Some businesses are not properly aware of the cybercrime risks they face and the related laws. Many have inadequate cybersecurity planning, and their cybercrime response falls short.
Recognizing these realities, government has imposed legal duties regarding cybersecurity and data breach notification. Every single state in the country has laws on the topic. This includes Connecticut and New York, which have each made recent changes to increase the duties of organizations to protect their data. These laws apply to every business, regardless of size or sector.
Before I summarize the laws, consider that many of the legal obligations mesh well with good business management and practice. Businesses should protect themselves and their customers. Good cybersecurity prevents cybercrime, such as ransomware, data breaches or email-based funds transfer frauds, and saves the resultant time, expense and stress.
Cybercrime can cripple operations, be costly and damage reputation. Every business holds significant confidential data that needs to be protected, including personal information of customers and employees, and proprietary or financial data. Standing alone, a data breach is a serious crime, but it is also a precursor to other crimes such as identity theft. A sound cybersecurity program protects and aids in the efficient management of information assets.
The legal principles regarding cybersecurity are constantly evolving. The first takeaway is that good cybersecurity prevents bad events and also puts businesses in general compliance with the spirit of the laws.
Then we should look to negligence law, involving legal principles that have existed for hundreds of years. Businesses should be reasonable and diligent in their protection of computer systems and data, not sloppy or negligent. Few would argue with this guidance.
Contract law is also relevant since many contracts and agreements implicate cybersecurity and cybercrime. Contract terms may impose or reduce duties, and affect potential liability and damages. Insurance is one type of contract to consider.
After these traditional legal concepts, we look to specific laws relating to data, cybersecurity and data breach reporting. Both New York and Connecticut have such laws and they apply to every business in the state, along with every business holding data of a state resident. Essentially, the laws require two things: reasonable cybersecurity measures, and reporting of data breaches to the government and to consumers whose data was compromised.
With provisions effective in 2019 and 2020, New York made important and notable updates to its cyber laws through the SHIELD Act, enhancing the data breach reporting requirements and creating the new reasonable cybersecurity requirement.
Connecticut also updated its cyber laws effective this year. On top of the existing duties to safeguard information and report breaches, Connecticut boosts their notification statute and attempts to incentivize better cybersecurity.
The incentive is a small amount of protection from liability for businesses who were working hard to prevent a cybercrime but nonetheless fell victim. It exempts the organization from punitive damages if the business had previously adopted and properly followed one of several listed cybersecurity frameworks. The business would remain liable for compensatory or other types of damages.
The listed cybersecurity frameworks are respected and first-rate, but can be complex, technical and voluminous – too much for many organizations. Small- and medium-sized organizations should consider my framework Bandler’s Four Pillars of Cybersecurity as an excellent starting point that is understandable to all.
Businesses should evaluate and improve their cybersecurity plan which will protect the organization, protect customers and help with legal compliance. Businesses that take continuous steps towards better protection can prevent a serious cybercrime while also improving efficiency.
John Bandler is an adjunct professor at Elisabeth Haub School of Law at Pace University who teaches about law as it intersects with cybercrime, cybersecurity and privacy. He is the principal and founder of Bandler Law Firm PLLC, a law practice that helps organizations navigate these areas.