We live in the age of information. Exponential gains in our ability to gather, store, and communicate information electronically have defined this millennium thus far. But, as is usually the case, regulation of the risks associated with rapidly advancing technology has lagged behind. Most businesses, and people in general, have recently come to recognize that “cybersecurity” is an important issue deserving attention. Far fewer could define “cybersecurity” if asked, much less explain the immediate steps that should be taken following a breach.
Unfortunately, the federal and various state governments’ level of understanding mirrors most people’s. That is to say, the law acknowledges the issue but does not adequately explain how to deal with a breach. While some regulation exists, the complicated patchwork of state and federal data breach laws makes compliance difficult. Explaining the interrelation of the various state and federal statutes would require much more time than anyone reading this is likely to want to spend. Instead, this article provides some cybersecurity basics from both a legal and a practical perspective.
Webster’s defines cybersecurity as “measures taken to protect a computer or computer system against unauthorized access or attack.” Note the simplicity of this definition. Most people envision a cybersecurity threat as the hacker sitting in front of six monitors in his mom’s basement, typing furiously to penetrate deep behind the Federal Reserve’s firewall. While those threats exist, the far more common cybersecurity threats are the unlocked car your employee left their laptop in while they work out, your HR Director emailing themselves their password so as not to forget it, and your Sales Manager responding to the “urgent” email from the phisher using the same name as the CEO.
Preventing these obvious threats should be a top priority. Involve your CIO in top-level decision making. Develop an efficient system to communicate technology policies to employees. Instruct IT to set up requirements that passwords are regularly updated and cannot be easily cracked. Most crimes are crimes of opportunity, and cyber-criminals are no different. Do not become the victim because you are the most vulnerable target.
Even with these measures in place, a data breach remains more of a “when” than an “if.” If your company does not have an Emergency Action Plan to deal with a breach, you are behind. You should consider immediately forming a committee with representatives from legal, IT, and the C-Suite to develop a plan for the event of a data breach.
From a legal perspective, while Minnesota’s statutory regulation of these breaches is limited, especially for non-government entities, there are laws currently in place that must be complied with. While the law is vague and could be improved upon, there are some basics companies should follow in the event of a breach.
First, determine whether reporting the breach is required. Minnesota Statute § 325E.61 only mandates disclosure to certain persons in the event of a data breach. Per the statute, any person or business conducting business in Minnesota who owns or licenses personal information must inform any Minnesota resident of a breach if their personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This means a company is not required to disclose a breach to a particular individual unless there is some reason to think that particular person’s information was actually stolen. The fact that a person had their information on the breached system, and is therefore more susceptible to identity theft, does not constitute the type of harm that would allow them to maintain a lawsuit. See In re Supervalu, Inc., 870 F.3d 763 (8th Cir. 2017).
Second, be familiar with how to report. The statute provides several alternative mechanisms for reporting a breach, from providing written or electronic notice (including email) to alerting major statewide media. Consult an attorney to determine which reporting mechanism makes the most sense for your business.
Also bear in mind that several federal bills currently in process may upend the current state system. The Consumer Information Notification Requirement Act (H.R. 6743) is currently on the House of Representatives’ Union Calendar. If passed, the Act would preempt state laws and provide uniform data breach notification standards for financial institutions. Acts applying to broader sectors, such as the Data Acquisition and Technology Accountability and Security Act, have also been proposed and would upend state regulatory efforts. A group of 32 state attorneys general have formally opposed the federal legislation, believing that preemption of state law would pose more problems than solutions.
In sum, do not attempt to untangle the web that is the present state of cybersecurity regulation, but do have a plan to prevent attacks and respond to breaches. Front-end preparation can save massive back-end scrambling.
This information is general in nature and should not be construed as tax or legal advice.