Cybersecurity is an important concern not only for the safety of data, but also for the protection of people. In many ways, with the internet of things and the proliferation of breaches and exploitation, cyber threats are at the forefront of what we, as individuals and organizations, face. The technology we now have at our fingertips allows us to more quickly integrate and innovate, network and share ideas more easily, and save money. Our digital capacity enables us to do amazing things, but it also makes us vulnerable. According to Martin Banks’ “Five Laws of Cybersecurity,” everything is vulnerable. Put another way, if there is a vulnerability it will be exploited, and that is a problem when your job is to protect people or your organization.
We store a lot of data in our systems. We collect personal information, track usage, and hold terabytes of sensitive information. Even the “zero trust policy” itself, the mechanism by which entities require pre-approval before allowing entry to a space, both physically (like a key card to gain access to a building) and electronically (like a password to enter a computer system), creates risk to data. That sounds far-fetched, I know, but think of what is required to implement zero trust. To approve a person for access to spaces and systems, data about them must be collected, organized, reviewed, and stored. This mechanism requires information such as social security numbers, fingerprints, birthdates, and other personally identifiable information as a baseline for entry. Once individuals gain access, their movements and habits are collected and tracked. As sensitive information and data points are collected and stored, more data is created that companies must protect, all in the name of protecting their data in the first place! Thus, companies are tasked with finding security measures to secure their security measures.
According to the Cybersecurity and Infrastructure Security Agency, or CISA, citing other sources, one in three homes with computers is infected with malicious software; 65% of Americans who went online received at least one online scam offer; 47% of American adults have had their personal information exposed by cyber criminals; 600,000 Facebook accounts are hacked every day; and one in five people report financial loss due to imposter scams.1
Let’s say you are diligent with your personal security measures. You have two-factor authentication on all your accounts, you change your passwords regularly and aren’t storing them in a place that can be hacked or lost in public, and you don’t open emails/texts or click on links that aren’t familiar. Great! You are ahead of the game with your personal data. But what about organizational risks?
Fortinet, a company that develops and sells cybersecurity solutions, reported the following with respect to organizational cybersecurity during the 2020-2021 time frame: (1) ransomware attacks were the most common form of cyberattack in 2021 (remember the Colonial Pipeline shutdown?), and only 4% of businesses that pay the ransom when held hostage by ransomware actually retrieve all their stolen data; (2) cyberattacks, particularly those exploiting vulnerabilities, increased by 33%; (3) the average data breach cost rose almost 10%, reaching $4.24 million; (4) identity fraud losses reached $56 billion in 2020, and in 2021, companies experienced 31% more cyberattacks, with an average of 270 attacks each.2 These are huge numbers, and the financial costs directly associated with them make them a significant concern.
In March 2022, President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, which authorizes CISA to develop and implement regulations requiring covered entities to report certain cyber incidents and ransom payments to CISA (CISA.gov/circia). Per the act’s instructions, CISA is to promulgate rules that will place a new, and potentially heavy, burden on organizations, which must comply at risk of civil penalty. While CIRCIA hasn’t yet taken effect, CISA held 10 listening sessions around the United States in fall 2022, per CIRCIA’s instructions, and the agency intends to complete the comment period required prior to the issuance of the final rule in 2023. This new act, which isn’t the only such act being considered globally, is going into effect in 2024, and organizations that aren’t prepared to comply with the new rules and timelines will be caught off guard.
Lost data, lost revenue, compromised systems, and administrative penalties for regulatory non-compliance are not the only areas of concern for companies. Cybersecurity civil liability is a rapidly emerging area of tort law, and courts across the United States have recently upheld claims for negligence, fraud, breach of contract, unjust enrichment, and violation of the First Amendment. Regarding data breaches, TransUnion LLC v. Ramirez recently required plaintiffs to have suffered a “concrete injury” to have standing; many jurisdictions (both state and federal) are siding with plaintiffs when there is at least “substantial proof of concrete injury” from the loss of private data. Additionally, since cyber liability insurance is now widely available, we can expect to see greater litigation arising from cyber insurance coverage disputes as well.
This is not intended to be a complete treatise on the legal topics mentioned; rather, it is intended as a word of caution. If you are an organization and you’re not already preparing for an increased focus on cybersecurity and related legal concerns, you’re late to the game. This area of law is rapidly growing and evolving. The risks are high, and the threats to finances, clients’ privacy, and trade secrets are grave.
1 “The Facts: Get clued in to the cyber world reality.” Cybersecurity & Infrastructure Security Agency, https://www.CISA.gov/be-cyber-smart/facts. January 3, 2023.
2 “Cybersecurity Statistics.” Fortinet, https://www.fortinet.com/resources/cyberglossary/cybersecurity-statistics. January 3, 2023.