A few years ago, a Chicago-based medical records company called Allscripts was the victim of a malware attack. Hackers were able to break into the company’s computer systems and encrypt files, making it impossible to read the patient records stored on the company’s systems. The hackers demanded payment in bitcoin to release the files.
Allscripts decided not to pay the ransom. While their IT team worked to restore records from their backup system, about 1,500 clients were unable to access files. Even though the company was able to restore the records, one of the affected clients, Surfside Non-Surgical Orthopedics in Boynton Beach, sued Allscripts in federal court. Surfside accused Allscripts of not doing enough to prevent the attack or lessen its impact and sued on behalf of all affected clients for “significant business interruption and disruption and lost revenues.”
RELATED: Take the Free Online Cybersecurity Risk Assessment
Unfortunately, such lawsuits aren’t uncommon. There are many hacker techniques to watch for, and when a cybercriminal breaches a company’s IT systems and steals customer data, the legal ramifications can be felt for a very long time. Civil liability following a cyberattack can include monetary compensation for economic losses incurred by your clients and customers.
But should big enterprises be the only ones to worry about it? Not according to a recent article in Forbes:
Cybersecurity statistics can be scary. The good news is that there are legal protections for companies that are the victims of cybercrime.
RELATED: Actionable Steps to Help Secure Your Data — Cybersecurity Handbook
Here is a summary of Midwest state data protection and data breach laws in our home bases of:
Here is a summary of state data protection and data breach laws in our home bases of Ohio, Wisconsin, Illinois and Indiana.
If a business that operates in Wisconsin experiences a data breach, it must notify the individuals whose personal information was accessed no later than 45 days following the date of discovery (unless the breach did not create a material risk of identity theft or fraud).
Financial institutions, medical businesses and tax preparation businesses — or anyone under contract with such businesses — must erase or make such personal information unreadable before disposing of it. Individuals may sue businesses for damages resulting from the leak of personal information including medical records, bank accounts and tax returns. Businesses may be fined up to $1,000 per violation.
In Illinois, the Personal Information Protection Act encourages businesses to encrypt or redact personal information stored on their computers. Under the Act, businesses are required to “implement and maintain reasonable security measures” to protect personal information from being breached. However, there have not been any cases interpreting what that standard really means.
Illinois also put privacy rules in place for biometric information. The Biometric Information Privacy Act requires businesses to protect biometric information in the same manner as it would for confidential and sensitive information. The Illinois Consumer Fraud and Deceptive Business Practices Act allows for civil penalties of up to $50,000 for each offense, with additional data breach penalties for certain situations.
Businesses in Indiana are required to implement and maintain reasonable procedures to protect personal information from unlawful use or disclosure. An intentional violation could result in a civil penalty of up to $150,000 per violation. In the event of a data breach, Indiana requires businesses that own or license personal information to notify individuals when their unencrypted personal information has, or may have been, accessed as a result of the data breach.
The Ohio Data Protection Act went into effect in early 2019 and encourages businesses to put cybersecurity technology and policies in place by providing safe harbor protections. In other words, the law provides a legal defense if a business can show that it implemented reasonable information policies and security controls to protect customer data.
Ohio has a safe harbor law to protect companies from civil litigation. Under the law, damages cannot be imposed if a state court finds your company had a reasonable cybersecurity plan when a breach occurred and followed it to the best of your ability. Or, as the legislation puts it, the law is “an incentive to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”
California and Colorado have similar laws but impose punitive measures if a business fails to put reasonable controls in place. Ohio is the first such law to reward a company or organization for taking steps to protect customer data. The obvious question is, what constitutes a reasonable and enforceable cybersecurity policy? The law provides several well-known and established best practice guidelines, beginning with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The United States does not have one comprehensive law regulating the protection of personal information. However, many industries are subject to specific data protection regulations, such as the Financial Modernization Act (The Gramm-Leach-Bliley Act), which requires financial institutions to protect the confidentiality of its customers’ personal information. Financial institutions must put in safeguards to protect against data breaches and anticipated threats or hazards to the security of customer information.
In addition, the Federal Trade Commission Act prohibits unfair or deceptive practices in the marketplace. The FTC can take enforcement actions against companies that fail to comply with their own privacy policies and for the unauthorized disclosure of personal data, often resulting in multi-million-dollar fines. General Data Protection Regulation (GDPR) fines up to $10 million euros also need to be considered for those conducting business internationally.
So, can your business be sued for a data breach? Yes. If your business is hacked, the loss of revenue and harm to your reputation may be just the beginning of your troubles.
Following an embarrassing and public cybersecurity breach, Capital One agreed to pay $190 million for a 2019 data breach. Morgan Stanley settled at $60 million to pay for its data security breach. Healthcare giant Anthem was fined $16 million in addition to the $115 million it paid out to settle the class-action data breach lawsuit.
Some insurance carriers provide cyber insurance to help protect your business against losses, but it’s important to understand exactly what an insurance policy will cover, such as data held by vendors and whether the insurer will cover costs for legal advice or defense in the event of a lawsuit. Even with insurance, it’s critical to take every precaution possible to protect your organization from a breach in the first place.
A detailed cybersecurity policy and up-to-date IT protocols can protect you from an attack and the legal troubles that come with it. And you don’t have to be a global enterprise to achieve world-class security. With Elevity’s proactive cybersecurity solutions, even small businesses can leverage the latest technologies and 24/7 protection. Our experts will perform a full security sweep to identify threats and weaknesses and develop a solution.
Not sure how your data security rates? Take our free online risk assessment to see where vulnerabilities may lie. Then, contact the cybersecurity experts at Elevity about our advanced services. It could be the difference between surviving a cyberattack or losing everything in a protracted, costly litigation.
