Cybersecurity is no longer just a buzzword for IT personnel. It is a necessary talking point in boardrooms and business meetings. Last year alone, more than 1,000 businesses were subjected to cyber-attacks. About two-thirds of them learned about attacks on their networks from third parties. Just as embarrassing, most of them had been infiltrated for more than six months. They just didn’t know it.
As millions of consumers were subjected to “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees,” as is alleged in the pending class action against Target, hundreds of lawsuits and investigations were initiated by consumers, banks, regulators and shareholders. Little wonder a recent national survey of nearly 500 business directors found that cybersecurity is the No. 1 issue on their minds.
Utah’s Data Breach Statute
Most of the lawsuits and investigations involving cyber-attacks include common law claims for breach of contract or negligence, including claims against businesses for failure to provide adequate security to protect personal information and/or the failure to timely notify consumers that their personal information was breached or compromised. In Utah, a statutory basis exists for the attorney general to hold businesses liable for the same failures.
Under the Protection of Personal Information Act (the Utah Act), with few exceptions, businesses in Utah must implement and maintain reasonable procedures to prevent unlawful use or disclosure of personal information they collect or maintain. Personal information includes a person’s first name or first initial and last name combined with a social security number; a financial account number, or credit card or debit card number; or any security code, access code or password that would permit access to the person’s account; or driver’s license number.
When businesses that own or license computerized data that includes personal information become aware of a breach, they must determine the likelihood that personal information has been or will be misused, and if there is a likelihood, notify each person as soon as possible unless law enforcement asks them not to for investigative purposes. The only other reasons businesses may delay notification are to determine the scope of the breach and to restore the reasonable integrity of their security systems.
Failure to comply with the Utah Act can subject businesses to civil fines up to $2,500 per consumer and up to $100,000 for related violations involving more than one consumer. While not an independent basis for liability for consumers to assert in private lawsuits, the Utah Act at least establishes a baseline of notification procedures businesses should follow when personal information has been breached or compromised.
Federal Response to Data Breach Landscape
After numerous executive orders, proposed guidelines and directives to establish a cybersecurity framework, the federal government is considering cybersecurity legislation that may preempt the Utah Act. On March 25, bipartisan legislation being referred to as the Data Security and Breach Notification Act of 2015 (DSBN) was submitted to Congress. As presently drafted, if enacted the DSBN would apply to most businesses, would preempt all state data breach notification laws, would only require businesses to notify consumers if breaches are likely to lead to economic harm, and would expand the definition of personal information. As a single standard, the DSBN would have obvious benefits for businesses over the existing patchwork and evolving legislation and standards. Importantly, the DSBN would be enforced by the Federal Trade Commission, which would have authority to issue uncapped civil penalties.
For Cybersecurity, the Future is Now
The cybersecurity landscape is more complex than ever. Even leading cybersecurity experts admit they cannot prevent every intrusion or breach. Already there are cybersecurity issues relating to mobile apps and the Internet of Things, the network of embedded electronics, software and sensors that enable the exchange of data with manufacturers, operators and/or other connected devices (e.g., internet-connected TVs, gaming consoles and learning thermostats). Experts estimate that there will be 50 billion connected devices by 2020, as well as ubiquitous unmanned aircraft systems and autonomous robots also powered by big data and network connectivity.
Understanding cybersecurity legislation and industry standards is essential because they continue to evolve. Staying informed will be a challenge—and a necessity—for every growing business.
Romaine Marshall is a litigation and trial attorney at Holland & Hart based in Salt Lake City who represents clients in data intrusion, theft and loss cases. Tracy Gray is an intellectual property attorney at Holland & Hart based in Boulder who advises clients on data security, breach prevention and response strategies.