Data breach regulations are a “double-edged sword.” They are a necessary tool in the United States, especially as children increasingly rely on digital devices and applications for education, yet cyber criminals now weaponize these same laws to extort the very victims the laws are meant to protect.
Citizens benefit from the mandatory notifications, which enable them to protect their identities after a breach of their personal information. The notices also make people realize, from a source other than a Netflix documentary, that their personal information is collected and used commercially. Unfortunately, cyber criminals have realized that the embarrassment, business interruption, and lost goodwill that follow a data breach are the victim's minor problems. The bigger problems, especially for well-known entities, come from the regulatory backlash.
This past July, a hacking group that targeted unsecured MongoDB databases not only stole and deleted victim data but also left a ransom note threatening to report the victims for GDPR violations. According to ZDNet, almost 23,000 databases that had been left exposed on the public internet without authentication were wiped and replaced with the following ransom note:
"All of your data is a backed up. You must pay 0.015 BTC to [REDACTED] 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server."
While leaving a database on the internet without even password protection is gross negligence that deserves regulatory attention, the fact that hackers are capitalizing on these regulations, apparently without lawmakers’ notice, is disturbing.
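What “left unprotected on the public internet” looks like at the configuration level, as an added illustration that is not part of the original article or of any victim's actual configuration: a mongod.conf fragment in the exposed state, followed by a hardened equivalent. The private bind address, the certificate path and the mention of an administrator account are assumptions made for the example.

```yaml
# Added example (not from the article). Two separate mongod.conf documents,
# separated by the YAML document marker so each can be saved on its own.
#
# --- 1. Exposed: the pattern the 2020 ransom campaign scanned for ---
net:
  port: 27017
  bindIp: 0.0.0.0            # listens on every interface, including the public one
security:
  authorization: disabled    # default before 3.6-style hardening: anyone who can reach
                             # port 27017 can list, dump and drop every database
---
# --- 2. Hardened equivalent ---
net:
  port: 27017
  # Loopback plus the host's private application-network address only.
  # 10.0.0.5 is an assumed address; never include a public interface here.
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem   # placeholder path for the server cert+key
security:
  authorization: enabled     # every connection must authenticate as a created user
                             # (create an admin user over a local connection first)
```

Enabling `authorization` before any user exists locks everyone out except through MongoDB's localhost exception, so create an administrator over a local connection with `db.createUser(...)` first, then restart with the hardened file. The check a practitioner wants afterwards is external: from a host outside the private network, a connection attempt to the public address should be refused at the TCP level because the port is no longer bound there, and any connection that does reach the server should fail with an authentication error rather than return a database list.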
With cyber criminals only becoming more organized, hackers will increasingly target businesses in states with strict and punitive data breach notification laws. Aside from the states housing major industry centers (California, New York, Massachusetts, etc.), it is predicted that ransomware and malware attacks will rise in these three less obvious states:
Florida: Fla. Stat. § 501.171 defines a breach as the “[u]nauthorized access of data in electronic form containing personal information” and requires that notice to affected individuals be made “as expeditiously as practicable and without unreasonable delay.” Notice to Florida’s Department of Legal Affairs within 30 days is required for breaches affecting 500 or more individuals. For breaches affecting more than 1,000 individuals, the entity must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. Failure to comply carries civil penalties of up to $500,000.
Arizona: Ariz. Rev. Stat. § 18-551 et seq. defines a breach as the “unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information[.]” Notice to affected individuals is required within 45 days of determining that a breach occurred, and a breach affecting more than 1,000 individuals also requires notice to the “three largest nationwide consumer reporting agencies and to the Arizona Attorney General in writing, along with a copy of the notice sent to affected individuals.” For willful violations of the statute, the Arizona Attorney General may seek civil penalties “not to exceed the lesser of $10,000 per affected individual or the total amount of economic loss sustained by affected individuals,” with a “maximum civil penalty from a breach or series of related breaches” of $500,000. The Attorney General may also recover restitution for affected individuals.
South Dakota: SDCL §§ 22-40-19 to 22-40-26 define a breach as “the unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.” Notice to affected residents is required within 60 days of discovery, and the state attorney general must be notified when a breach involves more than 250 South Dakota residents. The attorney general may prosecute a compliance failure as a deceptive act and collect a civil penalty of up to $10,000 per day per violation, with no aggregate cap, along with attorneys’ fees.
Companies doing business in these states, or with their residents, should assess their cyber hygiene accordingly.