Page 38 - The IT Guidebook

CYBERSECURITY - LEGAL EXPERT ANALYSIS - CONTINUED




Private information includes:

1. Social Security numbers;
2. driver's license numbers or non-driver identification card numbers;
3. account numbers, credit or debit card numbers, if those numbers would permit access to an individual's financial account;
4. biometric information; or
5. a user name or email address in combination with information that would permit access to an online account.

The SHIELD Act enumerates several administrative, technical and physical safeguards that larger businesses must develop, implement and maintain. These safeguards include, but are not limited to: identifying reasonably foreseeable internal and external risks; assessing risks in network and software design, information processing, transmission, storage and disposal; and detecting, preventing and responding to attacks, system failures and intrusions. For small businesses, the Act simply provides that "the small business' security program [should contain] reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the small business' activities, and the sensitivity of the personal information the small business collects from or about consumers." A small business is any person or business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than five million dollars in year-end total assets.

Despite all of these legal requirements and safeguards, what constitutes "reasonable security" remains ambiguous to this day. As previously noted, most laws currently provide that the safeguards implemented by a business should be reasonable and appropriate, given the size of the business and the information they collect. Agencies such as the Federal Trade Commission (FTC) have recognized that there is no such thing as perfect security, but that security is a continuing process that requires the business to detect risks and adjust their safeguards accordingly.

While these sources do not provide a ceiling for the safeguards that a business should have in place, they appear to have at least begun the creation of a floor. For years, the FTC has been the primary enforcer of cybersecurity regulations. The FTC has brought numerous actions for deceptive or unfair business practices under the FTC Act against businesses that claimed—but failed—to have reasonable security in place. Consequently, as a best practice, businesses seeking to come into compliance are well-advised to draw knowledge from the publications of their regulators and to also consult the FTC's published guidance on what their type of business is required to implement. Many of these FTC guidelines go into greater detail on the types of safeguards businesses should implement, including the FTC's guidelines for small businesses and the FTC's explanatory material on the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST), a voluntary framework that includes standards, guidelines and best practices to manage cybersecurity risk.

Bear in mind that if you collect information from individuals located in other states, you will also have to evaluate the laws of those states, which may be stricter than the laws of the state in which your company has its principal place of business. For example, unlike the SHIELD Act, the California Consumer Privacy Act of 2018 (CCPA) provides a private right of action to California residents whose personal information was subject to "an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices." This private right allows a successful plaintiff to recover damages in the amount of "not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater." To put this in context by way of example, if a compromised database has information on a mere 10,000 people, a business could be subject to damages of $1,000,000 to $7,500,000. In contrast, New York's SHIELD Act imposes civil penalties of not more than $5,000 for failing to implement reasonable security and, under New York's Breach Notification law, potential penalties are the greater of $5,000 or up to $20 per instance for failing to notify affected consumers of a data breach, not to exceed $250,000.

As most businesses collect and maintain sensitive personal information about their customers, the key takeaway is to first assess the type of business that you operate and the types of personal information that you collect. From that starting point, develop, implement and maintain a sound security plan to collect only the information that you need, to keep that information safe, and to dispose of it securely. This will form the foundation to help your business meet its legal obligations to protect that sensitive data.

Reprinted with permission from the May 6, 2020 edition of the New York Law Journal © 2022 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited; contact 877-257-3382 or reprints@alm.com.