It was recently revealed that Amazon inadvertently exposed names and email addresses of some of its members due to a technical issue. Since the initial release the company has not provided much more detail. This leads some to wonder, what are Amazon’s legal obligations at this point and what can a Florida business learn from it?
The response varies with respect to its duties externally as opposed to internally. International legal authority aside, Amazon may have no obligations to those whose names and email addresses were released. The Florida Information Privacy Act, Fla. Stat. Section 501.171, requires various entities, including businesses, to notify individuals when there is unauthorized access of electronic data containing personal information. However, a name and email address alone does not meet this standard. Instead they must be combined with some other personal information to require notification.
Internal requirements are a bit more nuanced. Although Amazon is an international retail behemoth, its internal obligations might not be far off from a home-based internet company. The Florida Information Privacy Act requires covered entities to “take reasonable measures to protect and secure data in electronic form containing personal information.” In other words, the first requirement is to stop potential data compromise and then determine what happened and what, if any, data was compromised to ascertain if the business must prepare a data breach notification.
- Time is of the essence.
Organizations should act quickly. In Florida, data breach notification must occur within 30 days. However, if any customers are members of the European Union, then the EU’s General Data Protection Regulation (GDPR) may apply, meaning that the company must notify particular authorities within 72 hours from the time it learns of a personal data breach.
This is all easier said than done. These responsibilities require IT professionals to ensure the data is secure and adequately identify a source of unauthorized access. The subsequent investigation requires sensitivity because internal communications will likely be discoverable in a subsequent legal proceeding. However, an organization may protect itself by retaining external legal counsel to lead the investigation and for that counsel to retain an IT company to conduct the forensic investigation. This counsel may be retained through the cyber security insurance providers, or separately.
- Take proactive steps to prevent a data leak.
Not only can early planning reduce the likelihood of a breach, it also demonstrates due diligence if an organization is compromised by a sophisticated threat actor. Therefore, organizations should protect themselves by developing a cybersecurity policy and preparing an incident response plan as part of their normal procedures.
Organizational leaders should follow the lead of the Securities and Exchange Commission and the Federal Government, which require boards of directors and governmental departmental leaders to be involved with cybersecurity planning.
- When do data breaches lead to litigation?
It is difficult to anticipate every data breach, because the vectors of cyber incidents are many; however, a few common threats provide illustrative examples. One potential trap that could lead to litigation springs from malicious insider actions. This occurs when a user with access to data compromises information to lash out against an organization. The insider may place confidential information on websites, export data to competitors or open ports to allow cyber criminals to enter.
To minimize this threat, organizations should incorporate human resources and IT policies that define the appropriate credentials needed to access certain data and ensure confidential information is only accessible to users who need the information. Additionally, companies should have an insider threat program in which the organization monitors employees and quickly terminates data access if necessary or upon termination of the employee.
Another threat to data security can be found in vendor agreements that fail to spell out data ownership and protection responsibilities. An organization can establish internal cybersecurity protocols and have well-trained employees, but third parties may still place its data at risk. For example, Facebook was mired in controversy when Cambridge Analytica used data obtained through a third-party Facebook application. These issues arise when vendors have access to customer data or the company’s network. Organizations should ensure agreements delineate the data being transferred, who owns the rights to the data and the cybersecurity data protection protocols that apply. Organizations should also consider not only carrying cybersecurity insurance themselves, but also requiring those who can access their data to likewise maintain cybersecurity insurance.
The ability to access data in electronic form remains a relatively new frontier, filled with possibilities while also being fraught with risk. Organizations can take advantage of these opportunities while mitigating the risks by designing data privacy policies, programs and internal practices that protect data as a valuable asset. Those that do so not only protect themselves but also can make themselves more valuable to their customers and partners by demonstrating that they are a reliable organization, one with which others want to do business.
Jacey Kaps and Steve Berlin are attorneys at Rumberger Kirk & Caldwell. Kaps is a partner in the Miami office, where he provides guidance on cybersecurity risks. He also holds the CIPP/US accreditation and the designation of Payment Card Industry Professional (PCIP) from the Payment Card Industry Security Standards Council. Contact him via email, email@example.com. Berlin is an associate whose practice focuses on the legal impacts of technology. He may be reached at firstname.lastname@example.org.