By Philip E. Daniels, Esq. and Luna Veronese, Ginsburg Daniels Kallis LLP
Hacking has become a prominent way of catching people's attention in the past several years. So much so that it has even become a peculiar form of advertising for hacking groups: for them, it is a very effective way to gain notoriety while demonstrating the vulnerability of their targets. When a business is the victim, the trouble of reestablishing control of its accounts may pale in comparison to the potential liability it faces when customer or subscriber data is breached.
This last April Fools' Day, the group OurMine compromised over 300 large channels within the Omnia Media network on YouTube. The group has notably hacked other high-profile companies and individuals in the past, including the personal online accounts of Mark Zuckerberg and Sundar Pichai, the entertainment magazine Variety, BuzzFeed, and the social media accounts of celebrities such as deadmau5, Channing Tatum, and David Guetta. The attack was used as a way to advertise the group's own security services, as boasted in the message posted on the victims' accounts: "Hey, it's OurMine, don't worry we are just testing your security, please contact us for more information."
The April Fools' Day prank served as a highly visible reminder of how important corporate and personal data security are, and a good occasion to revisit corporate cybersecurity regulations and the best practices for preventing breaches and mitigating damage.
There are preemptive measures a company can employ to protect itself and its customers before a breach occurs, including controlling access to sensitive data, not collecting unnecessary personal information from customers, requiring strong passwords for authentication, using industry-tested and accepted methods of storing sensitive information, monitoring activity on its network, writing security standards and, most importantly, complying with them. However, there is no single uniform law that prescribes such measures. It is up to the business to adopt reasonable measures and consider all the variables.
At the Federal level, the Federal Trade Commission ("FTC") provides guidelines on how to prevent data breaches and what measures to take to protect the personal information of customers. The FTC is also in charge of enforcing those expectations and penalizing companies that do not take reasonable measures to protect such personal information, and make no mistake, corporate penalties are common. In February 2017, the FTC filed a complaint against Vizio alleging that the company collected consumers' viewing data without their informed consent, which resulted in Vizio paying $2.2 million. In December 2016, Ashleymadison.com, a niche dating website, paid $1.6 million to settle FTC charges that the company failed to protect users' personal information. In 2015 and 2016, the FTC also pursued companies such as Asus, LabMD, Oracle, and LifeLock for not taking reasonable steps toward protecting consumer data or mitigating the damage caused by a breach.
Unfortunately, there is no surefire way to avoid cyberattacks, and in spite of a company's best efforts, talented, persistent, and ever-evolving attackers will find a way in. When data security is breached, liability and subsequent damages are likely to follow.
As the FTC itself states, its guidelines are based on reasonableness. So long as the company can demonstrate that it acted with reasonable care toward its consumers' personal data, taking into consideration the sensitivity and volume of the information, the size and complexity of the data operation, and the cost of improving security and reducing vulnerabilities, the FTC is unlikely to find a violation even if a breach occurs. The FTC's own breach-response guidance recommends measures such as assembling a team of technical experts that can rapidly respond to the breach, engaging legal counsel experienced in privacy and data security, securing physical areas related to the breach, stopping additional data loss by taking the affected equipment offline (without destroying evidence), and creating a comprehensive communication plan that reaches all affected audiences.
One nearly universal requirement for limiting liability is notifying the affected parties. Sector-specific Federal laws and most state laws require it. A business that suffers a security breach exposing the personal information of its users must notify not only the affected individuals and law enforcement agencies, but also any other affected or potentially affected business partners, such as banks, credit card companies, and other third parties that handle the compromised data.
In 2016, California amended its Data Breach Notification Law, which establishes how a business that operates in California or holds data about California residents must proceed in case of a data breach. Per Section 1798.82 of the California Civil Code, a person or business must promptly notify all affected individuals any time unencrypted personal information was acquired or accessed by an unauthorized person, or encrypted personal information was acquired together with the encryption key or security credential, where there is a reasonable belief that the key or credential could render the information readable or usable. The obligation applies when the compromised data includes an individual's first name or initial and last name coupled with (i) his or her social security number, (ii) driver's license or state identification card number, (iii) bank account or credit card number in combination with the security or access code, (iv) medical or health insurance information, or (v) information collected through an automated license plate recognition system.
Time is of the essence: notification must be made expeditiously and written in plain language so that individuals can easily understand what happened, what they should do, and what the company is doing to remedy it. The requirements are straightforward and helpful because the law itself prescribes a model form with the exact headings under which the information must be presented: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information." As an example, the notice must tell all affected parties what happened and the date or estimated date of the breach. The information must be as complete as possible, as long as it does not compromise an ongoing criminal investigation. In such cases, the business must first consult law enforcement to learn how much information can be released. The notice must also explain what is being done to remediate the breach and what users can do to protect themselves.
The notice can be either written or electronic, and it must also contain the contact information of the person or department responsible for resolving the breach and, if the breach exposed a social security number or a driver's license or state identification card number, the toll-free telephone numbers and addresses of the major credit reporting agencies.
Given that data breaches will continue to occur in spite of best efforts to protect consumers, adopting these simple and direct measures both before and after a breach will mitigate liability and damages.
Taking these reasonable steps is an effective way not only to reduce criminal and civil liability but also to show your customers that your business cares.
Our firm was recently involved in helping clients with these types of security breaches and ensuring compliance with the specific laws in this area. We can advise accordingly.
Note that this article should not be deemed legal advice in any way whatsoever. No attorney-client relationship is created, and anyone facing this issue should seek appropriate legal advice from an attorney who specializes in this area.
Phil Daniels is cofounder and partner of Ginsburg Daniels Kallis, LLP, a leading transactional entertainment law firm located in Beverly Hills, and has over 15 years of experience working in the media and entertainment industry. Phil established and runs the firm's social media, digital and TV production practice, which focuses on helping enterprises that develop, produce and distribute content across all media platforms.