1. Changing United States Privacy and Security Laws
Soon US businesses will have to navigate a patchwork of state-specific laws that require different levels of personal data privacy and protection. California’s law, the California Consumer Privacy Act (CCPA), will go into effect on January 1, 2020. The CCPA will apply to businesses that have annual gross revenues in excess of $25 million, possess the personal information of at least 50,000 consumers, or earn more than half of their annual revenue from selling consumers’ personal information. In addition to protections similar to those in GDPR, the CCPA will, for instance, prevent discrimination against California residents who wish to exercise their privacy rights.
States like Nevada and Maine have already enacted their own versions of privacy and security laws to protect their residents.
The challenge for lawyers and the companies they represent is that all 50 states and Puerto Rico have different versions of data privacy laws in place or in draft form. Some of the lawyers at the conference questioned whether a federal rule is coming, and opinions were mixed. Some noted that the current political climate in the United States may stall any broad legislation, while others noted that industry may well drive the formation of a national law.
2. Cyber Insurance is Still Maturing
Not all cyber insurance policies are created equal. In fact, the cyber insurance industry is still evolving and learning. Policies are not standardized because they are new. This means that pricing for coverage can be all over the place and drastically change from carrier to carrier or vary by coverage type.
When obtaining cyber coverage, the business must understand the type of cyber risk it is likely to encounter. Engaging security professionals to conduct audits and consult with the business regarding risk will help to align the correct coverage with the risk.
Cyber insurance purchasers should be careful to understand policy limits and whether sub-limits apply to their coverage. One can imagine the terror of getting breached and submitting a claim, only to learn that the sub-limit for a particular attack type is not high enough to cover the loss.
3. Law Firms are Targets for Attack
Several speakers noted that law firms are rich targets for attackers. No matter the size or sophistication of the firm, they all hold personal information and sensitive corporate data. Litigators, moreover, constantly expose sensitive information through the legal filings required in lawsuits. Not all courts at every level have appropriate protections in place to avoid exposing personal or corporate information.
Law firm attorneys and in-house counsel are ethically responsible for protecting client information and keeping it confidential. The American Bar Association issued Formal Opinion 483, which outlines a lawyer’s duty to inform clients when there is a data breach. The attorneys at the conference discussed the dangers of waiting to inform clients as well as various tools to prevent data breaches.
General counsel and corporate attorneys sit at the nexus of business purposes and risk mitigation. It was a privilege to represent Baffin Bay Networks at the conference and to learn how we are able to assist attorneys in protecting their clients’ interests as well as their own.