The recent global cyber-attack underlines the growing risk of cyber-attacks around the world and the issues facing the risk and legal community. Cyber-attacks threaten businesses and organizations on a daily basis, and the addition of ransomware to the mix underlines the threats facing organizations, businesses and governments worldwide. Companies and organizations also need to realize that cyber-security vulnerabilities are not the only thing they should be concerned with. Data privacy obligations and IoT applications matter too.
Data privacy, though not always a cyber-security matter, becomes one when personal data is accessed by unauthorized parties. IoT likewise becomes a cyber-security matter when a connected device is compromised, allowing unauthorized access to data or unauthorized use of the device itself. Companies now face liabilities from IoT breaches that did not exist a few years ago. It is time that the risk management industry as well as the legal community recognized the impact that cyber-attacks have not only on data privacy but on IoT-based products too.
1. Cyber-Security Concerns
As cyber-security has been placed on the front burner by the global attack as well as recent credit card breaches, more and more emphasis has been placed on data protection by various authorities. For instance, the European Union (EU) has passed the General Data Protection Regulation (GDPR), which applies from 25 May 2018. Many Asian jurisdictions, such as Korea, Singapore and Hong Kong, have also updated their data privacy laws and regulations. The US, however, has left cyber-security standards for data protection less clear: common law negligence, HIPAA, the Gramm-Leach-Bliley Act and FTC enforcement are all used in a piecemeal way to safeguard personal data and protect people from cyber-attacks.
Unlike the US with its many fragmented laws, the GDPR will be the definitive source of data privacy law in the EU. Note that the GDPR does not prescribe specific security technologies; it requires companies to implement "appropriate technical and organisational measures" in light of the state of the art, the cost of implementation and the risk to the individuals concerned, citing pseudonymisation and encryption as examples. In practice, companies falling under the GDPR, as well as those in other jurisdictions with similar regimes, will have to carefully consider what data should be collected at all, what data needs protection, and what cyber-security measures are reasonable for the risk involved, and be able to document that assessment.
2. Data Privacy Concerns
It has become obvious to many that, despite best efforts, companies may still be attacked and suffer a breach. Personal data may still be stolen. Some jurisdictions have data privacy laws in place that mandate disclosure of the breach to authorities. Companies must also consider if and when to report the breach and/or unauthorized access to personal data to investors and even to the media or the public.
Under the GDPR, a company that has suffered a personal data breach must report it to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Notification of the affected individuals is also required where the breach is likely to result in a high risk to them, though it can be avoided if the company can show that it had applied measures (such as encryption) that render the personal data unintelligible to unauthorized persons. A practical caveat: this exemption only holds if the encryption keys were not also exposed in the breach, so key management and the ability to prove which data was encrypted with which keys should be part of the incident response plan.
In the US, no uniform federal law or statute mandates notification of a data breach to authorities, but a number of states have data breach notification laws that cover certain kinds of data such as Social Security numbers and credit card information. The following summarizes the elements common to these statutes and some of the variations from state to state, and emphasizes the need for comprehensive company-wide data protection and management programs.
Personal Information: companies with records of consumers’ identifying information must take steps to safeguard the information or be exposed to liability.
FL, CA, CT, DE, IL, LA, MN, MT, NE, NJ, RI, TN, TX, WA: first name or initial + last name + Social Security or Driver’s License or State ID or Bank Account/Credit/Debit Card Number with access code
AK: adds medical information
GA, ME: any information that puts individual at risk for ID theft
ND: adds Employer ID, DOB, mother’s maiden name, digital signature
NY: Any identifying information together with ID/Credit Card number and access code
HI, MA, WI: include written as well as electronic data
Breach of the Security System: any suspected unauthorized acquisition of compromising personal data mandates investigation and may require notification of affected individuals
CA, DC and 19 states: “unlawful and unauthorized acquisition” of even a small amount of data that “materially compromises the security, confidentiality, or integrity of personal information.”
AZ, ID, NE, OR, TN, FL: any breach that “materially” compromises personal info
CT, IN, ND: any “unauthorized access to” or “acquisition of” computerized data
LA, HI, MA, MT, NY, NC, OH, PA, WY: “unauthorized acquisition” of data that “creates a substantial risk of identity theft”
NY: lists specific factors to determine if personal info has been acquired by unauthorized persons, such as a lost computer
Investigating the Data Breach: the company must determine if a breach has occurred
FL, LA, AK, OR: Business must document “appropriate” investigation to “reasonably” determine that no breach occurred; Documents must be maintained for 5 years; Failure to document or to maintain documentation: $50,000
Ten states: require a “reasonable investigation” to determine misuse of personal info
Providing Notice: if the company cannot reasonably determine that no harm has occurred, it must notify the affected individuals
FL, similar in 22 states without specific time frame: “notification shall be made without delay, consistent with the legitimate needs of law enforcement . . . . [M]ust be made no later than 45 days following the determination of the breach”
28 states: notice in “the most expedient time possible,” and “without unreasonable delay”
3. IoT Issues and Concerns
In the US, regulators have noted the security concerns that consumers face when using IoT devices. These include unauthorized access to and misuse of personal data, safety risks and even facilitating cyber-attacks on other systems, for example when compromised devices are recruited into botnets used for distributed denial-of-service attacks. IoT devices combine sensors with network connectivity: the sensors collect environmental and activity information, the device sends it over the internet to back-end data centers, and those back ends in turn provide analytical feedback and remote control of the device. Basically, IoT devices are consumer- or industrial-oriented products that have been turned into smart devices, allowing information gathering and management of the device through software. Consider this: even cars are now IoT devices.
Though the majority of people have a favorable impression of IoT devices, manufacturers of such products are not discussing the risks inherent in the technology. It has recently been estimated that almost 75% of all IoT devices are vulnerable to attack. Though the number of devices that could be compromised is astounding, the IT industry is not warning society in general about the potential dangers of using them. To make matters worse, those in the risk management industry are not raising the alarm that they should, whether for lack of understanding or otherwise, even as IoT dangers are about to collide with the global push for the protection of personal data.
It is therefore urgent that society, as well as corporations and organizations involved with data privacy and the IoT, have broad-based discussions on the benefits and risks of IoT devices. Risk managers, CIOs, software engineers, in-house counsel and board members must all take the data privacy risks inherent in IoT technologies seriously and take steps to minimize the risks posed by cyber-attacks and the misuse of data.
Recommendations