We read about a major data breach occurring almost every other day. From credit card information (along with PIN codes) stolen from some of the largest retailers in America, to very personal health records, data of all kinds is falling into the wrong hands.
“This trend will likely continue as long as companies fail to realistically assess their own systems for security flaws. Hacking themselves to find and then plug any holes that are found is highly effective,” says attorney Richard Lutkus.
Based in San Francisco, he is among the handful of lawyers in the country who focus on “cybersecurity preparedness, data breach response, and data privacy,” as he explained, adding, “the best attorneys in this field have an expertise in digital forensics and cybersecurity which enables them to understand hacker techniques, strategies, and better assist breached companies.”
When a data breach occurs, a disturbing question pops into the minds of people whose data was stolen: “If my personal information is put to a wrong use, who is responsible?”
Another, equally important question should be asked by any company or professional who routinely gathers sensitive information about customers, clients or patients: “If we get hacked and data is stolen, is it all over? Is my goose cooked? Am I on the hook for any losses sustained by that event, or is there a way to defend myself?”
I’ll give you the answer in a moment, but first meet “very worried” Lisa, who is “16 years old and living in a small, rural California town with my parents, looking forward to reading You and the Law every week in our newspaper.”
Her email stated, “My father is a dentist and up in years. His office has all of his patients’ records stored electronically, which he accesses at home from his laptop by leaving the server always ‘on’ at the office. I mentioned this to a geeky friend and the next day he showed me dental records from dad’s office that he had hacked. He claimed to be doing this as a favor, to get my father’s attention about cybersecurity, and I believe him.
“I told dad, and he immediately changed passwords, but didn’t seem too bothered. How much trouble could that have gotten him into?”
Just ask a cyber lawyer
We ran Lisa’s story by Lutkus. This is a familiar tale to him.
“Dennis, I knew one Fortune 500 Company chief financial officer who used the same password for over 10 years. Most think it is a joke, but it was real and proved not so funny after his credentials were found in seven data breaches, which were used to hack the company’s email servers, spoof emails, and steal tens of thousands of dollars without anyone noticing for months.”
He points out, “What happens to large, multinational companies also happens to small dental offices, just like the one your reader is describing, where client or customer data is kept but they do not have good IT support to guard against being hacked. That’s a point I try to make clear. Just think of the financial damage that can be done to the dentist’s patients when their personal information is stolen. The theft of information is like a recurring nightmare, and difficult to clean up.”
Is there automatic liability for a data breach?
I asked Lutkus, “Does the simple fact that a data breach occurred always mean that someone is going to be held financially responsible?”
“Not always,” he replied. “But, there are a few ways that civil liability for a data breach can occur.”
1. Finding negligence. Ask, “What would a reasonable person or company do to reduce the chance of a data breach? If you are aligned with your peers in the industry, then you look less reasonable. If you should have had better protection but did not, then negligence could be found, which may result in financial liability.”
2. Even if you did everything that was required to prevent a data breach, when one occurs, did you do enough after the event to reduce harm to the people affected? Did you promptly notify them? Did you take immediate investigation and remediation steps which would be viewed as reasonable?
Assume that someone is doing something
“The more you have to lose — the greater the attractiveness of your data and customer information to a hacker — it is critical to develop active defense and data breach response techniques.
“Have a breach coach that can run your breach response under attorney-client privilege. There is no way to be 100% immune from attack, but having a response plan developed in advance, together with adequate cyber liability insurance from a reliable broker will be the greatest investment in security you will ever make,” he concluded.