Page 39 - The IT Guidebook

CYBERSECURITY - LEGAL EXPERT ANALYSIS - CONTINUED




Private information includes:

1. Social Security numbers;
2. driver's license numbers or non-driver identification card numbers;
3. account numbers, credit or debit card numbers, if those numbers would permit access to an individual's financial account;
4. biometric information; or
5. a user name or email address in combination with information that would permit access to an online account.

The SHIELD Act enumerates several administrative, technical and physical safeguards that larger businesses must develop, implement and maintain. These safeguards include, but are not limited to: identifying reasonably foreseeable internal and external risks; assessing risks in network and software design, information processing, transmission, storage and disposal; and detecting, preventing and responding to attacks, system failures and intrusions. For small businesses, the Act simply provides that "the small business' security program [should contain] reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the small business' activities, and the sensitivity of the personal information the small business collects from or about consumers." A small business is any person or business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than five million dollars in year-end total assets.

Despite all of these legal requirements and safeguards, what constitutes "reasonable security" remains ambiguous to this day. As previously noted, most laws currently provide that the safeguards implemented by a business should be reasonable and appropriate, given the size of the business and the information they collect. Agencies such as the Federal Trade Commission (FTC) have recognized that there is no such thing as perfect security, but that security is a continuing process that requires the business to detect risks and adjust their safeguards accordingly.

While these sources do not provide a ceiling for the safeguards that a business should have in place, they appear to have at least begun the creation of a floor. For years, the FTC has been the primary enforcer of cybersecurity regulations. The FTC has brought numerous actions for deceptive or unfair business practices under the FTC Act for businesses that claimed—but failed—to have reasonable security in place. Consequently, as best practices, businesses seeking to come into compliance are well-advised to draw knowledge from the publications of their regulators and to also consult the FTC's published guidance on what their type of business is required to implement. Many of these FTC guidelines go into greater detail on the types of safeguards businesses should implement, including: the FTC's guidelines for small businesses and the FTC's explanatory material on the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST) (a voluntary framework that includes standards, guidelines and best practices to manage cybersecurity risk).

Bear in mind that if you collect information from individuals located in other states, you will also have to evaluate the laws of those states, which may be stricter than the laws of the state in which your company has its principal place of business. For example, unlike the SHIELD Act, the California Consumer Privacy Act of 2018 (CCPA) provides a private right of action to California residents whose personal information was subject to "an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices." This private right allows a successful plaintiff to recover damages in the amount of "not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater." To put this in context by way of example, if a compromised database has information on a mere 10,000 people, a business could be subject to damages of $1,000,000 to $7,500,000. In contrast, New York's SHIELD Act imposes civil penalties of not more than $5,000 for failing to implement reasonable security and, under New York's Breach Notification law, potential penalties are the greater of $5,000 or up to $20 per instance for failing to notify affected consumers of a data breach, not to exceed $250,000.

As most businesses collect and maintain sensitive personal information about their customers, the key takeaway is to first assess the type of business that you operate and the types of personal information that you collect. From that starting point, develop, implement and maintain a sound security plan to collect only the information that you need, to keep that information safe, and to dispose of it securely. This will form the foundation to help your business meet its legal obligations to protect that sensitive data.

Reprinted with permission from the May 6, 2020 edition of the New York Law Journal © 2022 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited; contact 877-257-3382 or reprints@alm.com.







