6-28-17 CHECKLIST TO AVOID LIABILITY IN THE EVENT OF A CYBER ATTACK

Posted on June 27, 2017

The digital age presents new challenges and threats for businesses that increasingly rely on new technologies and utilize electronic data for the storage of non-public personal information.  One of the most significant developments has been the rise of cybercriminals seeking to exploit technological vulnerabilities of businesses to gain unauthorized access to credit card information, social security numbers, passwords, and other critical, non-public consumer and business information.

Unauthorized access to this sensitive information can result in significant financial losses for consumers and businesses.  The increased prevalence of cybercriminal activity has moved cybersecurity to the forefront of regulatory and consumer protection enforcement actions by government entities.  State regulatory bodies have begun to promulgate laws and other rules to address deficiencies in business cybersecurity.  For instance, in early 2017, the New York State Department of Financial Services released its final rule on cybersecurity, requiring all entities licensed under the Banking Law, Insurance Law and the Financial Services Law to develop information security policies and procedures.[1]

A failure to protect against cyber criminals has significant business risks.  For example, in connection with the massive data breach in 2013 that affected millions of credit and debit card information, Target Corporation entered into a settlement agreement in May of 2017 for $18.5 million, split among 47 states.[2]  The results of these types of settlement agreements and other regulatory actions and lawmaking relating to cybersecurity, highlight the fact that businesses can face liability if they don’t take certain precautions when utilizing electronic information resources for data collection, processing, dissemination and other similar functions. These precautions includes the following:

  • Maintain a Written Information Security Program/Policy.  A business should develop an information security program and a written policy tailored to the business’s attributes to help protect the personal, non-public information of its customers.  The policies and procedures should monitor user activity and detect unauthorized access.
  • Chief Information Security Officer.  An experienced Chief Information Security Officer should oversee the program and enforce the policy.  He or she should report annually to a senior officer of the business and the business’s board of directors to review the security policy and discuss compliance, risks, effectiveness of safeguards, etc.
  • Risk Assessment.  In maintaining the policy, a business should conduct regular risk assessments of its information security program and policy to determine risks and threats to the business.  The risk assessment shall allow for revision of internal controls as needed to address internal and external changes and risks to the business.
  • Periodic Vulnerability Assessments and Penetration Testing.  Based on the risk assessment, the business should conduct continual monitoring and testing of the information security program to assess the program’s effectiveness and weaknesses.  The business should also maintain an incident response plan for documenting and reporting cyber events.     
  • User Access Control/Privileges Management.  A business should generally limit access privileges to the information systems that permit access to nonpublic personal information.  This includes utilizing multi-factor authentication or risk-based authentication to protect against unauthorized access.
  • Third Party Service Provider.  Businesses should separately develop written policies and procedures to ensure the security of nonpublic information accessible to third party services providers.
  • Encryption of alternative control of personal information.  The business should implement certain controls, such as encryption, for any personal, non-public information that is held by the business or transmitted externally.
  • Data Retention.  The business should maintain procedures, where feasible, for disposing nonpublic information that is no longer necessary for business operations or other legitimate purposes.

This article has been prepared for general information purposes only and is not intended as legal advice, nor does it create an attorney-client relationship. These materials may be considered Attorney Advertising in some states. If you should have questions regarding how cybersecurity regulations may impact your firm, please contact Greg Gribben at 585-987-2875, Chris Rodi at 585-987-2820 or Steven Suozzi at 585-445-2753, or another member of the Firm’s Business Counseling practice group.

[1] 23 NYCRR 500.


[2] Attorney General of the State of New York Bureau of Internet and Technology, In the Matter of Investigation by Eric T. Scheneiderman, Attorney General of the State of New York, of Target Corporation, Assurance No. 17-094, available at https://ag.ny.gov/sites/default/files/nyag_target_settlement.pdf.

Steven A. Suozzi