Stuart Gerson, Member of the Firm, presents “Litigation and Legislation Developments Enhance Cyber Risk for Companies, Their Officers, and Their Directors: What to Do About It” at the 2015 New York Metro Joint Cyber-Security Conference (NYMJCSC).
Companies and their officers and directors, all of whom have experienced or will experience data breaches, often entirely unrelated to negligence, are being bombarded by expansive litigation fomented not only by private class-action lawyers but also by government agencies, particularly the Federal Trade Commission, the Securities and Exchange Commission, and the Office for Civil Rights of the Department of Health & Human Services. Legislative initiatives actively being considered in Congress are likely to be counterproductive in this area without substantial industry motivation.
- A government that can’t protect its own data, and which follows standard industry practices when its data are compromised, is attempting to impose standards on private parties that it cannot meet itself.
- Those private parties are often victims of hacker-initiated crime but are treated as law violators themselves.
- Congress has been considering cybersecurity legislation for over two years, but the tension between allowing information sharing and protecting privacy has prevented resolution. Ironically, neither of these issues has much to do with addressing the needs of cyber-crime victims whose customers’ and clients’ data are being stolen. They need an industry standard of due care to insulate themselves from liability unless there is gross negligence.
- Federal and state administrative agencies increasingly are bringing regulatory cases based on laws like HIPAA, consumer protection statutes, and the securities laws. Companies are being fined millions and regulatory sanctions increasingly are being directed, not only at companies themselves, but also at officers and directors.
- Notwithstanding the fact that, because of credit monitoring and other after-the-fact protections, consumers are rarely injured economically even in mass data breaches, the risk that state courts, and increasingly federal courts too (although there is no relevant federal cause of action), will recognize standing and allow class action status is growing.
- There is a substantial risk that companies that are providers to government programs in areas like health care, defense, and education might be subjected to punitive treble damages cases under the federal False Claims Act.
- Since companies are truly unable to protect themselves fully against cyber risk, cyber insurance, specifically tailored to individual company conditions, is a necessity.
- Federal legislation of a preemptive nature is needed to establish practice standards that create a presumption of compliance. The NIST guidelines are a useful basis for this.
- Courts must be challenged to hold the line on requiring injury in fact and typicality of claims before acknowledging plaintiff standing or certifying class actions. Getting strong appellate and Supreme Court rulings is key.
- Every cyber data holder must have a thoroughgoing compliance program that reports both to management and, separately, to the Board of Directors.
- Effective compliance doesn’t include just the easy measures like encryption and backup, but also systems that are constantly monitored and subjected to “war games” testing.
- Especially given the threat of state-sponsored data invasions, effective policy depends on industry/government cooperation at a level not currently present.
For more information, visit NYMJCSC.org.