It’s no secret that data breaches are becoming more and more common as sophisticated hackers penetrate corporate and governmental networks at what seems to be a breakneck pace. No business or institution with an internet connection is immune, and the frequency and severity of such attacks keep increasing. Target, Anthem, Sony and JPMorgan Chase have all been the targets of massive, and very public, data breaches in the last few years. The recent U.S. Office of Personnel Management data breach may have resulted in the theft of personal information of every single federal employee.
All entities, public and private, should be aware of the dangers of these types of attacks and the liability they can incur with respect to their security protocols and their response to a breach. The Ponemon Institute, a research center that studies privacy and data protection, recently released the 2015 Cost of Data Breach Study: Global Analysis, which found that the average total cost of a data breach for a business is $3.79 million, a 23 percent increase since 2013. A 2014 study by the Center for Strategic and International Studies determined that the global overall cost of cybercrime was between $375 and $575 billion, and that the United States’ share of that figure exceeded half a percent of its gross domestic product.
Not only can the failure to protect sensitive information expose entities to suit by those affected; federal and state laws can also levy penalties and sanctions for failure to adequately prevent breaches of private data. For instance, there are stringent technical standards and potentially drastic penalties for healthcare entities that store electronic patient health records under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Those patient records are subject to the HIPAA Security Rule, which provides specific notice provisions in the event of a data breach and significant monetary penalties for compliance failures. Financial penalties can be as high as $50,000 per HIPAA violation if the violation is due to willful neglect and is not corrected within thirty days, capped at $1.5 million annually. These provisions apply not only to healthcare entities but to their business associates as well, since business associates may also receive, handle and transmit protected health information.
The Gramm-Leach-Bliley Act (“GLBA”) governs financial institutions’ handling of personal information, prescribing that each agency develop a set of administrative, technical and physical safeguards for the protection of private data. This law doesn’t go as far as HIPAA in specifying standards, but the penalties are just as severe, if not more so. Financial institutions can be fined up to $100,000 for each violation, while officers and directors can be personally liable and fined up to $10,000 for each violation. Knowing and intentional violations may carry a criminal penalty of up to five years in prison. GLBA violators may be subject to double fines and up to ten years in prison if the violations occurred alongside a violation of another federal law, or if the violations were part of a pattern of illegal activity that involved more than $100,000 in a year.
More federal liability could be forthcoming as well, as Congress wrestles with how to handle data breaches and personal privacy when corporations hold sensitive information. The Personal Data Protection and Breach Accountability Act of 2014 (S.1995), which failed to pass out of the Senate last year, would have imposed requirements similar to those in HIPAA and GLBA on all business entities conducting interstate commerce and handling sensitive personally identifiable information. Its provisions would also have required notification of data breaches and set penalties of up to $200,000 per violation.
With the looming menace of cyber attacks and data breaches on one side and potential federal and state liability on the other, business entities find themselves in a very precarious situation. Even simple transactions may someday subject companies to significant liability.
Business entities are not without resources, however. In 2014 the U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”) released its Framework for Improving Critical Infrastructure Cybersecurity (“Framework”) to help organizations, regulators and customers create, assess and improve their cybersecurity. Created as the result of an executive order, the Framework consists of a set of guidance designed to address and manage cyber risk in a cost-effective way.
The Framework has three parts that fit together to complement an organization’s cybersecurity risk management process. The first component, the Framework Core, provides a set of activities and desirable outcomes based on industry standards and practices that are common across sectors of critical infrastructure. It offers an overarching, high-level view of the entire cybersecurity lifecycle organized around five functions: Identify, Protect, Detect, Respond and Recover. Each of those five functions subdivides into categories and subcategories, ending in informative references to the standards, guidelines and practices that address each specific area. In a nutshell, this component drills down from broad categories until there is enough specificity to provide practical guidance or a concrete set of standards.
Framework Implementation Tiers, the second component of the Framework, show where an organization stands with respect to managing cybersecurity risk. These tiers categorize an organization based on the extent to which its cybersecurity risk management practices exhibit the characteristics described in the Framework. The four tiers show a progression as an organization becomes more risk-informed and sophisticated in its response to threats. Organizations should determine their desired tier based on organizational goals, feasibility and the reduction of cybersecurity risk to critical assets. The tiers, however, classify goals; they are not necessarily maturity steps that every organization must achieve. Progression to a higher tier is encouraged only when an organization is at Tier 1, or when moving to a higher tier would be cost effective while reducing risk.
The final component of the Framework, the Framework Profile, is where organizations assess and understand the current state of specific cybersecurity activities and plan to meet their goals. Organizations start by creating a Current Profile, which records the cybersecurity outcomes currently being achieved. The Target Profile is the next step in the process, describing the outcomes the organization will need to achieve to meet its desired goals. The two profiles are then used to build a roadmap for reducing cybersecurity risk that aligns with organizational goals, regulations and best practices. Comparing the profiles also reveals the gaps that the roadmap must address.
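As an added illustration of the Core hierarchy and the Current-versus-Target Profile comparison described above (example code written for this article, not NIST’s or any vendor’s tooling): the script below models a handful of Core subcategories, treats each profile as a map from subcategory to the Implementation Tier at which that outcome is achieved, validates both profiles against the Core, and turns the differences into a gap list ordered by the size of the shortfall and then by lifecycle function. The subcategory identifiers follow the Framework Core’s naming scheme, but the outcome wording, the informative references and the two profiles are constructed for the example, as is the assumption that a subcategory absent from the Current Profile is treated as Tier 1.

```python
"""Toy model of the NIST Cybersecurity Framework Core plus a Current
Profile vs. Target Profile gap analysis. Added example: the outcome
text, informative references and sample profiles are constructed."""

from dataclasses import dataclass

# The five Framework functions, in lifecycle order.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
# The four Implementation Tiers; 1 is the least risk-informed.
TIERS = (1, 2, 3, 4)


@dataclass(frozen=True)
class Subcategory:
    ident: str            # e.g. "ID.AM-1" (Function.Category-Subcategory)
    function: str
    category: str
    outcome: str          # paraphrased outcome statement (constructed)
    references: tuple     # informative references (placeholder labels)


# Constructed slice of the Core: one or two subcategories per function.
CORE = {s.ident: s for s in (
    Subcategory("ID.AM-1", "Identify", "Asset Management",
                "Physical devices and systems are inventoried", ("REF-A",)),
    Subcategory("ID.AM-2", "Identify", "Asset Management",
                "Software platforms and applications are inventoried", ("REF-A",)),
    Subcategory("PR.AC-1", "Protect", "Access Control",
                "Identities and credentials are managed", ("REF-B",)),
    Subcategory("DE.CM-1", "Detect", "Security Continuous Monitoring",
                "The network is monitored to detect potential events", ("REF-C",)),
    Subcategory("RS.RP-1", "Respond", "Response Planning",
                "A response plan is executed during or after an event", ("REF-D",)),
    Subcategory("RC.RP-1", "Recover", "Recovery Planning",
                "A recovery plan is executed during or after an event", ("REF-E",)),
)}


@dataclass(frozen=True)
class Gap:
    sub: Subcategory
    current: int
    target: int


def validate_profile(profile, core=CORE):
    """Reject profiles that reference unknown subcategories or bogus tiers."""
    for ident, tier in profile.items():
        if ident not in core:
            raise ValueError(f"unknown subcategory in profile: {ident}")
        if tier not in TIERS:
            raise ValueError(f"tier for {ident} must be one of {TIERS}, got {tier!r}")


def gap_analysis(current, target, core=CORE):
    """Return the subcategories where the Target tier exceeds the Current one.

    Ordered by size of shortfall (largest first), then by function order,
    then by identifier, so the list doubles as a priority order.
    """
    validate_profile(current, core)
    validate_profile(target, core)
    gaps = []
    for ident, want in target.items():
        have = current.get(ident, 1)  # assumption: unrecorded outcome = Tier 1
        if want > have:
            gaps.append(Gap(core[ident], have, want))
    order = {f: i for i, f in enumerate(FUNCTIONS)}
    gaps.sort(key=lambda g: (-(g.target - g.current), order[g.sub.function], g.sub.ident))
    return gaps


def roadmap(gaps):
    """Group gap identifiers by function, keeping lifecycle order and priority."""
    grouped = {f: [] for f in FUNCTIONS}
    for g in gaps:
        grouped[g.sub.function].append(g.sub.ident)
    return {f: ids for f, ids in grouped.items() if ids}


# Constructed sample profiles (subcategory -> tier at which it is achieved).
CURRENT_PROFILE = {"ID.AM-1": 2, "ID.AM-2": 1, "PR.AC-1": 3,
                   "DE.CM-1": 1, "RS.RP-1": 2, "RC.RP-1": 1}
TARGET_PROFILE = {"ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 3,
                  "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{g.sub.ident:8} {g.sub.function:9} tier {g.current} -> {g.target}  "
              f"{g.sub.outcome} [{', '.join(g.sub.references)}]")
    print(roadmap(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)))
```

The informative references attached to each subcategory are what an implementer reaches for once a gap is identified, which is why they are carried through to the printed roadmap; the validation step matters because a Target Profile that names outcomes the Core does not define cannot be compared to anything.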
Overall, the Framework stresses the importance of decision-making and implementation at every level of the organization: the executive level, the business/process level and the implementation level. The NIST guidance on the Framework helpfully lays out steps for organizations to follow in implementing it.
One of the benefits of implementing the Framework is that it provides evidence that an organization used well-established industry standards in the design and implementation of its cybersecurity program. This could forestall a determination that the organization acted negligently with regard to the protection of private data.
The Framework may sound overly technical, but it is a consistent and structured response to a sophisticated and growing threat, one that businesses ignore at their peril. Financial institutions and healthcare entities (and their business associates) are already subject to enhanced penalties, sanctions and breach notification provisions, and it may be only a matter of time before all other business entities are as well. Enhanced cybersecurity is now a cost of doing business.
42 USC § 1320d-5