The Times They Are a Changin’

Many people say that Boards are not paying enough attention to cybersecurity.

It has also been very difficult to win lawsuits filed to collect damages after a cyber breach, because of the concept under Federal law of Article 3 standing.

But the times they are a changing, to quote Bob Dylan.

Change #1 – Under California’s new Consumer Protection Law (AB 375), due to go into effect in 2020, consumers have a private right of action in case of a breach and can collect up to $750 per person without having to show any damages – and more if they can show that it cost them more. Lose a million records and it could cost you $750,000,000.

Change #2 – Under Federal law a plaintiff has to show that they have been actually, specifically harmed in order to sue.  This is called Article 3 (as in Article 3 of the US Constitution) standing.  So what are lawyers doing?  Suing in state court.  Article 3 standing does not apply in state court (see #1 above and # below).

Change #3 – When The Walt Disney Company has its shareholder meeting next month in St. Louis, shareholders will be voting on the following shareholder resolution:

Note the resolution only asks that the Board CONSIDER adding cybersecurity and privacy metrics into senior executives’ comp plans. Disney management doesn’t want the resolution to pass because if they come back and say it is reasonable to add these metrics to executives’ comp plans and THEN actually create these metrics – well, then they could tie these executives’ paychecks to security and privacy – and negatively in the case that the company is breached. I assume that it is unlikely to pass, but who knows. (Source: SecureWorld Expo)

And finally, change #4 – The 9th US Circuit Court of Appeals says that “federal appellate courts have reached a near-consensus in the past few years about whether the victims of corporate data breaches meet constitutional requirements to sue.” They go on to say “the circuit courts now agree that plaintiffs need only allege an increased risk of identity theft to establish their constitutional right to sue the businesses that left their personal information vulnerable to hackers.”

The Supremes may (or may not) have the last word in this, but they have not decided if they will, yet. (Source: Reuters)

Bottom line, it is definitely becoming riskier for companies to not treat cybersecurity as a key business issue at the Board level, which also means that cyber-risk insurance is becoming more important than ever.