iThe business world has raised serious concerns recently about potential liability stemming from sharing otherwise-private information with the government and other organizations in light of widespread data-breach apprehension. In March, following the issuance of a presidential executive order, leaders at more than 30 major companies pressed Congress for federal legislation that would shield private industry from liability related to a host of potential problems that arise with cybersecurity and information sharing. Understandably, some of the most serious concerns have been raised by the financial and healthcare industries.
Congress responded with the introduction of a bill known as the National Cybersecurity Protection Advancement Act, which was proposed by two Republican representatives from Texas (including the chair of the Homeland Security Committee) on April 13. It proposes a two-tiered approach to “scrubbing” personal information from data shared with the government and other organizations – a preliminary private scrub of personal information to be conducted by the organization sharing the data, and a secondary scrub to be conducted by the National Cybersecurity Communications Integration Center.
These developments followed a slew of recent security breaches at organizations like Anthem, Inc. (from which hackers obtained information on over 80 million customers and employees in February), Sony Pictures, Target, and the United States Postal Service.
Shortly after the Anthem breach, President Obama signed an executive order that seeks to aid private- and public-sector organizations set up “Information Sharing and Analysis Organizations,” or “ISAOs,” that will aid in the analysis and sharing of information on cybersecurity threats between private and public organizations. The Executive Order directs the Department of Homeland Security to fund the creation of a non-profit organization that would provide voluntary standards for companies and other entities to follow in setting up and administering their own ISAOs.
Presently, the Executive Order is the primary regulation in the area, and it is unknown whether the cybersecurity act will be passed and, if it is, when it would go into effect. In the meantime, litigation surrounding past and future data breaches is imminent. Target recently settled a class action related to data breaches against it for a tidy $10 million. However, the risk of liability doesn’t end with an actual data breach. Many commentators have raised other concerns, specifically related to the ISAO process, that are likely to wind up on state and federal courthouse steps for years to come.
First, there is a minefield of potential liability for failing to “scrub” private information from data shared with the government and other entities during the information-sharing process. That, as a matter of course, is in addition to potential liability for actual data breaches related to “hacking.” However, the litigation fodder doesn’t stop there. If your organization develops an ISAO, and you receive warning of a potential security breach, what is the possible liability for failing to act on that warning, either at all or in a timely fashion? How massive will the cost be for acting on a data-breach warning, and how reliable are those warnings likely to be? Furthermore, what is the potential for liability to consumers, state and federal government, and other private companies if your organization “misses” a warning sign that results in a data breach or unintended release of personal information?
These are the questions that will plague lawmakers during the debates related to the current cybersecurity bill and others like it in the future. However, with or without the adoption of federal legislation governing the issue – and with or without standards produced pursuant to the Executive Order on ISAOs – these concerns are already at the forefront of business leaders’ minds, and it is likely to be a hotbed of litigation and regulation for years to come.
