Cybersecurity and the specter of litigation

A recent Sedona Conference dialogue exposed the many ways litigators have attacked cybersecurity issues

These days, conversations about enterprise risk are often dominated by the topic of cybersecurity. One aspect of this risk involves potential civil liability for cybersecurity problems, especially where personally identifiable information (PII) is exposed. The Sedona Conference, long considered a bellwether of e-discovery thought leadership, has set its sights on cyber liability. At a recent Sedona Conference dialogue bringing together a diverse group of judges, law enforcement officers, prosecutors, regulators, corporate counsel, cybersecurity consultants, plaintiff and defense lawyers (and probably others), several theories of cyber liability were discussed.

Data breach notification laws provide a rich source of potential claims where cybersecurity is breached. At last count, 46 states have enacted such laws, and these laws are based on varying definitions of PII. In addition, federal laws aimed at certain industries provide other definitions of PII. Data elements that fall under the definitions of PII in these laws include Social Security numbers, driver’s license numbers and account numbers. Companies have often been sued for allegedly failing to disclose required information about security breaches in a timely manner. However, because the definition of PII varies among state and federal laws, business enterprises face vexing challenges in assessing the scope of their legal obligations and in developing appropriate security safeguards for different data and systems in light of those obligations.

Contributing Author

Adam Cohen

Adam Cohen is Managing Director at Berkley Research Group and a Certified Information Systems Security Professional (CISSP) and former practicing attorney who for more than 20 years...
