by Susan Kristoph; contribution by Kamil Harris & Liu Yang (刘洋). Feb 29, 2018
-- WEBSITES, APPS & PLATFORMS --
DATA BREACHES & BUSINESSES OF ALL SHAPES & SIZES -- ARE YOU PREPARED?
Unless you’ve been away on a deserted island, you’ve heard all about data breaches over the last few years.
Let’s first clear up “data breach”. There are a lot of definitions for it used by courts, federal agencies, Congress, and state governments. But here’s what you need to know, know well, and believe deeply. A data breach is when data, or access to it, ends up in the hands of, is available to, or under the control of an unintended person or entity. If someone has access to data that they shouldn’t, there’s been a breach.
While data breaches are traditionally associated with large companies and large amounts of very personal information, small businesses are named in lawsuits over data breaches too: over 200 such cases in 2017.
Yes, sometimes these are because of hacked networks, but most data breaches do not involve servers being infiltrated. MOST data breaches are caused by simple circumstances like a former employee having access to data they no longer should, or failures in simple updates, or really bad password selection and protection.
Most of what we hear about are “consumer” financial and health data breaches, and 2017 saw quite a few high-profile breaches that impacted millions of us. Equifax was one such notable 2017 breach, but it is still dwarfed by Yahoo’s 2014 breach impacting over 4 billion people globally.
And while 2017 also saw two proposed Senate Bills and three proposed House Resolutions to address U.S. operating industry’s response to data breaches, nothing came of that proposed legislation.
However, in just recent weeks, our U.S. Congress has held several media-attention-garnering hearings about data breaches. Statements, questions, and posturing suggest that a single national standard for reporting data breaches is likely.
But here’s the interesting / scary / noteworthy part – and it will take me just a few to get us there – businesses that collect data on their websites, use merchant systems to collect payments, and the web platforms that designers & developers build to collect or store data will likely be included to a greater degree in future data breach lawsuits, and have to pay much more to insure against data breach liability.
In a recent Forbes article, U.S. PIRG Consumer Program Director Ed Mierzwinski is cited as having tweeted, “that he is betting any breach legislation coming out of the Financial Services Committee will serve companies, not people.” And that’s what many consumer privacy “experts”, and even big-business insiders have been saying for some time.
But we don’t believe that’s entirely accurate, or at least, we believe it’s greatly oversimplified.
First, while we do believe that Federal data breach legislation may serve “larger” companies over smaller companies, we believe “larger” and “smaller” are terms that will be replaced on the legislative stage and legal battlefield with “more technically adept” and “less technically adept”, or some such similar wording.
And that wording and appreciation is likely to shift the onus of data protection and responsibility for it farther down the pecking order, if not almost certainly laterally.
Again, we don’t believe that will transpire from legislation. We believe the slew of data breach court decisions are what will truly determine who has the duty of care, what the duty of care will be, and how duty of care is examined when determining who is liable to plaintiffs following a data breach and the resulting lawsuits.
2017 saw no less than nine Federal cases wherein “standing” to sue following a data breach was decided upon by Courts. An oversimplified way to define standing is whether or not there is a legally recognizable reason that a person, or class of people, may prosecute a lawsuit.
Prior to 2017 – with the exception of the P.F. Chang’s and Neiman Marcus cases – courts had generally opined that plaintiffs had not been irreparably harmed by having their data stolen. But in 2017, courts – albeit split – stated that plaintiffs who have had their personal information stolen had standing, even if only from the fear of future injury, not just the potential for injury. No, I’m not going to cite the case; Google them.
Those plaintiff-positive cases -- that will likely be challenged in SCOTUS filings -- clear the steepest hurdle for future data breach lawsuits; which means there will be many more.
We also believe that Congress, and many U.S.-based businesses outside the Silicon Valley club, aren’t paying quite enough attention to what is going on in the European Union and elsewhere in the world as pertains to consumer (i.e. public) expectations surrounding how their personal information is treated.
Why do we believe this?
First, while we are a U.S. based Agency, we operate internationally, and so we simply must pay more attention than Agencies only operating in the U.S.
Next, we’ve watched U.S. data breach lawsuits carefully. And, in case after case, we were all left with little to go on in terms of clear precedent, but PLENTY of terminology relied upon and cited in judges’ and courts’ opinions.
In reading case documents (we access them, when available, from PACER), and reading articles written about those cases, the terms about the data breach and standing, the general security measures involved, and standards of duty of care all come down to some pretty simple language and questions.
Terms like: server; encryption; customer security requirements; originating website; web designer; web developer; and, expertise of all those involved.
Questions like: who “collected the customer data”; who “[everyone that] handled the customer data”; who determined “[all the] locations where customer data is stored”; and, what are the “levels of expertise of those who created the point of data collection”?
When attorneys and judges use base-level terms when discussing liability, and ask questions about base-level design, protections, and involvement, they aren’t pointing an examining finger at the CIO of a multi-million-dollar corporation.
In the European Union and elsewhere, companies handling data (like Google and Facebook, but much smaller ones too) have been hammered with duty of care impositions/standards, and U.S. customers and U.S. lawmakers are watching.
Since 2015, we have seen our insurance coverage related to data breaches increase three-fold (no, we’ve NEVER been sued, or in any way entangled in a data breach incident). We have also seen feedback from contract language consults change dramatically. And, contracts that we present to large companies have been met with new opposition to language surrounding liability and indemnification related to data breach.
It’s typical that deep pockets get sued first, but deep pockets will go after anyone that causes them to be sued. And what is obvious is that large companies, and the companies that insure them, are shielding themselves from inevitable liability via contract language and direct charges, and probably rightly so.
In most of the data breach cases from 2013 forward, the company that was sued first (i.e. where the point of sale occurred, or the company that provided the service [health ins ref]) had the deepest pockets. But, in all but a few of those cases, the web platform sitting on the server where the intrusion occurred was designed and developed by a third-party, the server was a third-party server, and there was a third-party merchant system, or a third-party CMS.
And as mentioned above, 2017 saw over 200 cases filed in state courts against small business owners, web platform developers, and content hosts.
So, what does all of this mean to businesses of all shapes and sizes that collect, store, or handle consumer data, or that design and develop websites or platforms that collect and/or store consumer data?
First, there’s applicability to business of ALL SHAPES AND SIZES! From about 2013 through 2017 (the years we looked closely at), most data breach suits were NOT class action, they never ended up in Federal Court, and you never read about them in the news. These suits were filed against dog groomers, florists, gas stations, and small restaurants.
“I’m a small business owner, and I want my web products to keep my customers’ information safe! How do I go about that?” First, don’t tell your developer that you KNOW what requirements are necessary to protect your customers and yourself from a data breach. Make them tell you! If they cannot answer you satisfactorily, and in writing, then they are not the right company for you. Also, make sure they provide proof that they are insured for data breach liability. If they cannot provide such proof, they are not a serious web products developer, and you shouldn’t trust them.
But if you are a small business owner, and your web products designer/developer tells you that your host company’s server or the commerce platform you want to use is insufficient – BELIEVE THEM!
You should also regularly engage your web master about threats, about security measures, about passwords, and about who has access to customer data, and why. If you lead from the front on data security, all those around you will take it seriously too.
If you are a web designer & developer, then product evaluations, core competencies, structure of plugins/mods/elements, and laser focus on contract language are all areas to improve upon. If you don’t have insurance, well, shame on you.
Bottom line, it doesn’t matter if you “only” sell cupcakes, or if you “only” build a tiny little e-commerce website. If you’re involved at any point in the collection or storage of consumer data, you need to take seriously the “data” and the possibilities of “breach”.