Legislative and regulatory mandates relating to cybersecurity for businesses are ever increasing. This reflects a growing concern over unlawful appropriation and misuse of a company’s sensitive information about its business, intellectual property, and customers, and information of third parties with whom the company does business or has contractual relationships.
Many states already have statutes with general cybersecurity requirements for protection of personally identifiable information of individuals. In Ohio, legislation is under consideration that will likely impose standards that businesses must adopt and implement in order to avoid liability when information systems are breached. Ohio already has a statute [Ohio Rev. Code Sec. 1349.19] that imposes disclosure and notice requirements on companies whose information system has been accessed in a manner that compromises the security of personal information. Failure to comply with Sec. 1349.19 can result in civil liability. Note that any business that engages in e-commerce is subject to this statute.
Many companies are parties to contracts that specify “compliance with all laws” or that prescribe applicability of the laws of a state other than Ohio, so it may not be just Ohio law that applies. There are federal laws that impose data security requirements on certain businesses and mandate disclosure and remedial action when security has been breached. States are enacting laws or regulations that are business or industry specific. In New York (effective March 2017), any business operating under a license, registration, permit or certification issued or required under the Banking Law, Insurance Law, or Financial Services Law of New York must meet new cybersecurity requirements. Colorado has a similar law, and other states are moving in this direction. The SEC is considering new enforcement actions for inadequate cybersecurity disclosures. Several federal agencies that use private contractors have strict cybersecurity requirements.
The imposition of data privacy and cybersecurity requirements on businesses is becoming increasingly pervasive. When the requirements are applicable, obligations for compliance and resultant liability for non-compliance, including failure to take remedial action, ensue. Additionally, there is the equally, if not more, important need for businesses to protect their intellectual property and trade secrets. Piracy, unauthorized disclosure, and misuse of these valuable assets can cause extreme financial loss to a business. Companies should audit existing data security practices and policies, determine compliance requirements of the business, and adopt policies and protocols for data security, remediation if there is a security breach, and legal compliance. Contact one of our business attorneys should you desire assistance from our Technology Group with your cybersecurity and data privacy concerns.
by Jack Butler, Partner, Carlile Patchen & Murphy