FOUR WAYS TO LIMIT LIABILITY FROM A CYBER SECURITY BREACH

On November 24, 2014, Sony Pictures Entertainment became aware that its company's computer systems had been hacked by a group known as the "Guardians of Peace." In the following weeks, Sony had five of its movies (four of which had not yet been released in theaters) uploaded to file-sharing websites, personal emails from company executives criticizing public figures published, and the confidential medical records of employees released, Additionally, the company received a terror threat surrounding the premiere of The Interview, starring James Franco and Seth Rogen. 

Subsequently, Sony cancelled the release of The Interview. (At the time of this writing, the hack has been linked to North Korea, whose government disapproved of the films ending). The full extent of the confidential and personal information obtained about Sony employees is unknown. A full timeline of the hack's aftermath can be found here.

Sony Pictures Entertainment's security breach highlights the increasing importance of a business' cyber security in today's world. Such a cyber attack exposes a business to immense liability concerns. In fact, a class action lawsuit has already been filed on behalf of 15,000 Sony employees who had private information (such as social security numbers) released. A particularly scathing IT assessment conducted by Sony several months prior to the hacking is likely to play a central role in that litigation, as it is arguably evidence of the company's knowledge of cyber security weaknesses. So what can businesses do to protect themselves against some of the legal backlash from such attacks?

1. Have a cyber security system- It goes without saying, but having some cyber security system in place is better than no system at all. Ideally, the system's strength will be directly proportionate to the sensitivity of the information the business stores. That is why certain industries (like the financial and medical industries) have statutory security  measures which must be complied with. Simply put, Congress did not want to allow businesses in those industries to cut corners, as complex cyber security systems can be expensive. Aside from those industries, most businesses hold sensitive information such as credit card data which must be secured. Last year, Target was hacked and some 40,000,000 customers' credit card information were stolen. By having a system in place in the event of a security breach and subsequent lawsuit, a business can argue that it took reasonably necessary measures to secure its sensitive data in order to limit or avoid liability. 
2. Routinely test the cyber security system- This goes hand in hand with the first point, because what good is having a cyber security system if it becomes ineffective. Unfortunately, it can happen. As hardware and software are updated, as they should be regularly, vulnerabilities can become exposed which were once previously hidden. Therefore, its imperative for a business to test its cyber security system regularly. Failure to do so may constitute evidence of not taking the reasonably necessary measures to protect sensitive information.
3. Determine the length of time that sensitive data will be stored- Sensitive data doesn't need to be held on to forever.  Some industries, particularly finance, are regulated in terms of how long they must retain specific data. Understandably, many businesses  in other industries retain some data for client convenience (i.e. saved credit card information). However, any stored sensitive data is also a potential liability. A business should weigh its liability risk for retaining certain data with the data's necessity. 
4. Disclose the breach- The vast majority of states require that a business disclose a security breach that involves the loss of personally identifiable information (social security numbers, drivers license info, etc.). From a legal standpoint, once a business has such a security breach, one of the worst things it can do is not disclose the breach to the mandated entity/agency/persons. This may include disclosure to more than just the persons potentially affected by the breach. By failing to disclose the breach, a business is statutorily incurring liability in addition to its existing and potentially large amount of liability resulting from the breach. Take a look at this site for links to the 47 State security breach disclosure laws.

Following these four suggestions will aid a business in limiting its liability should a security breach occur. Hopefully, your business is never breached like Sony Pictures Entertainment was.

---