Improving data security should be a top priority for businesses – and lawyers need to advise their clients accordingly.
“Companies need to be really vigilant about their security,” Attorney Jeff Kosc, who specializes in intellectual property, information technology, e-commerce, and telecom law, at Benesch, Friedlander, Coplan & Aronoff’s office in Indianapolis, told InsideCounsel. “It needs to be a concern for every company.”
It becomes more of a concern given recent data breaches, the growing use of cloud computing, where a company's information is handed to third-party providers, and employers' adoption of "bring your own device" (BYOD) policies.
Companies are advised to be proactive and to assess risks and vulnerabilities ahead of time. They should involve different areas of the company in planning and, if large enough, have a chief information security officer (CISO) on board.
“The bad guys are out there,” Kosc said, pointing out that cyber thieves – especially from foreign countries – realize they can save millions or even billions of dollars if they steal trade secrets and do not have to spend money on the research and development of new products.
U.S. data security requirements often differ by sector. For instance, in healthcare the Health Insurance Portability and Accountability Act (HIPAA) includes privacy and security rules for protected health information, and in the financial sector the Gramm-Leach-Bliley Act requires financial institutions to protect sensitive customer data.
“We’ve got strong protections already in place in these areas,” Kosc said. “It doesn’t need more attention.”
The area where there could be new regulation is payment cards, especially after the widespread breach at Target.
Kosc points out that credit cards in the United States use a magnetic stripe, which is considered a lower standard of security than what is used in many other parts of the world.
After the Target breach in November and December of 2013, there have been calls for the current magnetic stripe and signature system to be replaced with a "Chip and PIN" system using the EMV chip, named after Europay, MasterCard and Visa. Rather than presenting the same static data on every swipe, the chip computes a unique cryptogram for each transaction, so data captured at one terminal cannot simply be replayed to make another purchase.
In addition, the payment card industry announced that starting Oct. 1, 2015, liability for fraudulent transactions shifts to whichever party, merchant or issuer, has not adopted chip technology; ATMs and gas stations were excluded from that date.
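Why the chip matters in practice, as an added illustration that is not part of the original article: the toy model below is a deliberate simplification of EMV, not the real specification (a real card derives session keys and computes an ARQC with 3DES or AES; here an HMAC-SHA256 stands in for the cryptogram, and the card number, amounts and key are constructed sample values). It shows the property the paragraph above describes: skimmed magnetic stripe data authorizes again and again, while a captured chip cryptogram is rejected on replay because the issuer checks a per-transaction counter and the cryptogram is bound to that transaction's data.

```python
"""Toy model: static magstripe data is replayable, a per-transaction
cryptogram is not. Simplified illustration, NOT the EMV specification.
All card data below is constructed sample data, not a real account."""
import hashlib
import hmac
import os

# --- Magnetic stripe: static data, copied once, valid until the card expires
TRACK2 = "4111111111111111=2512101"  # constructed sample track-2 data


def magstripe_authorize(track2_presented, issuer_records):
    """The issuer can only check that the static track data matches its records."""
    return track2_presented in issuer_records


# --- EMV-style chip: the key never leaves the card, the cryptogram changes per transaction
class Chip:
    def __init__(self, pan, key):
        self.pan = pan
        self._key = key      # issuer-provisioned key, never exported to the terminal
        self.atc = 0         # application transaction counter (ATC)

    def generate_cryptogram(self, amount, unpredictable_number):
        """Return (atc, cryptogram) bound to amount, terminal nonce and counter."""
        self.atc += 1
        msg = f"{self.pan}|{amount}|{unpredictable_number}|{self.atc}".encode()
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class Issuer:
    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan):
        key = os.urandom(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return Chip(pan, key)

    def authorize(self, pan, amount, unpredictable_number, atc, cryptogram):
        key = self._keys.get(pan)
        if key is None or atc <= self._last_atc[pan]:
            return False  # unknown card, or a replayed/stale counter
        msg = f"{pan}|{amount}|{unpredictable_number}|{atc}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cryptogram):
            return False  # cryptogram not bound to this transaction
        self._last_atc[pan] = atc
        return True


def demo():
    """Skim one transaction of each kind, then try to reuse it at a second terminal."""
    results = {}

    # Magstripe: the skimmer's copy authorizes exactly like the original card
    skimmed_track = TRACK2
    results["magstripe_replay"] = magstripe_authorize(skimmed_track, {TRACK2})

    issuer = Issuer()
    card = issuer.enroll("4111111111111111")

    # Genuine chip purchase: terminal contributes a fresh unpredictable number
    un = os.urandom(4).hex()
    atc, arqc = card.generate_cryptogram("19.99", un)
    results["chip_genuine"] = issuer.authorize(card.pan, "19.99", un, atc, arqc)

    # Attacker captured (un, atc, arqc) from that purchase and replays it verbatim
    results["chip_replay_same_data"] = issuer.authorize(card.pan, "19.99", un, atc, arqc)

    # Attacker reuses the captured cryptogram at a new terminal with a new amount
    new_un = os.urandom(4).hex()
    results["chip_replay_new_terminal"] = issuer.authorize(card.pan, "500.00", new_un, atc + 1, arqc)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'AUTHORIZED' if ok else 'DECLINED'}")
```

The magstripe case authorizes the replay; both chip replays are declined, the first by the counter check and the second because the cryptogram does not match the new amount and terminal nonce. The toy omits everything real EMV adds on top (key derivation, issuer scripts, offline data authentication), but the replay resistance shown here is the core of the argument for chip cards.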
Just how much do businesses lose from data breaches? The Ponemon Institute and Symantec estimated that a breach costs businesses $188 per record lost. In 2007, Forrester Research estimated breach costs of $90 to $305 per record. Applying the Forrester range to the 40 million cards compromised at Target gives a cost of $3.6 billion to $12.2 billion, according to a government study.
When weighing the cost of a breach, Kosc points to expenses such as cleanup, lost business time, investigating the cause, remediation and possible action by government regulators.
Government agencies may also respond to a breach at the state level, for example through an attorney general's office, and at the federal level, through the Federal Trade Commission or the Securities and Exchange Commission. Foreign governments may also have some authority.
The Target breach led to the theft of personal information, including the names, addresses, phone numbers and e-mail addresses of up to 70 million customers. Estimates of the resulting fraudulent charges ranged from $240 million to $2.2 billion, according to a report from the Congressional Research Service. Worse, there has been speculation that the breach might have been preventable.
After the Target breach, many members of Congress focused their attention on data security and data breaches. Hearings were held on preventing data breaches, improving data security standards, improving protection of consumers’ personal data, and providing more notice to consumers when a compromise takes place.
Members of Congress are considering requiring companies to notify consumers when data are breached, increasing the FTC's authority over companies' data security and possibly enacting a federal data security standard. At present there is no comprehensive federal law on the protection of data, nor a comprehensive federal law requiring notification of breaches. On the other hand, 47 states have data breach notification laws; Alabama, New Mexico and South Dakota do not.
The FTC has some authority in the area, according to InsideCounsel, and has reached 50 settlements related to data security since 2001. But as of now, the FTC cannot impose civil penalties for unfair or deceptive trade practices related to data breaches. Some senators want the FTC to be given this authority.
Some in Congress have also argued that the government should set a minimum acceptable standard of data security, but others in Congress oppose such a plan.
In the meantime, the best advice for businesses is to be prepared. Data breaches are costly and need to be avoided as far as possible.