What Colorado companies need to know about cybersecurity
The future is now
Cybersecurity is no longer just a buzzword for IT personnel. It is a necessary talking point in boardrooms and business meetings. Last year alone, more than 1,000 businesses were subjected to cyber-attacks. About two-thirds of them learned about attacks on their networks from third parties. Just as embarrassing, most of them had been infiltrated for more than six months. They just didn’t know it.
As millions of consumers were subjected to “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees,” as is alleged in the pending class action against Target, hundreds of lawsuits and investigations were initiated by consumers, banks, regulators and shareholders. Little wonder a recent national survey of nearly 500 business directors found that cybersecurity is the No. 1 issue on their minds.
Colorado’s Data Breach Statute
Most of the lawsuits and investigations involving cyber-attacks include common law claims for breach of contract or negligence, including claims against businesses for failure to provide adequate security to protect personal information and/or the failure to timely notify consumers that their personal information was breached or compromised. In Colorado, the attorney general can hold businesses liable for failing to notify individuals in the event of a data security breach, and common law claims may be asserted for unfair trade practices, negligence, and a variety of other actions stemming from the unauthorized access to personal information.
Under Colorado’s Consumer Protection laws, and its security breach notification requirements set forth in Colo. Rev. Stat. § 6-1-716, with few exceptions, businesses in Colorado must implement and maintain reasonable procedures to prevent unlawful use or disclosure of personal information they collect or maintain. Personal information includes a Colorado resident’s first name or first initial and last name combined with the resident’s (i) social security number; (ii) financial account, or credit card or debit card number together with any security code, access code or password that would permit access to the resident’s financial account; or (iii) driver’s license or state identification number.
When businesses that own or license computerized data that includes personal information become aware of a breach, they must determine the likelihood that personal information has been or will be misused, and if there is such a likelihood, notify each affected person as soon as possible unless law enforcement asks them not to for investigative purposes. The only other permitted reasons for delaying notification are to determine the scope of the breach and to restore the reasonable integrity of their security systems.
Failure to comply with Colorado’s notification law can subject businesses to civil fines. While not an independent basis for liability for consumers to assert in private lawsuits, Colorado’s breach notification requirements at least establish a baseline of notification procedures businesses should follow when personal information has been breached or compromised.
Federal Response to Data Breach Landscape
After numerous executive orders, proposed guidelines and directives to establish a cybersecurity framework, the federal government is considering cybersecurity legislation that may preempt the existing patchwork of state laws. On March 25, bipartisan legislation being referred to as the Data Security and Breach Notification Act of 2015 (DSBN) was submitted to Congress. As presently drafted, if enacted the DSBN would apply to most businesses, would preempt all state data breach notification laws, would only require businesses to notify consumers if breaches are likely to lead to economic harm, and would expand the definition of personal information. As a single standard, the DSBN would have obvious benefits for businesses over the existing patchwork and evolving legislation and standards. Importantly, the DSBN would be enforced by the Federal Trade Commission, which would have authority to issue uncapped civil penalties.
For Cybersecurity, the Future is Now
The cybersecurity landscape is more complex than ever. Even leading cybersecurity experts admit they cannot prevent every intrusion or breach. Already there are cybersecurity issues relating to mobile apps and the Internet of Things, the network of embedded electronics, software and sensors that enable the exchange of data with manufacturers, operators and/or other connected devices (e.g., internet-connected TVs, gaming consoles and learning thermostats). Experts estimate that there will be 50 billion connected devices by 2020, as well as ubiquitous unmanned aircraft systems and autonomous robots also powered by big data and network connectivity.
Understanding cybersecurity legislation and industry standards is essential because they continue to evolve. Staying informed will be a challenge—and a necessity—for every growing business.