No one doubts the consequence of a data breach — especially when it exposes the personal details of a third of the country’s workforce, as this year’s data breach at credit reporting agency Equifax did.
But the consequences for the company itself are not spelled out in any formal sense.
That’s something Karen Randall, founder and chair of the cybersecurity and data privacy practice at Connell Foley, sees changing in the near-future.
In the absence of an established protocol for the treatment of companies that allowed vulnerabilities to expose sensitive information, Randall said a company such as Equifax has, in the wake of its breach, shown "a lack of a moral compass."
She was referring to reports that the 143 million people affected by the breach had to agree to fine print binding them to mandatory arbitration when they signed up for the credit monitoring service Equifax offered as part of its response to the incident.
It led to some controversy, with the company eventually stating that the arbitration clause didn’t apply to the breach. It also said it would allow people to opt out of the provision, but only if notified by mail within 30 days of enrolling in the service.
“It’s just one of the ways that this response was handled horribly,” she said. “As far as where this is going to take us, I expect it may inspire change in both public policy and law, and hopefully in a way that’s more uniform than what’s out there now.”
New York Gov. Andrew Cuomo, in reaction to the Equifax incident, proposed new regulations for credit reporting agencies modeled on those that banks and insurance companies are subject to through the New York State Department of Financial Services, which has added cybersecurity compliance requirements more robust than anywhere else in the country.
Randall anticipates more sweeping changes are on the horizon, possibly with New York’s policy being used as a model.
“I also found it interesting that the FTC usually doesn’t comment on these matters, but they did in this Equifax breach,” she said. “They’re undertaking an active investigation, which once again could cause a robust response in Washington.”
David Opderbeck and John Wolak, cybersecurity experts who both have roles in the Business and Commercial Litigation department of Gibbons P.C., also expect to see an increase in regulatory involvement in this area.
For the time being, regulations involving data protection come to bear only on certain industries — such as health care providers tasked with protecting patient information — and in certain situations.
“But there’s no general federal cybersecurity framework,” Opderbeck said. “So, it’s a classic thing lawyers talk about, the patchwork of regulations.”
Opderbeck added that there has also been no sign of a slowdown in regulatory bodies investigating this issue under the new administration.
“Data privacy is really an apolitical issue, not a Democrat or Republican issue,” Wolak said. “It’s also a national if not a global issue. And recent experience has demonstrated that vulnerability knows no bounds.”
Perhaps more of a stumbling block is the area of case law regarding data breaches, even if recent developments are being seen there, too. Opderbeck summarized the complications involved on the legal side of this issue:
“In order to get into court, there has to be live controversy with past or imminent harm to someone. The main harm here is people’s information was snatched. And we have to look at how a consumer is really harmed by that, because there may not be out-of-pocket loss that would count as loss in a legal sense.”
That demonstrable injury is what courts are currently looking for, Wolak said, with recent cases applying a standard of loss that requires more than something speculative.
Michael O’Mullan, a partner at Riker Danzig Scherer Hyland & Perretti LLP, said there’s no more uniform approach in the courts to addressing the issue of cybersecurity than there is in the country’s regulatory framework — which hasn’t changed since his firm’s expertise was called on around 2011 after a significant attack on a major multinational electronics manufacturer.
“But there are certain standards that seem to apply nonetheless,” he said. “We’ve all seen what happens when CEOs get dragged in front of Congress — they’re tested on what steps a company took to secure its resources.”
Brian O’Donnell, another of the firm’s partners, added that there’s another way that the policies surrounding cybersecurity are becoming more uniform in a sense. It has to do with the data protection rules that have been formulated in places such as the European Union, where a reform initiative has put broad-based protections on private information.
“When companies, especially multinationals, go through steps to develop a cybersecurity plan, they’re going to do it from a global perspective,” O’Donnell said.
O’Donnell expects that the U.S. itself will slowly come to develop a more cohesive framework for dealing with these issues.
“Hackers are going to keep finding ways to get around technology, because it’s profitable,” O’Donnell said.
Law firms face data breaches, too
Douglas Zeltt, office managing partner at Fox Rothschild LLP, pointed out the obvious: that a law firm itself has no immunity to data breaches.
“The notion of a data breach is paramount on everyone’s mind in the business of lawyering; many of the issues we face in our own law business are centered around privacy and technology,” he said. “And, like most businesses, we’re dealing with it internally as a firm, too.”
In fact, the legal sector is trusted with some of the most sensitive information of any industry, even if it’s not the same sort of consumer data a credit reporting agency like Equifax would have.
Brian O’Donnell, a partner at Riker Danzig Scherer Hyland & Perretti LLP, explained that a law firm such as his does its best to protect that data … not that it has a choice in the matter.
“It’s something we would do anyway because we value clients, but in addition to that, we have clients in the financial services industry … so we frequently have to undergo compliance testing with our clients’ vendors to show that we’re providing the same level of security to data as they are in their offices,” he said.
A variety of third-party security vendors test the law firm’s systems so that they match the cyber policies of the large clients the firm works with.
That old adage of practicing what you preach also comes to mind.
“It’s something we have an ethical obligation to do,” said Michael O’Mullan, who works alongside O’Donnell. “We’ve got to look to our own security and do the same things we (advocate) to other businesses.”