Cybersecurity: The Legal Risks

Michael G. Trachtman
Powell Trachtman Logan Carrle & Lombardo, P.C.
MEA General Counsel
mtrachtman@powelltrachtman.com

A Megabyte of Prevention is Worth a Terabyte of Cure

The Russian hacking of the Democratic National Committee. WikiLeaks and the CIA. The monumental data breaches at Yahoo, LinkedIn, the IRS, the Department of Justice… Cybersecurity has been one of the primary headline-grabbers of the past year. But what does any of that have to do with a privately owned business without tens of thousands of employees or a national profile?  Regrettably, a whole lot.

Most businesses understand that cybersecurity “holes” can lead to suffocating operational issues – for example, ransomware that locks a business out of its databases until a ransom is paid, malware that changes data or deletes files, spyware that allows a competitor to copy your most sensitive information. But what is not as widely understood is this: even if your cybersecurity deficiencies have no effect on your operations, they can lead to colossal legal liabilities, including damage awards, regulatory agency fines, injunctions and, even, criminal sanctions.

It is important for businesses to become aware of the source and scope of these legal risks, which is the first step in the development of a preventive strategy that will ultimately require a partnership between competent IT professionals and knowledgeable counsel. Toward that end, summarized below are some of the most important cyber-traps in the legal landscape – the initial focal points for any cyber-liability avoidance program.

The Federal Trade Commission

Perhaps the most common form of cyber-liability involves the inadvertent disclosure of, or the failure to protect from hackers, sensitive consumer information (such as name, address, or telephone number linked to a social security number, driver’s license number, credit or debit card number, passwords …).  The FTC has become the primary federal regulator of companies that fail to properly store consumer information in formats or media that adequately protect the information from unauthorized access – all as defined by the FTC.

The FTC can impose administrative penalties of up to $40,654 per offense, it can levy fines in the millions of dollars, it can issue injunctions, it can mandate restitution, it can require reimbursement of its investigative and prosecution costs – and it can (obviously in egregious circumstances) impose criminal penalties, including imprisonment for up to ten years.

The Fair Credit Reporting Act

FCRA is a federal statute that (among many other things) regulates businesses that use “consumer reports” – defined as any communication by a consumer reporting agency (that is, a person or company that charges a fee for gathering consumer information) that pertains to, for instance, a person’s credit worthiness, character or reputation (read: background checks).  Proper notices must be provided to and proper authorizations must be obtained from the persons who will be the subject of the report before a “consumer report” may be lawfully obtained.

The CAN-SPAM Act

Congress loves cute acronyms – the full name of this federal statute is Controlling the Assault of Non-Solicited Pornography And Marketing Act.  The CAN-SPAM Act regulates the collection and use of email addresses for commercial purposes. If, for example, you solicit business through blast emails, you will need to be familiar with the provisions of this law and the cases that interpret it.

The Telephone Consumer Protection Act

The TCPA regulates the collection and use of telephone numbers for commercial purposes, and it regulates how and when commercial telephone solicitations may be made.  If this is how you seek business, you will need to be aware of the TCPS’s arcane requirements.

The Pennsylvania Breach of Personal Information Notification Act

In addition to the above federal statutes, this Pennsylvania statute applies to any person or company that conducts business in Pennsylvania, and owns, licenses, or maintains computerized data that includes personal information — defined as an individual’s first name or initial with last name and one or more of the following: social security number, driver’s license or identification card number, account, credit card number or debit card number and passwords. The gist of the Act is this:  in the event of a data breach, the holder of the information must provide notification to those subject to the data breach in a defined manner.

The New Jersey Data Breach Notification Law

Similarly, New Jersey has enacted a law that applies to any person or company that does business in the state, and provides similar protection in the event of a “breach of security,” defined as “unauthorized access to electronic files, media, or data containing personal information that compromises the security, confidentiality, or integrity of personal information that has not been redacted or otherwise made unreadable or unusable.”  In addition, unlike Pennsylvania, New Jersey requires that notice first be provided to the state police and, in certain cases, that notice also be provided to major consumer credit agencies.

Lawsuits, and more lawsuits

Cybersecurity lapses lead to data breaches that lead to disclosures of information that lead to lawsuits that lead to major liabilities. Class action suits based on data breaches have become commonplace – usually involving consumers who sue for identity theft, or the costs of attempting to prevent identity theft.  Banks sue for the costs of having to reissue credit cards and implement fraud monitoring measures for customers whose personal data were disclosed.  Company owners sue company officers and directors for failing to protect against data breaches.  And so on…

Some Words to the Wise

Prevention is, as always, easier and cheaper than cure.

  • The FTC has issued “best practices” privacy and data security guidelines, including a report on methods of protecting consumer privacy. It will be much easier to avoid the FTC’s wrath if you can document good faith efforts to implement the FTC’s advice.
  • There is no shortage of technical consulting firms that can (or, at least, say they can) implement hardware, software and protocols to maximize cybersecurity protections. Obviously, due diligence in the selection and contracting process will be crucial.
  • Insurance carriers are offering varying types of insurance coverage for data breaches and other cyber-liability issues. An independent broker can be invaluable in assessing the available insurance products.
  • Competent legal counsel can interpret and help to implement federal and state cybersecurity legal requirements. Counsel can structure an agreement between a company and a technical consultant that properly defines the requisite scope of services, that includes the necessary warranties, and that allocates risks in the event of a failure. Counsel can draft employee, contractor, customer and supplier agreements to limit certain liabilities and damages.

Let us know if we can help.

___________

Michael G. Trachtman is MEA’s general counsel and the President of Powell Trachtman Logan Carrle & Lombardo P.C., a 30+ attorney King of Prussia-based law firm that has represented businesses and business people for over twenty-five years.  He can be contacted at mtrachtman@powelltrachtman.com.  See www.powelltrachtman.com for more information.