Negative effects of data privacy and data breach issues on companies can include:
- Direct harm in the form of theft
- Indirect losses, such as loss of operations time and resources devoted to security repair
- Damage to the company’s reputation (loss of client trust)
- Overall loss of confidence in digital security
As cyber security technology continues to evolve, laws surrounding this area must also adapt to changing circumstances and situations. Courts will need to decide on crucial issues which might not have much legal precedent. For instance, the recent Spokeo ruling involved complex issues regarding standing and injury-in-fact requirements.
Mandatory Disclosures and Data Privacy Issues
A central debate with regard to cyber security is the question of disclosure of sensitive company information. Data privacy is a component of many laws such as the Foreign Corrupt Practices Act (FCPA). In relation to the FCPA, the DOJ released an Enforcement Guidance that extends cooperation credit to companies that meet standards for:
- Voluntary self-disclosure of criminality;
- Full cooperation; and
Companies seeking to take advantage of the DOJ credits will need to demonstrate “full cooperation”; this may entail producing the necessary overseas documents in the event of an investigation. These companies will need to strike a balance between DOJ requirements and any foreign data privacy laws restricting the transfer of personal data. It is likely that a company relying on a foreign data privacy provision to withhold documents will have to bear the burden of convincing the DOJ of such prohibitions.
Should Disclosure of Data Breaches be Mandatory?
Another particularly poignant issue regarding cybercrime and data privacy is whether disclosure of data breaches and cyber attacks should be mandatory. Current reporting laws are viewed as vague and do not offer very specific guidance regarding disclosure of cyber breaches. Arguments in favor of mandatory reporting of cyber attacks include:
- Underreporting or failure to report results in an incomplete understanding of the mechanisms of cyber breaches. This in turn leads to incomplete defenses against cyber attacks
- Reporting would create greater transparency and encourage dialogue amongst businesses, consumers, and policy makers regarding cybersecurity management
- A reworking of cyber attack disclosure laws would serve to clarify existing requirements that many feel are vague (such as the Cybersecurity Law of 2015 and the SEC’s 2011 Disclosure Guidance for cybersecurity)
Arguments against mandatory reporting of cyber attacks include:
- The overall amount of work involved in mandatory reporting of data breaches and cyber attacks could divert resources from security implementation into compliance
- Many see cybercrime reporting as a threat to individual citizens’ data privacy
- Reporting could create even more opportunities for cyber attacks as information gets shared across channels and between departments
- There are other ways to improve cyber security without enforcing mandatory reporting, such as clarifying existing laws
In any event, most analysts do agree that major cyber attacks that affect public safety or national security should be disclosed to the appropriate government authorities (as well as important stakeholders). Most would also agree that the ever-changing nature of cyber threats makes it difficult to prescribe very specific requirements.
Recent Cybercrime Cases
Cyber thieves attempted to steal nearly $1 billion from Bangladesh’s central bank account with the U.S. Federal Reserve Bank. FBI evidence suggests that inside employees may have assisted cyber hackers in navigating the Bangladesh Bank computer system. $81 million is believed to have made its way into the Philippines, into casinos and junket systems.
In a similar attack, Tien Phong, a Vietnamese bank, experienced a cyber attack involving attempted fund theft through the use of SWIFT interbank messaging services. These two instances highlight general concerns that the software and systems used in these attacks may expose vulnerabilities in other banks as well.
As the technology and techniques associated with cybercrime continue to evolve, companies and lawmakers continually face new challenges. If you have any concerns or inquiries, or would like to file a claim, contact us today at Kessler Topaz. Our team of attorneys is fully committed to protecting investors, consumers, and others from fraud and violations. We also provide highly secure, private portfolio monitoring services for clients.