The Data Breach Nightmare
It is Friday night and you are about to eat dinner at the trendy new restaurant down the block when your phone rings. It is not good news. You are informed by your IT manager that your company's servers have been hacked and it is likely that your customers' private information has been stolen. What do you do? If you don't know the complete answer to that question then you have work to do. This is a nightmare scenario for many companies but one that happens all too frequently.
Liability for a data breach comes from many different directions and there is little time after a hack to figure things out. It is crucial to know your potential liability before a data breach occurs so you can have a response plan in place.
There is no single regulatory authority or statute that governs data breaches in the United States. Instead, our system is made up of many different industry, federal, and state protection laws that mostly give rise to civil liability. For instance, the following regulations relate to data privacy:
- Gramm-Leach-Bliley Act (GLB): This act requires financial institutions to provide notice to consumers about what information the institution collects from the user and how that information is used. It also includes a Safeguards Rules that requires institutions to create a plan for keeping that information safe.
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA specifies uses and disclosure of personal health information and provides extensive security measures that entities must follow to protect that information.
- Children's Online Privacy Protection Act (COPPA): COPPA adds additional safeguards to personal information of children under 13 years of age.
- Federal Trade Commission (FTC) Act: The FTC Act provides a catch-all statute for the federal government to combat "unfair or deceptive acts or practices in or affecting commerce," a standard met by nearly all data breaches.
- California's Online Privacy Protection Act: This act requires entities to provide notice to consumers about the type of personal information collected, how that information is used and shared, and how that information can be changed, among others. Many other states have a similar provision.
- Massachusetts 21 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth: This regulation requires any person or entity that holds information about Massachusetts residents to use specific, technical, data security safeguards.
- Nevada Statute 603A: Security of Personal Information: This statue requires businesses to encrypt personal information when transferring information outside of the organization.
- Texas Deceptive Trade Practices Act (DTPA): In Texas, a private cause of action for theft of personal information may arise out of the DTPA. This is because a consumer provides personal information with the understanding that it will be protected. Many other states have similar statutes.
Notification is one of the most pressing concerns after a data breach. Nearly every state requires data owners to notify affected individuals in the event of unauthorized access to protected personal information. Many states also require notice to the state's attorney general or other regulatory agency. The time period for notice is typically vague but it is a common requirement for notice to be given in a reasonably prompt period. However, that is not always the case. For instance, Texas requires notice to be given "as quickly as possible" and a civil penalty is possible for any delay. Tex Bus. & Comm. Code § 521.053(b). So when a hacker steals your data what do you do? Ideally, you swiftly execute an in-place plan that complies with all of the specific regulations that apply to your data store—a plan that has been vetted through legal counsel and business executives. But the best strategy is to recognize that hackers want your data and to be proactive in protection. In part two of this series we will explore ways to keep your data safe.
The opinions expressed are those of the authors on the date noted above and do not necessarily reflect the views of Fish & Richardson P.C., any other of its lawyers, its clients, or any of its or their respective affiliates. This post is for general information purposes only and is not intended to be and should not be taken as legal advice. No attorney-client relationship is formed.