As the White House and Congress consider new cybersecurity legislation, some middle-market companies may still be questioning whether the cybersecurity crisis is a real threat for their businesses.
The notion that a business might be too small or too boring for a cyber breach is a comforting fiction. The reality is that most cyber breaches are not the work of international criminal gangs or foreign intelligence operatives; they are attributable to the company’s own employees. Mere negligence by even a well-intentioned employee can trigger substantial investigation and response costs, and an employee who is leaving to join a competitor or who simply carries a grudge against her boss can cause substantial competitive or reputational injury. But even a company that is lucky enough to avoid ever having an actual breach may be required as a condition of doing business to provide its commercial partners assurances of adequate data security. Thus, for even the rare company that can be confident it will never attract the attention of external cyberthreats, cybersecurity is still an essential part of risk management.
For some companies, cybersecurity compliance is expressly mandated by industry-specific regulations. For example, HIPAA’s Data Security Rule is generally applicable to most healthcare providers and insurers, and the Gramm-Leach-Bliley Act imposes security standards on financial institutions. More broadly, the Payment Card Industry Data Security Standards are, by contract, binding on most companies that regularly accept payment by credit card. There are, however, many middle-market companies that are not subject to any industry-specific regulations and that do not regularly accept payment cards and may be led to the false conclusion that they are exempt from any requirements.
One of the most important lessons from the Target breach — which has been attributed at least in part to lax security by a single HVAC vendor — is that effective cybersecurity requires commercial partners with effective cybersecurity. Major public companies have responded by implementing or expanding data security requirements for their vendors and service providers. In the current environment, for many companies, cybersecurity is not just risk management; it is responsive customer service.
Another problem with the “too obscure to hack” theory is that cyberthreats sometimes are not specifically targeted to any particular business. For example, ransomware — a malware designed to shut down a computer network unless a “ransom” is paid — may be distributed broadly in the hope of finding vulnerable targets. Such malware does not discriminate based on the size or public profile of the affected business. Business disruption due to a cyberattack presents uncertain and potentially broad liability. The liability of a commercial party that breaches a customer contract because a computer virus shuts down the company’s operations has not yet been extensively litigated, but a company that has not taken reasonable efforts to prevent such an attack will be a far less sympathetic defendant for the court and the jury.
The reality is that any company that maintains electronic employee job applications and personnel files or that routinely collects and processes consumer credit applications is in possession of personally identifiable information (PII), whose unauthorized disclosure may trigger state breach-notification laws. As recently highlighted by the White House, the current state breach-notification laws can impose substantial complexity and expense. Even the most innocuous breach can require investigation and response costs and draw the scrutiny of state and federal regulators. A classic example is the laptop computer containing unencrypted personnel files that is left in the back of a taxicab. The likelihood that the data on the computer will ever be used for identity theft or other financial fraud may be relatively low, but in most instances that will not excuse the company from providing notice to the affected employees and, in many states, the state attorney general. Notice of the “breach” may then result in broader inquiry by regulators into the company’s cybersecurity generally. The cost of simply investigating and giving notice can be significant. The White House proposal to have a single national standard is a step in the right direction but will reduce these costs only at the margins. Most of these costs are driven by the basic policy decision that a breach threatening the security of individuals’ PII should be publicly disclosed and subject to investigation in the discretion of the state and federal regulators. Unless and until that basic determination changes, even minor breaches can cause big disruptions.
In short, cybersecurity is a real concern for almost all businesses. Some of these issues may be driven by overbroad government regulations, or by overcautious commercial partners, rather than the reality of a company's actual security requirements. Admittedly, the expense and disruption of implementing these cybersecurity standards may be frustrating for cost-conscious executives, but the downside risk in litigation, business disruption and loss of competitive position for most companies will at least in the aggregate far outweigh the burden of compliance.
Matthew F. Prewitt is a partner at law firm Schiff Hardin. He is chair of the firm's Cybersecurity and Data Privacy Team, co-chair of the firm’s Trade Secrets and Employee Mobility Team, and a member of the firm’s e-Discovery Committee.