The Texas Bar Journal’s year-end update on Cybersecurity & Data Privacy law was once again provided by Shawn Tuma and addressed the following issues:
- Lawyers’ Cybersecurity and Data Breach Obligations that are required under Texas law and the ABA’s Ethics Opinion 483 titled Lawyers’ Obligations After
an Electronic Data Breach or Cyberattack
- Whether an IT service provider’s locking a customer out of its computer violates the Texas “hacking” law
- Whether a woman viewing pictures on her boyfriend’s iPhone violates the Texas “hacking” law
In a recent Wall Street Journal article, The Case for Protecting Small Firms from Cyber Lawsuits, the authors argue that, because smaller companies lack the resources of larger companies when it comes to protecting data, smaller companies should have legal protections to exempt them from facing the consequences of these laws.
While it seems this argument is based on a fundamental misunderstanding of the purpose of these laws, it does offer some productive suggestions and I found it interesting for another reason. The reasons the authors gave for arguing that smaller companies should be exempted from the laws are some of the same reasons I give to smaller companies when I explain why it is so important that they have appropriate cyber insurance coverage:
- Small businesses have the same obligations to protect data that larger companies have.
- Breach notification laws may have penalties of a certain cost per record breached, regardless of fault.
- Breach notification laws may require notifying those individuals whose data was breached, that their data has been breached.
- Breach notification laws may require providing identity theft protection services to the individuals whose data was breached.
- Individuals whose data was breached may sue and seek recovery of damages and legal fees.
Cyber insurance coverage that is appropriately tailored to meet the needs of a small business will provide them with protection against the risks listed above, and many more, such as the legal fees and costs of having an experienced attorney serve as their breach guide to advise them through the process of managing a cyber incident (see Why You Need a Cyber Attorney) and properly respond to the incident.
I have been practicing in the cybersecurity and data privacy areas of law for nearly two decades and have served as breach guide to hundreds of companies — one of the biggest lessons that I have learned in all of these years is that in many cases, it is not the initial incident that causes most of the harm, it is the failure to properly respond to the initial incident after learning about it that causes it to escalate.
Incident response is expensive. The legal fees, the fees for security services, forensic services, remediation, public relations, and identity theft protection, notification of consumers, and reporting to regulatory agencies — all of these things are very expensive but they are mandatory to properly respond to an incident, in most cases. When a business does not have the resources to pay these expenses, it is not able to properly respond to an incident and that is what can be most devastating of all for small and midsize businesses. That is why it is so critical that small and midsize businesses have appropriate cyber insurance coverage to step in and provide them with the resources needed to help manage and properly respond to such incidents.
Back in early 2012, I wrote a blog post about whether hacking a human would violate the federal Computer Fraud and Abuse Act. Shortly after publishing it, I received a call from a guy in Austin who said: “dude, someone finally gets it, I need your help!” … I responded that I was a lawyer, not a psychiatrist and that I was just kidding when I wrote that, kinda.
Now, here we are 6 years later and it seems this is becoming a thing more and more of a thing. What do you think? Vulnerabilities in brain implants used to treat Parkinson’s disease could be hacked by cyber attackers and used to control people, scientists have claimed.
Are you at IAPP – International Association of Privacy Professionals P.S.R. #PSR18 in Austin? If so, please come to our Thursday 10:30 – 11:30 session on Vendor Risk Management: Maintaining Relationships While Limiting Liability in Lone Star Ballroom A, Level 3. It should be great as I get to be with great panelists Tami Dokken and Melissa Krasnow and we will have Mark Smith as our moderator.
While you’re there pick up your copy of Bloomberg BNA’s Domestic Privacy Profile: Texas!
If you can’t make it, here is a link to the .pdf (hey, I know people!).