As we move into the second month of 2019, we’d like to give an overview of the trends we see developing in the cybersecurity and data privacy area for the year. We’ll be sure to elaborate on these areas with more details as they unfold.
State legislation continues to move the data privacy ball down the field. The Super Bowl is over, but the analogies continue.
As of 2018, every state legislature had enacted a data breach notification law. This leads us to ask what is next for Justice Brandeis' laboratories of democracy? State governments are now passing laws to protect the personal information of their residents.
Following the footsteps of the California Consumer Privacy Act, Washington would be the second state to adopt a comprehensive privacy law, emulating the consumer rights principles found in the European Union’s General Data Protection Regulation (GDPR). What do California’s and Washington’s laws mean for US companies? Without a federal law, businesses may struggle to stay abreast of the compliance requirements for these well-intended but patchwork legislative solutions.
Cybercrime will find targets that weren’t vulnerable before. It is harder to play defense than offense.
Criminal behavior is often described as a function of opportunity and risk, balancing the value a potential victim offers against the criminal’s perception that a victim is an easy or difficult target. However, unlike traditional crimes, cybercrime does not require physical proximity between the attacker and the victim.
The virtual nature of cybercrime allows single criminals to perform multiple crimes in several locations in rapid succession. This allows criminals to launch hundreds of ransomware attacks against individuals in multiple states each night, and demand a $100 bounty to unlock the infected computer – clearing thousands of dollars per day. On the other side of the cybercrime spectrum is Ryuk, a “big game hunting” threat, targeting large organizations with high ransoms. In the face of these evolving threats, IT professionals and corporate decision makers must accept that cybersecurity will be a Sisyphean task that we all must shoulder.
Data protection liability and cyber insurance coverage are evolving. Judicial recognition of (if not sympathy for) the multitude of data breach threats is expanding.
Like our state legislatures, our state and federal courts are evolving in their approaches to liability in the digital age, at what would normally be considered a feverish pace. In the last two years, the D.C. Circuit, Eighth Circuit and a U.S. District Court in northern California have ruled that plaintiffs had standing to bring lawsuits based in part on the risk of future harm of identity theft.
Similarly, in the summer of 2018 we saw the Second and Sixth Circuit Courts of Appeals publish decisions in two spear-phishing cyber insurance coverage disputes that run counter to earlier decisions by the Fifth and Ninth Circuits. The facts in the cases below are distinguishable, but the divergent rulings are worthy of further discussion.
- Covered claim – Medidata Solutions, Inc. v. Federal Ins. Co., 729 Fed. Appx. 117 (2d. Cir. 2018).
- Covered claim – Amer. Tooling Ctr. Inc. v. Travelers Cas. & Surety, 895 F.3d 455 (6th Cir. 2018).
- Not covered – Taylor & Lieberman v. Federal Ins. Co., (9th Cir. 2017).
- Not covered – Apache Corp. v. Great American Ins. Co., (5th Cir. 2016).
What do these decisions mean for companies? Not only do courts seem more receptive to the harms caused by identity theft, courts are delving into the factual details of computer scams and frauds when resolving cyber insurance coverage disputes.
Pennsylvania Supreme Court sides with employees
In late November 2018, the Pennsylvania Supreme Court held that the Univ. of Pittsburgh Medical Center failed to exercise reasonable care in safeguarding employees' personal information stored on an internet-accessible computer system. The Court also allowed the plaintiffs to recover economic damages on a negligence theory under the state's economic loss doctrine. The court acknowledged it was applying an existing common-law duty to a novel factual scenario rather than creating a new duty of care. Because the employees had to provide personal information to their employer as a condition of employment, employers have a duty to exercise reasonable care in the protection of that data.
Illinois Supreme Court protects consumer biometric data
Last week the Illinois Supreme Court unanimously held that individuals do not need to allege or prove actual damages or harm to maintain a private right of action under the Illinois Biometric Information Privacy Act when a private entity fails to comply with the statute’s requirements. The ruling upholds privacy rights of individuals in their unique biological information as defined by the Illinois statute. For a deeper discussion on the Illinois ruling, see Anne Mayette’s and Terry Potter’s article on the decision.
The effects of GDPR enforcement actions and fines will influence US corporate behavior. The EU has a long-arm of jurisdiction too.
In 2018, there was a significant amount of attention (and anxiety) over GDPR's implementation. The first GDPR enforcement action was brought by the UK's Information Commissioner's Office (ICO) against Canadian-based AggregateIQ (AIQ). The ICO ordered AIQ to delete the personal data of UK residents stored on its network; if the company fails to comply with this order, it could be subject to a fine of €20 million. In January 2019 France's La Commission Nationale de L'Informatique et des Libertes (CNIL) fined Google €50 million. Google's fine is the largest GDPR penalty issued by a regulator to date.
What should a US company expect when it comes to GDPR enforcement? As the penalty against Google shows, GDPR enforcement can be brought against any foreign company that processes the personal data of individuals residing in the EU. US companies that offer goods and services to individuals in the EU, that have an establishment within the EU, or that monitor the electronic behavior of individuals in the EU are subject to GDPR enforcement.
Evolving threats and expanding liability will push companies to minimize the data they retain. Companies need to drain their digital swamps.
In recent years, as data storage capacities rose and costs fell, companies and individuals fell into the habit of saving everything. Most of us have become digital hoarders, either at work or at home. But in the face of data breaches and expanding liability (judicial and regulatory), companies need to reassess their data retention practices – if only to reduce the quantity of data that is vulnerable to attack.
Information governance policies are an effective tool to meet this goal, and they go hand-in-hand with a company’s eDiscovery practices. As our eDiscovery team leader Megan Scheiderer advised General Counsels in 2018, company legal departments responding to lawsuits, document subpoenas or government investigations are overseeing the data collection and production processes. Information governance committees and policies can help companies get their digital houses in order to mitigate the risk of future legal and regulatory compliance actions.
Food for Thought. There is little "good" news in this post, and the tasks and threats can feel overwhelming. We know that cybersecurity and data privacy are difficult challenges, but advice and resources are available to help companies navigate the process and respond to threats as they arise. Husch Blackwell's data privacy, cybersecurity and breach response team is ready and able to help our clients face these challenges.