When It Comes to Cybersecurity Litigation, an Ounce of Prevention Is Worth a Pound of Cure
It was recently revealed that Amazon inadvertently exposed names and email addresses of some of its members due to a technical issue. Since the initial release the company has not provided much more detail.
February 14, 2019 at 09:20 AM
5 minute read
It was recently revealed that Amazon inadvertently exposed names and email addresses of some of its members due to a technical issue. Since the initial release the company has not provided much more detail. This leads some to wonder, what are Amazon's legal obligations at this point and what can a Florida business learn from it?
The response varies with respect to its duties externally as opposed to internally. International legal authority aside, Amazon may have no obligations to those whose names and email addresses were released. The Florida Information Privacy Act, Fla. Stat. Section 501.171, requires various entities, including businesses, to notify individuals when there is unauthorized access of electronic data containing personal information. However, a name and email address alone does not meet this standard. Instead they must be combined with some other personal information to require notification.
Internal requirements are a bit more nuanced. Although Amazon is an international retail behemoth, its internal obligations might not be far off from a home-based internet company. The Florida Information Privacy Act requires covered entities to “take reasonable measures to protect and secure data in electronic form containing personal information.” In other words, the first requirement is to stop potential data compromise and then determine what happened and what, if any, data was compromised to ascertain if the business must prepare a data breach notification.
- Time is of the essence.
Organizations should act quickly. In Florida, data breach notification must occur within 30 days. However, if any customers are members of the European Union, then the EU's General Data Protection Regulation (GDPR) may apply, meaning that the company must notify particular authorities within 72 hours from the time it learns of a personal data breach.
This is all easier said than done. These responsibilities require IT professionals to ensure the data is secure and adequately identify a source of unauthorized access. The subsequent investigation requires sensitivity because internal communications will likely be discoverable in a subsequent legal proceeding. However, an organization may protect itself by retaining external legal counsel to lead the investigation and for that counsel to retain an IT company to conduct the forensic investigation. This counsel may be retained through the cyber security insurance providers, or separately.
- Take proactive steps to prevent a data leak.
Not only can early planning reduce the likelihood of a breach, it also demonstrates due diligence if an organization is compromised by a sophisticated threat actor. Therefore, organizations should protect themselves by developing a cybersecurity policy and preparing an incident response plan as part of their normal procedures.
Organizational leaders should follow the lead of the Security Exchange Commission and the Federal Government which require boards of directors and governmental departmental leaders to be involved with cybersecurity planning.
- When do data breaches lead to litigation?
It is difficult to anticipate every data breach, because the vectors of the cyberincidents are many; however, a few popular threats provide illustrative examples. One potential trap that could lead to litigation springs from insider malicious actions. This occurs when a user with access to data compromises information to lash out against an organization. The insider may place confidential information on websites, export data to competitors or open ports to allow cyber criminals to enter.
To minimize this threat, organizations should incorporate human resources and IT policies that define the appropriate credentials needed to access certain data and ensure confidential information is only accessible to users who need the information. Additionally, companies should have an insider threat program in which the organization monitors employees and quickly terminates data access if necessary or upon termination of the employee.
Another threat to data security can be found in vendor agreements that fail to spell out data ownership and protection responsibilities. An organization can make internal cybersecurity protocols and have well-trained employees, but third parties may place its data at risk. For example, Facebook was mired in controversy when Cambridge Analytica used data obtained through a third-party Facebook application. These issues arise when vendors have access to customer data or the company's network. Organizations should ensure agreements delineate the data being transferred, who owns the rights to the data and cybersecurity data protection protocols. Organizations should also consider not only having cybersecurity insurance, but also requiring those with who can access their data to likewise maintain cybersecurity insurance.
The ability to access data in electronic form remains a relatively new frontier, filled with possibilities while also being fraught with risk. Organizations can take advantage of these opportunities while mitigating the risks by designing data privacy policies, programs and internal practices to protect data as a valuable asset. Those that do so not only protect themselves but also can make themselves more valuable to their customers and partners by demonstrating themselves as a reliable organization—one that others want to do business.
Jacey Kaps and Steve Berlin are attorneys at Rumberger Kirk & Caldwell. Kaps is a partner in the Miami office, where he provides guidance on cybersecurity risks. He also holds the CIPP/US accreditation and the designation of Payment Card Industry Professional (PCIP) from the Payment Card Industry Security Standards Council. Contact him via email, [email protected]. Berlin is an associate whose practice focuses on the legal impacts of technology. He may be reached at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllFla.'s Statute of Limitations and Statutes of Repose in Med Mal Cases: It's Not Over Until It's Over
6 minute readTrending Stories
- 1Infant Formula Judge Sanctions Kirkland's Jim Hurst: 'Overtly Crossed the Lines'
- 2Election 2024: Nationwide Judicial Races and Ballot Measures to Watch
- 3Guarantees Are Back, Whether Law Firms Want to Talk About Them or Not
- 4How I Made Practice Group Chair: 'If You Love What You Do and Put the Time and Effort Into It, You Will Excel,' Says Lisa Saul of Forde & O'Meara
- 5Abbott, Mead Johnson Win Defense Verdict Over Preemie Infant Formula
- 6How Much Does the Frequency of Retirement Withdrawals Matter?
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250