Cyber and Data Security Laws Continue to Evolve, and Companies’ Obligations Rise.
By Erik Dullea and Shelby Dolen
Frequent readers of this column will recall our November article discussing the risk of cybercrime for construction and roadway contractors. These risks to businesses are increasing with cybercriminals pressuring victims to pay a ransom through repeated cyberattacks, threatening to release stolen sensitive data to the public, or by disrupting the company’s role in the supply chain. In response to the increasing costs of cybercrime, federal agencies and state governments are taking steps to push companies to improve their security postures.
Paying a Ransomware Demand Runs the Risk of Federal Penalties
Regardless of the immediate pressure a company will feel to pay a ransom, the total costs of a ransomware attack generally exceed the ransom amount. A new cost in that decision-making process arose last fall, when the Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory that insurance companies and victims of ransomware attacks may face economic sanctions for making or facilitating ransomware payments to malicious cyber actors who have been identified as such under OFAC’s sanctions program.
Similar to MSHA citations, OFAC’s sanctions are enforced under a strict liability standard, and the penalties for violating OFAC sanctions can be tens, if not hundreds, of thousands of dollars. In 2020, the average ransomware demand for small and medium-sized businesses was $5,900.00, and the highest demand was $178,000. The prospect of having to write a six-figure check to the government, after paying a ransom on either end of that spectrum, should give company leaders pause. However, the compliance concerns will not end there, even if the ransom is paid to an entity that is not on OFAC’s prohibited list – in the absence of Congressional action to pass a national data privacy law, state legislators are taking the lead.
New State Laws Require More from Companies than Providing Data Breach Notifications
2018 was a milestone year for consumers, because all 50 states had finally enacted Data Breach Disclosure laws, with California being the first in 2002. These breach disclosure laws require a company to notify consumers if a data breach results in unauthorized access to the consumers’ personal data. However, notifying consumers that the horse was out of the barn, so to speak, was not the end of states’ legislative efforts.
The risks to every individual’s personal data have increased dramatically in recent years, and in response state legislators are taking steps to protect their constituents’ personal data by (1) requiring companies to implement reasonable security measures to safeguard this data, and (2) providing consumers with certain privacy rights, such as the right to determine what data companies collect about them, to prohibit the sale of that data, and to demand the deletion of that data.
As of March 2021, 26 states had enacted laws that impose requirements on the data security practices of private sector entities. The 26 data security laws in effect today double the number of laws that were on the books in 2016. These laws generally apply to entities that own, license, maintain, or process personal data associated with a state’s residents. These entities must maintain “reasonable security measures” to protect the residents’ personal data from unauthorized access, destruction, disclosure, modification, or use. For several states, reasonable security measures are evaluated based on the size of the business and the sensitivity of the personal data.
Status of Proposed CCPA-Like State Privacy Legislation as of March 14, 2021
Notwithstanding the growing legislative push to mandate reasonable security measures in the last few years, the pace of state legislative activity over the last three months may christen 2021 as the beginning of the Data Privacy Law Era. As the description below shows, state legislatures are enacting new data privacy laws at a faster pace than during the Disclosure Law Era.
To date, 20 states have introduced data privacy bills resembling the California Consumer Privacy Act of 2018, with Virginia already enacting legislation. The chart below summarizes the status of current legislative efforts in these states. Currently these data privacy laws are focused on consumer personal data, as distinguished from employee personal data or other data categories that may be subject to other laws focused on specific industry sectors.
Please keep in mind that the contents provided below are time-sensitive and the status of the legislation discussed will likely change during 2021.
Erik Dullea is senior counsel at Husch Blackwell LLP. As a member of its Technology, Manufacturing & Transportation team, he focuses on administrative/regulatory law, with an emphasis on heavily regulated industries and government contractors. He can be reached at [email protected].
Shelby E. Dolen is staff attorney at Husch Blackwell LLP. She regularly monitors and researches fast-changing consumer privacy laws, with the understanding that critical strategy and success for any business includes oversight of data privacy policies and intellectual property portfolios. She can be reached at [email protected].