The last session of the 2023 Summer Membership Meeting education program was a presentation by Kenneth K. Suh and Alexander R. Cox of Locke Lord entitled Privacy And Cyber Exposures From The Collection Of Information. A video replay of this presentation is available in the AIRROC On Demand library.
Key takeaways from this excellent presentation on the most up-to-date regulation of and liability from privacy and cyber exposures:
- Public and private companies can face cyber liability years from now from their (mis)management of sensitive data in the past.
- Cyber liability extends beyond the usual mismanagement of personal data collected from individuals (e.g., Social Security numbers, medical information) to corporate, proprietary data gathered from or shared with business partners.
- State and federal regulators were previously satisfied with reasonable explanations from companies about the cause of a data breach. Now, insurance regulators seek more specific, technical explanations from insurers about the “how, what, where and why” of a breach, and are less forgiving of companies that plead ignorance of the regulations.
- While many states are struggling to develop proper regulations, the New York Department of Financial Services (DFS) has enacted Cyber Security Regulation 23 NYCRR 500, which is the new standard. It requires protection of critical operating and information systems, and non-public information, and mandates notice to DFS no later than 72 hours after a cyber breach.
- In addition to relying on notice from hacked companies, regulators are now independently scouring the web to identify companies within their jurisdiction that suffered a breach and asking them to explain why they failed to notify the regulator.
- Many state cyber security laws have a “harm” threshold which requires evidence of the potential for actual harm from the breach (e.g., identity theft). This allows companies to avoid notifying the regulator if a security breach involved data that could not be used to cause harm to the victimized consumer or company.
- Many states are scheduled to enact consumer privacy laws in the near future. Some of these laws extend the mandatory notice requirement to data breaches that occur (a) beyond their borders (e.g., a regulated company in state A suffers a data breach in its branch office in state B) and (b) outside of their regulated company (e.g., an entity in the chain of possession of your data suffers a breach in another jurisdiction).
- A recent, major development in assessing cyber risk is the statutory requirement in some states for companies to perform “data protection assessments,” essentially a written audit report gauging the risk of cyber breaches based on the type and sensitivity of data companies possess and how they protect it.
- Class action lawsuits filed on behalf of victims of data breaches have increased in the last 10 to 12 years. Perhaps fueled by lawyers, consumer-plaintiffs are alleging that breaches must have occurred because hacked companies and/or their employees negligently or recklessly mismanaged private data. Given the number of victims and complexity of these cases, several have lasted over 10 years.
- With the recent increase in companies’ collection and use of biometric data (e.g., facial, thumbprint or eye recognition), states are passing new laws giving aggrieved plaintiffs a private right of action against hacked companies and awarding them statutory damages.