Data Breaches and Data Protection for San Diego Businesses
Every successful business should have a website and a web presence. Along with the benefits of e-commerce come many responsibilities. We wrote recently about how businesses must keep their websites in compliance with the Americans with Disabilities Act and two California statutes – the Unruh Civil Rights Act and the California Disabled Persons Act. See here
San Diego Business Law: Data Breaches
In addition to accessibility obligations, San Diego businesses have a duty to their customers to keep personal and financial data private and secure from hackers. If your cybersecurity is lax or not up to current standards and that leads to a data breach, your business may be investigated by the Federal Trade Commission for a possible violation of Section 5 of the Federal Trade Commission Act (“FTC Act”). Deficient, substandard, or outdated security practices, software, and hardware that fail to protect the privacy of your customers are now treated by the FTC as an “unfair” business practice in violation of the FTC Act, and representing that your security is stronger than it actually is is treated as a “deceptive” one. Equifax is a good example. Just a couple of months ago, in September 2017, Equifax reported that it had been hacked and that personal and financial data concerning more than 145 million U.S. consumers had been compromised. See report here. The data stolen included:
- Names, addresses, and Social Security numbers
- Date of birth information
- Driver’s license numbers (for a subset of affected consumers)
- Credit card numbers (for approximately 209,000 consumers)
Equifax is now under investigation by the FTC. See report here.
Factors Considered by the FTC: Liability For Data Breaches
If your San Diego business is the target of a cyberattack and customer data is stolen or compromised, the FTC (and ultimately a court) will look to certain facts to determine whether your security measures were reasonable and whether you will be held liable. See, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), in which the FTC alleged, among other things, that payment card data was stored in readable clear text, that easily guessed and default passwords were in use, and that firewalls and current software were lacking. Among the facts the FTC will consider are:
- Data readability: whether customer data is stored and transmitted in plain, readable clear text or encrypted
- Ease of guessing or cracking passwords
- Use of default or factory-set passwords and user IDs
- Ease of remote access to the network
- Use and sufficiency of firewalls and other network segmentation (compartmentalization) controls
- Third-party vendor issues, such as privacy and security clauses in vendor contracts, excessive vendor access, and whether passwords and access codes are changed once third-party work is complete
- Staff training
- Vendor training
- Status of equipment and software: current and supported, or out-of-date operating systems that can no longer receive security updates
- Whether security updates (patches) to software are applied promptly
- A proper and adequate inventory of computers and equipment, allowing quick identification of where private information is stored and where a cyberattack occurred
- Proper and prompt security investigations when “red flags” are raised
- Use of industry-standard incident response procedures
- Proper monitoring of the network for malware and other snooping software
- Hiring or designation of a privacy protection officer
Lessons for San Diego Businesses
If you use computers to process payments and sales, federal law, as enforced by the FTC under the FTC Act, now requires you to provide for safe and secure storage and processing of your customers’ financial and personal information. Failure to do so will likely result in civil lawsuits and federal (and often state) investigations. It is crucial to retain experienced business and corporate counsel.
Businesses are also advised to check with their insurance broker to make sure that liability coverage includes data breaches and damages flowing from cyberattacks, both successful and attempted.
Contact San Diego Corporate Law
Every San Diego business needs a skilled and experienced business attorney who knows California law and evolving trends such as the need for cybersecurity. Your business needs an attorney like Michael Leonard of San Diego Corporate Law. To schedule a consultation, email or call (858) 483-9200.