Cybersecurity Law Basics
Updated: Mar 3, 2020
In the last two years, a lot of people asked “What is cyber law?” I used to say that it was law concerning computers, online activity, privacy, and data security and would then watch clients, who did not consider themselves in the technology field, shrug. Now, I answer that it is the law of information sharing. For businesses and clients, cyber issues tend to arise in the following circumstances:
1) Data Breaches
After a hack, you have a decision to make – were you breached? Not every hack is a data breach. Do you have an obligation to report the breach to the Louisiana State Attorney General’s Office under the Louisiana Database Breach Notification Law? If you do business in other states, do you have notification obligations in those states? How much time do you have to decide? All 50 U.S. states require, in some form, an entity to report data breaches and send notifications to affected individuals. Failure to comply with these laws could result in lawsuits or fines from 50 state attorney general offices.
2) Sale/Purchase of Businesses
Business transactions often convey records with certain privacy protections. For example, buying or selling a medical clinic? The purchaser does not get to own the prior entity’s patient records under HIPAA’s privacy rules. Transferring patient records often requires a separate agreement and/or authorization from each patient. If the transaction will involve educational records, the buyer and seller must consider the implications and restrictions imposed by the Family Educational Rights and Privacy Act.
3) Evaluating a Cyber Insurance Policy
The purchase of cyber insurance is increasingly popular and there is room for negotiation. It is important to know what to ask for from the underwriter. For example, any entity seeking cyber insurance needs to demand coverage not just for itself, but also for vendor errors. Every entity should require data loss coverage, even when data is stored with a third party warranting the security of the storage. Entities are also strongly encouraged to seek retroactive coverage, sometimes referred to as a “tail,” to help prevent forensics from delaying coverage.
4) Law Enforcement Help
Building a relationship with law enforcement is so important in cyber. Louisiana takes this relationship seriously and passed its own version of the Cybersecurity Information Sharing Act to ensure that private entities can share cyber threat information and defensive measures with certain law enforcement entities without waiving legal privileges or inviting regulation.
5) Employee Discipline
What are the limits of employee monitoring on employer networks and equipment? Am I responsible for a rogue employee? Employee policies regarding use of employer equipment and technology should be clearly explained in a handbook or agreement. As to remedies, employers must be aware that they may be vicariously liable for actions taken by employees inside their network, so it is important to vet employees when deciding who has access to what information.