Andrew Rosner gives presentation on cyber-security.


Every Business Should Implement a Thorough Cyber-Security Program

The law is rapidly evolving to impose substantial burdens on individuals and businesses who maintain personal information about others. Laws impose a duty to securely maintain personal information to avoid a data breach. Laws also impose a duty to give notice without delay to the affected parties and government authorities if there is a data breach. The trend is towards imposing a duty to maintain privacy. Government agencies have enormous power to enforce the laws, and to impose liability and penalties. This is so regardless of whether or not the data breach causes any harm.
Failure to comply with reasonable security practices, whether promulgated for or standard in a particular industry or a particular company, may breach laws and regulations and also subject the company to liability and penalties.
Businesses must take the steps that are necessary to protect themselves from violating the laws and regulations in the jurisdictions where they do business. Liabilities and penalties can be catastrophic. Failure to protect your business from this risk can literally result in the failure of your business.
Although there is no unified federal law governing cyber-security, there are several federal laws and regulations that deal with the subject. Several federal agencies regulate cyber-security issues. In addition, all 50 states have laws governing cyber-security, and the laws are not identical. Accordingly, cyber-security compliance requires knowledge of the laws and regulations in every state where you do business. In addition, the European Union has cyber-security regulations that affect every business that does business in the European Union, no matter where it is located. Any business that does business internationally must comply with the laws and regulations of every country where it does business.
The most important lesson to be learned is that all companies should implement a cyber-security compliance program. Companies should adopt statutorily compliant policies, procedures, and protocols to protect the privacy of their data, prevent a data breach, and give timely notice when one occurs. A thorough cyber-security program involves initial evaluation and ongoing review of all of the company’s business practices, initial evaluation and ongoing review of all contracts, and initial evaluation and ongoing review of the company’s vendors’ cyber-security practices.
Every business should institute a cyber-security compliance program. The program should take into consideration the considerable overlap of the laws and regulations from many jurisdictions and agencies. An effective program can result in full compliance and protect the business from liability and penalties.
Private Cause of Action for Data Breaches
Common law provides a private cause of action for harm causally related to the negligence of others. To date, common law private causes of action have not been an effective remedy for data breaches because of the difficulty of proving harm proximately caused by the data breach.
Although laws providing an effective private cause of action for victims of a data breach, without proof of harm, have been slow to arrive, that is the direction the law is heading. California is a leader in enacting laws protecting consumers. The California Consumer Privacy Act of 2018 notably provides a private cause of action for data breach incidents. Before the CCPA, California statutes provided for a private right of action for violations of their data breach notification and information security statutes. However, that private right of action did not provide for statutory damages, so harm still had to be proved.
Importantly, the CCPA provides for statutory damages of between $100 and $750 per consumer per incident for certain data breaches. This will enable enterprising lawyers to bring class action suits imposing substantial damages on companies that fail to implement thorough cyber-security programs. Other states have historically followed California’s lead in consumer protection legislation, so it is reasonable to expect similar legislation to be passed in other states in the near future.

A Short, Focused History of Cyber-security Regulation
The following are some examples of cyber-security laws and enforcement proceedings.
HIPAA
Laws have been enacted specifically protecting health care information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) resulted in a privacy rule and a security rule. The privacy rule established national standards for the protection of health care information. The security rule established a national set of standards for protecting certain health information that is held or transferred in electronic form.
There are substantial penalties for violation of HIPAA. 42 U.S. Code Section 1320d-6, “Wrongful disclosure of individually identifiable health information,” provides for penalties of up to $250,000 and imprisonment for up to 10 years.
Because HIPAA is perhaps the oldest law affecting cyber-security, and we have the most experience with it, HIPAA provides a precedent for what we might expect with government action enforcing other cyber-security laws. There have been several notable HIPAA fines to date.
Advocate Health Care in Illinois paid $5.55 million for failing to implement physical, technical, and administrative security measures sufficient to reduce the risks to electronic personal health information in all physical locations and on all portable devices to a reasonable and appropriate level.
New York-Presbyterian Hospital and Columbia University (New York City) paid $4.8 million because neither had conducted an adequate risk analysis of all of its information technology systems, and neither had an appropriate risk management plan. Also, New York-Presbyterian did not adequately secure its database or follow its own information access policies.
Cignet Health in Maryland paid $4.3 million for violating the privacy rule and denying patients access to their medical records when requested.
The University of Mississippi Medical Center paid $2.75 million for not initiating any risk management activity until after a breach and not notifying each individual whose protected health information was compromised in the breach.
CVS paid $2.25 million for failing to implement adequate policies and procedures to appropriately safeguard patient information, and for failing to adequately train employees.
New York Presbyterian Hospital paid $2.2 million for allowing a film crew to film patients without their consent while making a documentary at the hospital.
New York General Business Law
New York General Business Law Section 899-AA applies to any individual or business that conducts business in New York. It requires that notice of a data breach be given expediently and without delay. When there is a data breach, the Attorney General may bring an action. In an action brought by the Attorney General, the Court has the power to issue an injunction, to award damages for actual costs or losses incurred by a person entitled to notice, and to impose a civil penalty of up to $150,000.
In a recent case, Hilton was fined $700,000 for failure to timely respond to a data breach. Hilton did not give notice of two data breaches until 287 days after receiving notice of the first data breach, and 100 days after receiving notice of the second.
Also, in the Hilton case, Hilton was not in compliance with Payment Card Industry Data Security Standard (“PCI DSS”) requirements. Failure to maintain reasonable security practices violated state laws relating to consumer protection and the prohibition against deceptive acts or practices in doing business.
The Hilton case illustrates why it is crucial to give timely notice after a data breach.
Another lesson is that a company that experiences a data breach should call a cyber-security lawyer immediately. A cyber-security lawyer knows what action to take. Importantly, any investigation by the lawyer is protected by the attorney-client privilege. Hilton hired a private forensic investigator, and its damaging report was part of the evidence against Hilton. Had Hilton hired a lawyer, and had the lawyer’s team prepared the cyber-security report, it would have been protected by the attorney-client privilege, not disclosable to the government regulators, and unavailable as evidence against Hilton.
Cyber-Security Requirements For Financial Services Companies in New York
The introduction to the new cyber-security regulations for financial services companies in New York State provides that “It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cyber-security program and for all regulated entities to be subject to minimum standards with respect to their programs.”
Every covered entity must maintain a cyber-security program, have a cyber-security policy, conduct a risk assessment, designate a qualified, responsible individual, conduct monitoring and testing, maintain records for an audit trail, limit access privileges, include written procedures, guidelines and standards, conduct periodic risk assessments, and utilize cyber-security personnel and intelligence.
In addition, each covered entity shall implement written policies and procedures designed to secure the information accessible to third parties. Multi-factor authentication, limitation on data retention, training and monitoring, encryption of nonpublic information, and an incident response plan are required. Cyber-security events must be reported.
The regulations require a senior person in every financial services organization to sign an attestation every year certifying compliance with the regulations.
European Union General Data Protection Regulation
The European Union General Data Protection Regulation has been described as the most important change in data privacy regulation in 20 years. The regulation will fundamentally reshape the way in which data is handled across every sector, from healthcare to banking and beyond.
The EU regulations apply to all companies processing personal data of EU residents, regardless of the company’s location.
Breaches can be fined up to 4% of annual global turnover or 20,000,000 euros, whichever is greater.
Consent for use of personal data must be clear and distinguishable from other matters, provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw as it is to give.
Breach notifications are mandatory within 72 hours. Data processors are required to notify their customers “without undue delay”.
Consumers have the right to access their data, to have it erased, and to transfer their data to another controller.
Companies must have data protection officers.
California Consumer Privacy Act
California is home to Silicon Valley, the only industrial park larger than Long Island’s own Hauppauge Industrial Park. It also has an economy larger than most nations, and is a leader in adopting laws and regulations affecting technology. It is expected that its recently enacted cyber-security laws will be copied by other states.
The California Consumer Privacy Act requires organizations to obtain consent from individuals to collect and use their data, and to disclose how data is used. It grants consumers the right to request that a business disclose the categories and specific pieces of information it collects, the sources of that information, the reasons why the business collects and/or sells that information, and the categories of the third parties that information is shared with. To comply with the CCPA, businesses will need to understand the details of the data they collect, how they collect it, and where they store it.
Notably, as discussed above, the recent amendments provide a private right of action for data breach incidents.
The Solution: a Cyber-security Compliance Program

Cyber-security compliance programs must address 4 factors on a continual basis: 1) risk assessment, 2) risk management, 3) security implementation, and 4) program maintenance.
Risk assessment by qualified experts spots issues and vulnerabilities. Risk management addresses the methods for dealing with risk: it must be reduced, transferred, avoided, or accepted. Security implementation uses available know-how, technology, protocols, training, and vigilance to protect data and avoid incidents. Program maintenance ensures the program is functioning to protect data and privacy, as well as to protect the company from liability.
By hiring professionals in cyber-security to implement a compliance program, businesses can protect themselves from potential catastrophic liability.
About the Author

Andrew Rosner is a lawyer with almost 40 years of experience. As a litigator, he has won more than $50,000,000 for his clients. Representing individuals and businesses, his legal planning has saved clients millions more. Andrew Rosner has additional qualifications and training as an insurance broker, so he is focused on planning to reduce risk. In the field of cyber-security, his team has more than 30 years of experience in information security. He and his team are available to provide a confidential risk assessment, and of course to implement a thorough cyber-security compliance program. He has offices in Nassau and Suffolk Counties. He can be reached at (516) 228-1050 and by email at andrewrosner@live.com.