
Striving to Avoid Cyber-Related Lawsuits

Businesses must exercise caution when gathering, storing and/or disseminating data.

In an era when even “ultra secure” financial institutions have data breaches – and cybercriminals are lucratively targeting businesses of all sizes – companies that electronically gather, store or share sensitive data should take steps to ensure that if they are “hacked,” they can avoid or minimize lawsuits from any affected parties, including employees.

Cybersecurity Technicalities

Experts say there is no such thing as completely impenetrable cyber defenses; hackers are increasingly sophisticated and may target companies with numerous tactics, including, but not limited to, undetectable malware, spear phishing and phishing. Nonetheless, qualified information technology (IT) professionals can bolster companies’ cyber defenses with firewalls; employee training (e.g., teaching workers not to click on suspicious e-mail links and ensuring that e-mails received from colleagues are authentic); physical security for data servers and associated hardware; and other policies and procedures.

Fernando M. Pinguelo, Esq. (CIPP/US), partner and chair, cyber security & data protection group at the law firm of Scarinci Hollenbeck, LLC, adds, “For starters, know exactly what personal information you have in your files. Only after a business truly understands what personal information is collected, used, stored, shared, etc., can IT begin to engage in the essential first step of assessing security vulnerabilities. Contrary to conventional wisdom, this is not just an IT problem. Computer security implicates a cross-section of the workforce such as HR, sales, marketing and, ultimately, the end user of the system – the average employee. Once businesses engage all relevant elements of their business, they can determine the best ways to secure the information in a way that minimizes liability.”

If companies are in industries with certain cybersecurity standards (such as those issued for financial institutions), they should comply with all associated guidelines. The Federal Trade Commission’s “Start with Security: A Guide for Business” can also help businesses develop stronger security practices.

Pinguelo explains, “The Guide introduces businesses to 10 sound practices that businesses of all sizes should be using. While businesses may consider this guide helpful, it will undoubtedly be what regulators turn to during investigations if [your] business is unfortunate enough to suffer a breach that captures the attention of authorities.”

Taking an “above and beyond” security approach can also be helpful when attempting to mitigate possible lawsuits. Jonathan D. Bick, chair of Brach Eichler’s patent, intellectual property and information technology department (who is also an adjunct professor at Rutgers University’s School of Law), explains, “You don’t have to stop hackers; all you have to be able to do is go before an investigative body – in worst case, a jury – and say, ‘Yes, a horrible thing has happened – data has been stolen. But, the technology that I have put in place is better than the average.’

“That is a winning argument, because I have yet to meet a jury that says, ‘Oh, yes, you did better than the average, but that wasn’t good enough.’ … Again, it is making a determination: ‘What is the average procedure?’ Then, [it is a matter of] doing a little bit more.”

User / Party Consent

For companies dealing with sensitive business-to-business data, attorneys often recommend specific legal contracts. These agreements can strive to indemnify companies from legal exposure by ensuring all parties are aware of the risks and other factors.

For companies that have Internet users visiting their websites, “Terms of Use” sections on the websites are forms of contracts that can also help defend against possible lawsuits. While it can be argued that website users do not actually read these agreements, they can nonetheless hold great value. These stand-alone terms of use may include, for example, indemnification clauses, limitations of liability, class action waivers, arbitration clauses, or specifically adopting and making the privacy policy part of that contract.

Bick explains, “The idea is that if you have consent from the people from whom you have collected data to do with data as you choose, and to protect it as you choose – if they have given you consent, you are well on your way. The consent has to be reasonably given, and it has to be well understood.”

Of course, law is a vast and complex field, and each company should receive assistance in drafting, displaying and tracking a website’s terms of use agreement.

Cybersecurity-Related Insurance

Assuming companies take appropriate IT steps, follow related policies and procedures – and also have legal contracts and/or terms of use agreements in place – what insurance should they obtain? Of note, some insurance products have cyber-related exclusions.

Brach Eichler’s Bick says, “In the case of hackers, you really only need one element, which is paying damages. With respect to misusing data, you really only need one [other] aspect of the insurance, which is legal defense. Most legal defenses of claims of misuse of data are misplaced; that is to say that most juries do not convict most people who are charged with misusing data. However, the cost of defending can be great, and, so, in the instance of misusing data, look to an insurance policy which pays your attorneys’ fees and [obtain] the exact complement, with respect to data loss. Data loss is all about paying compensation for data loss.”

Scarinci Hollenbeck’s Pinguelo says, “Although some recent cases have held that certain General Liability policies may cover some data breach incidents, more likely than not, today’s General Liability policies would not. So, increasingly, businesses are shopping for specialty cyber policies that are tailored to address breach incidents. It may be a good idea for businesses – especially those that regularly handle personal information – to consider a cyber policy. Importantly, such policies often include access to resources and a team of professionals experienced in breach response, which can help a business mitigate a breach’s impact on its operations and liability. Time is of the essence when a breach hits, and you want to be ready when it does – access to an experienced team of professionals helps immensely. However, all such cyber policies are not created equal, and I find that those nuances – which can mean the difference between coverage and no coverage – have not resonated down to general brokers yet. That’s why I turn to brokers whose specialty is the placement of cyber insurance.”

Where Does a Business Begin?

Attorneys generally agree that companies should speak with qualified experts who can point them in specific directions. For example, an attorney might say, “Oh, you also need an insurance broker,” and an insurance broker might say, “Oh, you also need an IT expert who can create quality cybersecurity defenses for you.”

Khizar A. Sheikh, member and chair of the privacy and cybersecurity law group at Mandelbaum Salsburg P.C., says, “I think the valuable service we as professionals can provide to our clients – or potential clients – is being able to see the risks, and the potential solutions, and then being self-aware enough to say, ‘I can handle that for you.’ Or, ‘You are better served with ‘this’ professional, to give you advice on this.’ Other professionals can get pulled in – depending on what the issue is – but, that’s why it is crucial to be working with a professional who can see the landscape, and who is honest enough with themselves, and also with the client or potential client, or the business owner, to say: ‘This could be an issue. Let’s go try to figure out if this is something we have to worry about – or not.’”

 
