RC: To what extent are cyber risks and related liabilities increasing for companies and their D&Os? How vulnerable are companies to attacks such as data theft and hacking, data security breaches, computer network interruptions and privacy violations?

Kelly: Companies and D&Os face a significant risk of financial and reputational harm from data privacy breaches and cybercrime. A 2013 report by the Center for Strategic and International Studies estimated the annual cost of cybercrime to the US economy at $100bn. In 2013, the Ponemon Institute calculated that the average data breach in the US costs $5.4m. They also found that, for the first time, malicious and criminal attacks were the most frequent cause of data breaches in the US, at 41 percent, and the most costly, averaging a cost of $277 per stolen record. Employee negligence and system glitches persist as the remaining common sources of data loss. Such attacks and errors can result in significant financial penalties as a result of government investigations and enforcement actions, as well as private litigation and class actions. Perhaps even more dangerous for a company is the risk to its reputation after such a breach and the attendant media coverage. Companies need to consider and prepare for the growing likelihood of a cyber attack and data breach and take efforts to minimise their exposure and the resulting financial and reputational harm.

RC: Could you outline the principles of today’s data privacy laws, and the demands they place on companies to implement security measures and follow notification requirements? How challenging is it for companies to maintain regulatory compliance?

Kelly: The regulation of data privacy is a complex web of state, federal, and international law, making compliance a complicated endeavour. There are several federal laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Gramm-Leach-Bliley Act (GLBA), that govern various aspects of data privacy. Generally, these regulations require an array of healthcare providers, businesses and financial institutions to establish safeguards for private information and create data privacy policies. They also empower agencies to enforce these rules. In addition to the federal framework, a majority of states have enacted data breach notification laws.

