Litigation Associate Craig Hoffman’s remarks concerning legal and regulatory requirements for data security breaches appeared in the October 2011 issue of Columbus C.E.O. (“Cyber Security”).
The article examines the costly effects many companies incur after a data breach. Because data breaches continue to occur and commercial general liability (CGL) policies generally exclude coverage for them, more businesses are protecting themselves with cyber liability policies.
The article explains that legal and regulatory requirements in particular need to be considered in the event of a data breach. Currently, federal law only requires healthcare providers and financial institutions to notify victims of data security breaches, but new legislation may change that. “Several current proposals would broaden the federal definition of personal information and the notification requirements,” says Hoffman.
Ohio is among 46 states with their own notification procedures. Its law applies to individuals, businesses and not-for-profit entities that conduct business in the state and collect or maintain electronic personally identifiable information (PII) about Ohio residents. “If the owner of PII of an Ohio resident learns that their electronic information was accessed without permission, they must notify the resident within 45 days of the breach,” Hoffman says.
Yet, individual Ohioans can’t file a suit against organizations that do not properly notify them if their PII is breached. “The law provides no private right to sue. It only allows the state attorney general to sue,” Hoffman says.
Individuals do have legal recourse, though, through class action lawsuits. “In large national breaches, class actions are filed almost immediately. But almost 100 percent of them are thrown out because it’s very difficult to show the direct harm. To have standing, you have to show direct harm and actual damages, and then prove it was because of that specific data breach,” Hoffman says.

Some breaches, however, require no notification. “Determine what the hacker had access to. Did they take any information out? That matters because of the ‘risk of harm’ trigger. If the hacker got in, but didn’t take anything out, there’s no risk of harm to the consumer and so notification is not required,” Hoffman says. “Often, though, forensic experts can confirm what was taken. It’s best to err on the side of caution because the penalties are not to be ignored.”
In fact, Ohio imposes a daily noncompliance fine. “The fine is $1,000 per day for the first 60 days you’re found not to be in compliance. After 60 days, it’s $5,000 per day. After 90 days, it’s $10,000 per day. The fines apply only if the attorney general finds reckless or intentional failure to comply,” Hoffman says.