Lessons from Equifax and Uber – Shining the Spotlight on Data Breach Incident Responses

by Elena A. Lovoy and Peter L. Cockrell

The year 2017 may have been the tipping point in data breach incidents. In September 2017, Equifax Inc. disclosed a breach exposing the names, Social Security numbers, birth dates, home addresses, and driver’s license numbers of more than 140 million consumers. Two months later, Uber Technologies Inc. disclosed it had paid cybercriminals a $100,000 ransom to destroy data they stole in 2016, including the telephone numbers, email addresses, and names of 57 million Uber drivers and riders. While Equifax and Uber were stealing headlines, Anthem, Inc. reached a record $115-million class action settlement stemming from a 2015 breach that compromised the data of 80 million consumers.

These incidents will likely lead to increased data security and breach notification requirements in 2018, as well as heightened expectations from consumers, lawmakers, and others for companies’ cybersecurity programs and data breach response plans. Indeed, Alabama may soon become the only remaining state without a data breach notification law. Alabama’s outlier status does not mean that Alabama financial institutions are out of the spotlight. Alabama financial institutions can learn valuable lessons from other companies that have successfully or unsuccessfully navigated cybersecurity incidents.

State Developments

South Dakota

Alabama and South Dakota are the only states that have not adopted a data breach notification law, but that may change in 2018. South Dakota Senate Bill No. 62, if passed, would establish a data breach notification law in the state with requirements similar to those currently found in most other states.

North Carolina

The North Carolina Attorney General has proposed legislation to amend the state’s existing data breach notification law. Although the legislation has not yet been introduced in the state legislature, a summary of the proposal has been released. If the proposed changes are adopted, including one requiring that companies notify affected individuals within 15 days after discovering a breach, North Carolina would have one of the toughest state data breach notification laws in the country. Many companies will find such a short notification deadline difficult to meet. The proposal would also expand the definition of “breach” to include ransomware attacks.

Federal Developments

The recent breaches may also finally spur developments at the federal level. The Cyber Breach Notification Act of 2017 was introduced in the House in October 2017 and the Data Security and Breach Notification Act was introduced in the Senate in November 2017. Both proposals would establish a nationwide standard for data breach notifications that would preempt the current patchwork of state breach notification laws.

Case Law Developments

Legislators and regulators have not monopolized the spotlight in the data breach landscape. Two important cases in 2017 addressed the application of the attorney-client privilege and work-product protections to a company’s data breach response plans. Federal courts in Oregon and California reached different holdings under similar circumstances regarding whether the companies would be required to produce reports created by third-party computer forensic firms. The California court found the protections applied when the forensic firm was hired by outside counsel in response to a data breach. However, when the company hired the forensic firm directly, the Oregon court found the protections did not apply. Considering the high costs of litigation stemming from data breaches, how courts apply attorney-client and work-product protections and how companies respond to these breaches will continue to be crucial.

Predictions for 2018

Lawmakers seldom relinquish the spotlight and the opportunity to push for reform, so we are likely to see new data breach requirements adopted in 2018. The New York Department of Financial Services’ cybersecurity regulation became effective in March 2017. Other state regulators considering comprehensive cybersecurity regulations will likely refer to the New York regulation. Although meeting this high bar is not yet required for all companies, some of the requirements under the regulation are increasingly being viewed as best practices. Companies that market to or process the information of European Union data subjects must prepare for the May 25, 2018 effective date of the EU’s General Data Protection Regulation. As the requirements continue to change, companies must ensure that they properly balance required consumer protections and the realities of responding to cyber incidents.

Elena A. Lovoy is of counsel in the Birmingham office of McGlinchey Stafford and concentrates her practice in banking, mortgage lending and servicing and other consumer financial services, and data privacy issues. Peter Cockrell is an associate in the Washington, D.C. office of McGlinchey Stafford and advises financial institutions and service providers on financial services regulatory and compliance matters at both the federal and state levels.