scourge of malware attacks. But malware, funds theft, data hacks and disruption attacks do not comprise the full spectrum of online risks. Today, many cyberrisks are of the less exotic variety and do not necessarily implicate the presence of a criminal. Liability often involves pedestrian errors, software glitches, and inattention to handling data safely. Such inattention can violate the law under new regulatory schemes.
Data Protection Liability
Lawmakers and regulators are increasingly mandating that sound protocols be followed concerning the collection, hosting and transmission of data. The well-publicized GDPR and California’s enactment of the CCPA epitomize efforts to put consumers, patients and online users in a position of data privacy, data safety and data control. Twice last year, GDPR fines in the nine figures were sought against international companies based upon inadequate security procedures that allowed access to and misuse of data. But unauthorized access is not the only potential regulatory exposure. Another international tech company was fined for non-GDPR-compliant data “processing” transparency, including a lack of clear and easy-to-read disclosure over data storage periods and the use of personal data for commercial online business. Notably, no breach was alleged in that instance. The CCPA mandates a “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information,” and various fines and liability exposures may arise under California’s (recently implemented) analog to the GDPR.
Online actions have to comport with safety, disclosure and privacy considerations of the individual whose data is in the hands of others. While liability can arise for failing to secure individual data from a hacker, it can also arise in the absence of any hacking event. It may be enough, for example, that sensitive data is placed on a server that is susceptible to an online search.
Several cases over the past few years have underscored the risk of mishandling data—even where no crime and no criminal are evident. In one class action, patients whose private medical data was exposed on servers that could be searched on the internet commenced a privacy suit. When the policyholder sought liability insurance coverage, the insurance company denied the claim, leading to yet another lawsuit to address the scope of insurance protection for privacy class actions. The federal appeals court held that the insurance company was obligated to cover defense of the patients’ suit against the policyholder, as the information was “published”—even though there was no allegation that anyone actually accessed the patients’ private medical information, let alone misused it to commit some type of wrongful act.
There have been several other cases in which policyholders were pursued legally over the disclosure (or loss of control) of data where no evidence existed that anyone actually accessed the data or exploited it to the individuals’ disadvantage.
Insurance Coverage Implications
Some federal courts have loosened the rules over who may sue and when they may sue after information is disclosed. Federal appellate courts in the Sixth and Seventh Circuits (and now elsewhere) have taken a less strict view over when litigants may sue for a data breach (technically, this issue is usually referred to as Article III standing under the Constitution). Even if evidence is lacking that data has been misused to commit identity fraud or financial theft, some courts have held that class action litigation, nevertheless, can be pursued against the organization alleged to have permitted unauthorized access to private data.
Accordingly, policyholders are well advised to make sure that they take all reasonable measures to avoid placing sensitive data in places where it can be accessed or disclosed. Whether a criminal is involved in hacking it, using it or monetizing it may not even be a factor. Rather, policyholders may have liability (including significant litigation expense and risk) where the individual’s information is merely capable of being searched or accessed, irrespective of whether it actually ever gets viewed or misused.
Insurance coverage can play a key role here. Protection against liability may be available under cyber insurance products. Some cyber-specific policies will expressly cover scenarios where policyholders are liable for mishandling data or are subject to regulatory actions. Other cyber insurance products may be silent or even expressly exclude such scenarios. Policyholders are well advised to review their other insurance policy lines as well, as management liability insurance, D&O, E&O and other liability policies may offer valuable protection where data is allegedly mishandled, yet no hack or third-party bad actor is identified.
Risk Mitigation Steps
It is virtually impossible to be well insulated from all cyber perils. Nonetheless, basic cyber safety measures, at a minimum, should include:
- An informed senior management, including boards of directors
- Regular employee training concerning the access, use and handling of data
- Clear (and regularly updated) data handling, use and storage procedures that are compliant with the most restrictive body of regulations that the entity is likely subject to (e.g., CCPA, GDPR, Illinois biometric law, New York’s Part 500, etc.)
- Fair and clear disclosures over the use of data and the duration of its storage
- Encryption of data on all mobile devices that can be fairly viewed as sensitive
- Regular patching and software updates for all systems
- Mapping of data within the entity to ensure that all servers are accounted for
- Smart architecture of computer systems so that if one server is compromised, the hackers are confined to that entry point
- Proper insulation of backup tapes and systems
- Detailed records of cybersecurity due diligence that can be used by the organization in the event procedures or unauthorized disclosures have to be explained to regulators and law enforcement