
ONCE MORE UNTO THE BREACH: LEGAL AND ETHICAL ISSUES IN CYBERSECURITY

Brent D. Craft, J.B. Lind, Jacob D. Mahle, and Eric W. Richardson

I. RECENT BREACHES AND CURRENT CYBERSECURITY THREATS

The proliferation of Internet use has transformed business models and driven economic growth. But it has also introduced new threats to data security, which continue to increase in frequency and magnitude. Nearly five billion records were compromised in 2018 through over 50,000 incidents and 6,515 reported data breaches. The victims of these breaches run the gamut, affecting entities in the healthcare industry, financial services industry, hospitality (hotels and restaurants), retail, and the public sector. In 2018, 58 percent of the victims of data breaches were considered small businesses.

Cyberattacks have been estimated to cost the global economy more than $450 billion per year. The average total cost of a data breach in 2018 was $3.86 million, with the average cost per lost or stolen record being estimated at $148. These costs manifest themselves in a variety of ways:

• Detection and Escalation: Activities that allow a company to detect and report the breach to appropriate personnel within a specified time period (e.g., forensic investigation activities, audit services, crisis team management, communications).

• Notification Costs: Activities that allow the company to notify individuals who had data compromised in the breach (e.g., newsletters, telephone calls, emails).

• Post-Data Breach Response: Processes that help affected individuals or customers communicate with the company and costs associated with redress and reparation with data subject regulators (e.g., legal expenditures, credit reporting, issuing new accounts).

• Lost Business Cost: Activities associated with the cost of lost business, including customer churn, business disruption, and system downtime (e.g., cost of business disruption, cost of lost customers, reputational loss).

A. Large Breaches in 2018

The following list illustrates the broad range of entities and industries hit by large breaches in 2018. The numbers listed with each breach denote the number of individuals affected by the breach.

1. Saks and Lord & Taylor (Retail) – 5 million (April 1, 2018).

A hacking group infected the retailers’ point-of-sale systems with malware that was likely installed through phishing emails and stole credit card numbers. The hackers announced that they planned to sell the credit card numbers on the dark web.

2. Sacramento Bee (News Service) – 19.5 million (February 7, 2018).

A hacker seized a voter registration database that the newspaper had obtained from the state for reporting purposes, and another internal database containing subscriber information. The databases included names, addresses, email addresses, phone numbers, political party affiliations, dates of birth, and places of birth.

3. Timehop (Smartphone App) – 21 million (July 8, 2018).

An attacker gained access to the app’s cloud computing environment, which was not protected with two-factor authentication. The breach exposed the names, email addresses, dates of birth, phone numbers, and other personal information of app users.

4. Facebook (Social Media) – 29 million (September 28, 2018).

Hackers exploited a vulnerability in a feature of Facebook’s platform (“View As”), which allowed them to steal users’ “access tokens” (the credentials that keep a user logged in) and use those tokens to take over the users’ accounts. Included in the breach were users’ names, phone numbers, email addresses, and other personal information collected by Facebook.

5. Panera Bread (Restaurant) – 37 million (April 2, 2018).

A reported database leak resulted in the disclosure of records for customers who had signed up for accounts to order food online via panerabread.com; the records could be retrieved from the website without authentication. The leak revealed customers’ names, addresses, email addresses, dates of birth, and last four digits of credit card numbers. Panera disputed the reported scope of the leak (claiming that it affected only 10,000 customers) but acknowledged the security flaw that resulted in the leak.

6. Marriott (Hospitality/Hotel) – 500 million (November 30, 2018).

After being alerted to an attempted intrusion into the Starwood reservation database, Marriott discovered that its reservation system had been compromised since 2014. Through the long-term attack, hackers stole the personal information of up to 500 million guests, including their names, addresses, phone numbers, email addresses, passport numbers, dates of birth, and other personal information.


B. Recent Data Breach Enforcement Actions

1. NYDFS/Equifax (June 2018).

On June 27, 2018, just days after the NYDFS announced its finalized regulations that extend its cybersecurity measures to credit reporting agencies, it announced a consent order entered into with Equifax. Equifax is required to submit to regulators a list of all planned, in process, or implemented remediation projects; an independent party must test the controls related to remediation efforts and report on the effectiveness of those controls. The company must also provide quarterly written reports to regulators on the progress of its compliance with the provisions of the order. NYDFS was joined in the consent order by banking regulators in Alabama, California, Georgia, Maine, Massachusetts, North Carolina, and Texas.

2. SEC/Voya Financial Advisors Inc. (September 2018).

In September 2018, Voya Financial Advisors Inc. (“Voya”), a broker-dealer and investment adviser, agreed to pay $1 million to settle charges for cybersecurity failures that led to a cyber intrusion that compromised thousands of customers’ personal information. Over a six-day period in 2016, the hackers infiltrated Voya’s proprietary web portal by impersonating Voya’s contractors: they called Voya’s support line and requested that the contractors’ passwords be reset. The hackers used the new passwords to gain access to the personal information of 5,600 Voya customers. The improperly accessed customer information was then used to create new online customer profiles and to obtain unauthorized access to account documents for three customers.

The SEC charged Voya with violating Regulation S-P (the Safeguards Rule) and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft. The SEC also stated that Voya failed to adopt written policies and procedures reasonably designed to protect customer records and information, as well as failing to develop and implement a written Identity Theft Prevention Program. The SEC’s order also found that Voya’s failure to terminate the hackers’ access to its portal and systems resulted from weaknesses in Voya’s cybersecurity procedures, some of which had been exposed during prior similar attacks. The SEC also found that Voya failed to apply its cybersecurity procedures to the systems used by its independent contractors.

This was the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule. According to Robert Cohen, chief of the SEC Enforcement Division’s Cyber Unit, this case serves as “a reminder to brokers and investment advisors that cybersecurity procedures must be reasonably designed to fit their specific business models,” and “[t]hey also must review and update the procedures regularly to respond to changes in the risks they face.”

C. High-Dollar Data Breach Settlements in 2018

As noted above, high-volume data breaches and violations of data security and notification requirements come with significant costs. Below are just a few of the high-dollar settlements from 2018 and early 2019 that are associated with cybersecurity and data breach issues.

1. Uber – $148 million.

In September 2018, following investigations by state attorneys general, Uber agreed to pay a record $148 million to all 50 states and the District of Columbia to settle claims arising from a 2016 data breach that involved (1) the theft of over 57 million riders’ and drivers’ personal data; and (2) Uber’s subsequent payment to the hackers for deletion of the data and their silence, rather than properly reporting the breach.

2. Anthem – $115 million.

In 2018, a federal district court in California approved a $115 million settlement by Anthem to resolve several class actions resulting from the theft of Anthem plan members’ names, dates of birth, health insurance information, Social Security numbers, and other data elements.

3. Yahoo! – $85 million.

In October 2018, Yahoo agreed to pay $85 million in damages and attorney fees to settle litigation over the breach of its email service in 2013. However, in January 2019, a federal judge denied approval of the settlement, stating that the lack of details regarding the total amount of the settlement rendered it insufficient.

4. Experian – $22 million.

In January 2019, Experian reached a settlement in the amount of $22 million to resolve a consolidated class action regarding a breach of its systems in 2015.

D. Data Breach/Cybersecurity Threats and Technological Trends

Data breaches occur through the use of a variety of methods, all of which represent significant threats to any business, entity, or individual who transmits or receives sensitive, personal, and/or confidential information. These threats come in many forms – physical devices, hacking, malicious software – and cybercriminals are constantly working to enhance their techniques to evade the security measures that are developed to address these threats.


1. Physical threats.

Skimmers and shimmers physically copy credit, ATM and debit card information. These devices can be bought online – there is a low barrier to entry for those seeking to obtain personal data through the use of these devices. Shimmers, wafer-thin versions of skimmers that sit inside the card slot itself, represent cybercriminals’ answer to the security chip integrated into credit cards. A shimmer records the data exchanged with the chip; that data is chiefly useful to a fraudster where a card issuer fails to check the chip-specific verification value when a cloned magnetic-stripe card built from it is used.

As awareness of the threat posed by skimmers and shimmers has increased, data thieves are developing new methods by which they can steal payment information at points of sale. Fraudsters will sometimes install pinhole-sized cameras in brochure holders, light bars, mirrors or speakers on ATMs to capture PINs as they are entered. Once the fraudsters collect the PINs and the card numbers, they have enough information to compromise the cards. Some cyber thieves will also use keypad overlays to capture PINs as they are entered. Through Bluetooth technology, the cybercriminals can receive and download the captured video, images, and information from a short distance away.

2. Hacking.

Hacking still represents the most commonly used tactic to breach systems and steal personal information and payment data – 57 percent of the data breaches in 2018 featured some form of hacking. Below are some of the newer methods that hackers are using to obtain personal data and payment information.

a. Formjacking.

Formjacking is essentially a virtual skimming technique in which hackers plant malicious JavaScript code on an eCommerce site, either in the site’s own pages or in a third-party script the site loads. The code copies credit card details and other information as customers type them into payment forms on the checkout web pages and sends the captured data to a server the attackers control.

The use of this hacking technique trended upward in 2018. Nearly 5,000 unique websites were compromised with formjacking code every month in 2018. With data from a single credit card selling for up to $45 on underground markets, just 10 credit cards stolen from each of those compromised websites could yield up to $2.2 million for cyber criminals each month. The appeal of formjacking for cyber criminals is clear.
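A formjacking script depends on two things a browser grants by default: permission to run on the checkout page and permission to send the captured fields to a host the attackers control. A Content-Security-Policy that pins script-src, connect-src and form-action to known origins removes both, and whether a given policy would actually stop an observed exfiltration target can be checked offline. The Python below is an added example, not code from the paper or from any vendor: it evaluates a CSP header against the origins a checkout page was observed contacting. The hostnames, policies and observed requests are constructed sample data, and the source-expression matching is simplified (ports and paths in host-sources are ignored).

```python
from urllib.parse import urlparse

# Directives that fall back to default-src when absent. form-action deliberately
# does not: if it is missing, the browser allows any form submission target.
FALLS_BACK_TO_DEFAULT = {"script-src", "connect-src", "img-src", "frame-src"}
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source, ...]}.
    When a directive is repeated, the first occurrence wins, as in browsers."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # "*.example.com" matches subdomains, not the bare apex.
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def _source_allows(expr: str, url: str, page_origin: str) -> bool:
    """Does one CSP source expression permit a fetch/submission to url?
    Simplified: port and path components of host-sources are ignored."""
    expr = expr.lower()
    target = urlparse(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        origin = urlparse(page_origin)
        return (target.scheme, target.hostname, target.port) == (
            origin.scheme, origin.hostname, origin.port)
    if expr == "*":
        return target.scheme in NETWORK_SCHEMES
    if expr.startswith("'"):
        return False  # nonces, hashes and 'unsafe-inline' never match a URL
    if expr.endswith(":") and "://" not in expr:
        return target.scheme == expr[:-1]  # scheme-source such as "https:"
    scheme, _, host_part = expr.partition("://") if "://" in expr else ("", "", expr)
    host = host_part.split("/")[0].rsplit(":", 1)[0]
    if scheme and target.scheme != scheme:
        return False
    return _host_matches(host, target.hostname or "")


def is_allowed(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no governing directive: the browser restricts nothing
    return any(_source_allows(s, url, page_origin) for s in sources)


def audit_checkout(csp_header: str, page_origin: str, observed):
    """observed: (directive, url) pairs gathered from the checkout page, i.e.
    script loads, fetch/XHR/beacon destinations and form action targets.
    Returns the pairs the policy would block."""
    policy = parse_csp(csp_header)
    return [(d, u) for d, u in observed if not is_allowed(policy, d, u, page_origin)]


# Constructed sample data (hypothetical hosts, not taken from any real incident).
PAGE_ORIGIN = "https://shop.example"
STRICT_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
              "connect-src 'self'; form-action 'self'")
LAX_CSP = "default-src *"
OBSERVED = [
    ("script-src", "https://cdn.example.com/checkout.js"),     # legitimate
    ("script-src", "https://shop.example/static/app.js"),       # legitimate
    ("connect-src", "https://shop.example/api/pay"),            # legitimate
    ("connect-src", "https://stats.attacker.example/collect"),  # skimmer exfiltration
    ("form-action", "https://forms.attacker.example/submit"),   # hijacked form target
]

if __name__ == "__main__":
    for name, csp in (("strict", STRICT_CSP), ("lax", LAX_CSP)):
        print(name, "policy blocks:", audit_checkout(csp, PAGE_ORIGIN, OBSERVED))
```

Run against the strict policy, the two attacker destinations are blocked and the legitimate ones pass; against the lax policy nothing is blocked, because default-src * still permits any network host and form-action has no fallback at all. The check is only as good as the inventory fed to it, so gather the observed pairs from a real crawl of the checkout flow (or from CSP violation reports) rather than from documentation.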

b. Trojan horses.

Computer Trojan horses are a class of infiltrations that present themselves as useful programs, which tricks users into downloading and running them. Their purpose is to infiltrate as unsuspiciously and easily as possible so as to avoid detection. “Trojan horse” denotes a very broad category of malicious programs, and it is often divided into many subcategories.

• Downloader – A malicious program with the ability to download other infiltrations from the Internet.

• Dropper – A type of Trojan horse designed to drop other types of malware onto compromised computers.

• Backdoor – An application which communicates with remote attackers, allowing them to gain access to a system and to take control of it.

Trojan horses usually take the form of executable files, and we are beginning to see them show up in smartphone apps. A prime example is a Trojan horse officially named Android.TechnoReaper, which hides under several “legit” Android apps that supposedly allow users to deploy several font types not usually found on their smartphones. Users agree to download and install a simple font right from the menu of the app, but the download link actually redirects to a spyware app hosted on a private server. Thus, without their explicit permission, users would indeed install the desired font but also a dangerous spyware program.

c. Artificial intelligence (“AI”).

Hackers are beginning to use Artificial intelligence (“AI”) to enhance their hacking techniques and broaden their reach.

An example is spear phishing, which uses carefully targeted digital messages to trick people into installing malware or sharing sensitive data. Hackers use machine-learning models to better match humans in crafting convincing fake messages (e.g., emails that appear to be from employers and/or co-workers). AI programs can also be used to continuously produce and send these spear-phishing emails on an automated basis, thereby blanketing organizations on a more widespread basis and at a faster rate.

Hackers also use AI to help design malware that is capable of evading “sandboxes,” the isolated analysis environments in which security tools run suspicious code and observe its behavior before it is allowed into companies’ systems.


3. Ransomware/denial-of-service attacks.

Ransomware attacks deploy malicious software designed to block access to a computer system or its data, typically by encrypting files, until a sum of money is paid. Denial-of-service (DoS) attacks flood a system with traffic that overloads it and makes it unavailable; when that traffic comes from many sources at once, the attack is a distributed denial-of-service (DDoS) attack. A number of hospitals have been hit, as they are targets that must recover services immediately.

• Examples of recent “ransomware/DoS” attacks:

o East Ohio Regional Hospital (EORH) (Martins Ferry, OH) and Ohio Valley Medical Center (OVMC) (Wheeling, WV) (November 2018).

The ransomware attack affected the hospitals’ systems over the course of two days. During this time, the hospitals were forced to limit emergency room admissions to walk-up patients only and send patients to nearby hospitals. In order to address and remove the software, and as a precautionary measure to limit the spread of the malware, the hospitals’ systems were taken offline and staff switched to paper charting to keep patient information secure.

o GitHub (February 2018).

GitHub – a popular online code management service used by millions of developers – was the victim of a DDoS attack in which its servers were flooded with data traffic that took down its systems. The attackers used memcached amplification (a reflection attack): small requests carrying a spoofed source address, that of the victim, are sent to memcached servers exposed on the Internet, and each server replies to the victim with a response many times larger than the request. Memcached is a caching service commonly used to speed up websites and applications; instances left reachable from the public Internet over UDP have recently been weaponized by DoS attackers.

o Dutch banks ABN AMRO, ING and Rabobank (January 2018).

Three Dutch banks were simultaneously hit by a DDoS attack, which resulted in timed-out websites and slowed response times. The attack specifically affected the banks’ mobile and internet banking systems, which ran extremely slowly or became entirely unavailable. The same attack also hit the Dutch national tax office, which went dark for about five to 10 minutes.


Data security experts believe that cloud computing businesses, which house significant amounts of data for companies, are becoming bigger targets for ransomware and DoS attackers. The biggest cloud operators, like Google, Amazon, and IBM, have a wealth of resources and large data security departments at their disposal, but smaller data storage companies are likely to be more vulnerable to attacks that could bring their entire business to a halt by blocking customers’ access to their stored information.

4. Carelessness.

Weak passwords make for easy targets. Roughly 80 percent of hacking-related data breaches are attributed to stolen or weak passwords. In 2015, Hacking Team, an IT security firm, was infamously breached, and the leaked data showed that one of its engineers used passwords such as “P4ssword.”

Some of the most common passwords of 2018 included:

123456, password, 123456789, 12345678, 12345, 111111, 1234567, sunshine, qwerty, iloveyou, princess, admin, welcome, 666666, abc123, football, 123123, monkey, 654321, !@#$%^&*, charlie, aa123456, donald, password1, qwerty123.
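Lists like the one above are only useful if the login or account-creation path actually rejects what is on them. The Python below is an added example, not code from the paper: it implements the NIST SP 800-63B approach of screening a candidate password against a denylist of commonly used or compromised values instead of composition rules, catches trivial variants such as “P4ssword” or “sunshine2019”, and shows the k-anonymity range-query pattern used by the Pwned Passwords API (only the first five hex characters of the SHA-1 hash are sent; the server response is fabricated locally here so the example runs offline). The denylist is a constructed subset seeded from the list above; a real deployment loads a far larger breach-derived corpus.

```python
import hashlib
import re

# Denylist seeded from the 2018 list quoted above (constructed subset; a real
# deployment loads a much larger breach-derived corpus).
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "12345", "111111",
    "1234567", "sunshine", "qwerty", "iloveyou", "princess", "admin",
    "welcome", "666666", "abc123", "football", "123123", "monkey", "654321",
    "!@#$%^&*", "charlie", "aa123456", "donald", "password1", "qwerty123",
}

# Character substitutions that add no real strength ("P4ssword" is "password").
_LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})
_TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def candidate_forms(password: str) -> set:
    """Forms of the password to compare against the denylist: lowercased,
    with trailing digits/punctuation stripped, with and without de-leeting."""
    base = password.strip().lower()
    stripped = _TRAILING_JUNK.sub("", base)
    forms = {base, base.translate(_LEET), stripped, stripped.translate(_LEET)}
    return {f for f in forms if f}


def check_password(password: str, min_length: int = 8):
    """Return (accepted, reason). Mirrors NIST SP 800-63B section 5.1.1.2:
    enforce a minimum length and reject values found on a list of commonly
    used or compromised passwords, without imposing composition rules."""
    if len(password) < min_length:
        return False, "too short"
    for form in sorted(candidate_forms(password)):
        if form in COMMON_PASSWORDS:
            return False, "matches common password '%s'" % form
    return True, "ok"


def range_prefix(password: str) -> str:
    """First five hex digits of SHA-1(password): the only thing sent to a
    Pwned-Passwords-style range API (https://api.pwnedpasswords.com/range/<prefix>)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()[:5]


def pwned_count(password: str, range_response: str) -> int:
    """Given the server's response for that prefix ('SUFFIX:COUNT' per line),
    match the rest of the hash locally. The password itself never leaves the host."""
    suffix = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()[5:]
    for line in range_response.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def constructed_range_response(entries) -> str:
    """Fabricate a range response for offline testing (constructed data, not
    real API output): entries is an iterable of (password, count) pairs."""
    return "\n".join(
        hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()[5:] + ":" + str(n)
        for pw, n in entries)


if __name__ == "__main__":
    for pw in ("P4ssword", "sunshine2019", "123456", "correct horse battery staple"):
        print(repr(pw), check_password(pw))
    fake = constructed_range_response([("password1", 2413945), ("welcome", 130000)])
    print("prefix sent:", range_prefix("password1"),
          "count returned:", pwned_count("password1", fake))
```

The variant handling is deliberately narrow: it de-leets and strips a trailing run of digits or punctuation, which is where most "policy-compliant" weak passwords come from, but it is no substitute for checking the full candidate against a large compromised-password corpus, which is what the range query is for.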

II. EMERGING LEGAL TRENDS

A. Data Breach Notification Laws

After South Dakota and Alabama passed laws in 2018, all 50 states have data breach notification laws, along with U.S. Territories such as Puerto Rico, Guam, and the U.S. Virgin Islands. These laws define what constitutes a breach and what constitutes personally identifiable information – important definitions that typically trigger requirements under the law. Further, the laws define safe harbors, notification methods, the parties to whom notification should be made (e.g., consumers, law enforcement, state AG, regulators), and enforcement/penalty provisions.

1. Kentucky Notification Law, KRS 365.732.

The Kentucky Notification Law (KRS 365.732) became effective in July 2014. KRS 365.732(1)(b)-(c) defines information holder as “any person or business entity that conducts business in this state.” It also defines “Personally Identifiable Information” as a person’s first name/first initial and last name in combination with one or more other element such as: Social Security number, driver’s license number, account number or credit or debit card number in conjunction with any required security code, access code, or password.

KRS 365.732(1)(a) defines a breach as an “unauthorized acquisition” of “unencrypted and unredacted data” that “compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder” AND “actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident.”

Disclosure must be made “following discovery or notification of the breach, to any resident of Kentucky whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” KRS 365.732(2). Disclosure must be made “in the most expedient time possible and without unreasonable delay.” Id. Delay may be permissible if law enforcement determines notification will “impede criminal investigation.” KRS 365.732(4). If more than 1,000 persons must be notified at one time, the information holder must also notify all consumer reporting agencies and credit bureaus. KRS 365.732(7).

Notification may be provided through written notice or electronic notice if consumers have consented to receiving such notice consistent with the requirements of 15 U.S.C. §7001. KRS 365.732(5). Also, if cost of notice exceeds $250,000 or a class of people is greater than 500,000, substitute service can be made by email, conspicuous posting on a website, or through major statewide media. Id.

Kentucky’s Notification Law does not include enforcement mechanisms, penalties, or allow for a private right of action. Plaintiffs must rely on separate statutory or common law remedies to bring claims for violating the law. See Savidge v. Pharm-Save, Inc., No. 3:17-CV-00186-TBR, 2017 U.S. Dist. LEXIS 197635, 2017 WL 5986972 (W.D. Ky. Dec. 1, 2017).

Notably, Kentucky’s House Standing Committee on Small Business and Information Technology took up consideration in February 2019 of revising Kentucky’s data breach laws.

2. Personal Information Security and Breach Investigation Procedures and Practices Act, KRS 61.931-61.934.

Existing law, enacted Jan. 1, 2015, requires agencies of Kentucky state and local governments to implement policies and procedures to protect confidential, sensitive personal information and to notify individuals if their information has been compromised. Within 72 hours of a breach, appropriate parties must be notified, which include the Commissioner of the Kentucky State Police, Auditor of Public Accounts, and the Attorney General. The agency also must conduct a reasonable and prompt investigation to determine whether the breach “has resulted in or is likely to result in the misuse of personal information.”

After investigation, if it is determined that a breach occurred, the agency must provide notice to affected individuals within 35 days. As with the Kentucky Notification Law, notice shall not be made if it would impede a criminal investigation. Notice is not required for personal information that was/is: redacted, disclosed to a government entity, publicly available, consented to be made available, or in a court document.

The Attorney General may bring an action in Franklin Circuit Court against any agency for injunctive relief and/or legal remedies to enforce this law, but it does not create a private right of action.

Agencies also must establish and implement “reasonable security and breach investigation procedures and practices,” which must be written and in accordance with policies of the Commonwealth Office of Technology. Legislative and judicial branches of the government must also implement reasonable security breach investigation procedures and practices, including taking appropriate corrective action to safeguard against such breaches.

3. Recent revisions and amendments to data breach notification laws.

a. Trend towards more stringent notification laws.

In 2018, several states joined a growing trend by revising their notification laws to include explicit deadlines for notifying affected individuals, as opposed to simply requiring that entities do so without unreasonable delay. For example, Colorado enacted a 30-day deadline for notifying affected individuals while Alabama, Arizona, and Oregon all passed legislation requiring notification within 45 days of discovery of a breach, and Louisiana and South Dakota implemented a 60-day deadline.

b. Recent overhaul of Massachusetts notification law.

States have begun enacting increasingly stringent notification laws. Once new requirements are imposed in one state, they soon spread to other states as legislatures continue to expand the protections available to their residents and to add obligations to entities that hold their residents’ personal information.

For example, Massachusetts recently amended its data breach notification law, expanding the information that must be reported to Massachusetts regulators in connection with a data breach involving the personal information of Massachusetts residents, imposing new requirements on compromised entities, and adding clarification to when entities are required to issue notice of a breach. These changes took effect on April 11, 2019. The changes to the Massachusetts data breach notification law are novel in nature and represent a trend toward more stringent requirements that could be adopted by more states as the threat of data breaches continues to increase.

Under the amendment, entities that have experienced a data breach involving the personal information of Massachusetts residents are required to inform the Massachusetts Office of the Attorney General and the Office of Consumer Affairs and Business Regulation “whether the person or agency maintains a written information security program” (WISP). Existing Massachusetts law requires “[e]very person that owns or licenses personal information about a resident of the Commonwealth [to] develop, implement, and maintain a comprehensive information security program.” 201 CMR §17.03(1). This new requirement will provide Massachusetts regulators with a mechanism to penalize entities who have failed to implement a compliant WISP.

Additionally, Massachusetts is now the fourth state to require companies to provide free credit monitoring services to affected individuals in data breaches involving Social Security numbers. California and Delaware require at least one year of credit monitoring services when Social Security numbers are compromised, Connecticut requires two years, and Massachusetts now requires 18 months. Interestingly, in the wake of recent breaches at credit reporting agencies, the amendment requires breached credit reporting agencies to provide 42 months of free credit monitoring services when Social Security numbers are involved. Further, affected individuals cannot be required to waive their right to a private right of action as a condition to receive the credit monitoring services.

The amendment also changes the contents required in breach notifications. For example, companies must now disclose to Massachusetts regulators the types of personal information compromised in the breach. Companies must also inform affected residents that they have the right to place a security freeze on their credit reports at no charge. Additionally, if a subsidiary is breached, the notification to affected residents must now include the name of the parent or affiliated corporations.


Finally, the amendment clarifies that notice cannot be delayed on grounds that the total number of residents affected by the breach is not yet known. Rather, companies must give notice “as soon as practicable and without unreasonable delay” once an entity “knows or has reason to know” of a breach of a resident’s personal information.

B. Ohio Data Protection Act

On August 3, 2018, Governor John Kasich signed Senate Bill 220, also known as the Ohio Data Protection Act (O.R.C. §1354). Under the Act, eligible organizations may rely on their conformance to certain cybersecurity frameworks as an affirmative defense against tort claims in data breach litigation. The Act is intended to provide organizations with a legal incentive to implement written cybersecurity programs.

In order to qualify for this new defense, the organization must implement a written cybersecurity program designed to (1) protect the security and confidentiality of personal information; (2) protect against anticipated threats or hazards to the security or integrity of personal information; and (3) protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud. The scale of the cybersecurity program should be appropriate to the organization based on its size and complexity, the nature and scope of its activities, the sensitivity of the personal information protected under the program, the cost and availability of tools to improve its information security, and the resources available to the organization.

Additionally, the organization’s cybersecurity program must “reasonably conform” to one of the following cybersecurity frameworks:

• National Institute of Standards and Technology’s (NIST) Cybersecurity Framework;

• NIST special publication 800-171, or 800-53 and 800-53a;

• Federal Risk and Authorization Management Program’s Security Assessment Framework;

• Center for Internet Security’s Critical Security Controls for Effective Cyber Defense;

• International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards.

For organizations that accept payment cards, their cybersecurity programs must also comply with the Payment Card Industry’s Data Security Standard (PCI-DSS) to qualify for the affirmative defense. Similarly, organizations subject to certain state or federally mandated security requirements may also qualify, such as the security requirements in the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Modernization Act (FISMA), or the Health Information Technology for Economic and Clinical Health Act (HITECH).

The legislation expressly states that it does not “create a minimum cybersecurity standard that must be achieved” or “impose liability upon businesses that do not obtain or maintain practices in compliance with the act.” Rather, it seeks “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”

This law is the first in the nation to incentivize businesses to implement certain cybersecurity controls by providing them with an affirmative defense. Many of the specified frameworks, like the NIST Cybersecurity Framework, do not have a standard certification process, so proving that a security program conforms to the applicable framework may be difficult in some circumstances. Conformance is also a moving target: the Act requires the program to keep pace with revisions to the chosen framework, so an organization that adopts a framework and then lets its program go stale may find the defense unavailable when it is needed.

C. Equifax and Associated Legislation

The May-July 2017 Equifax breach compromised 147.9 million Americans’ names, Social Security numbers, birth dates, addresses, and driver’s license numbers. The breach affected 40 percent of Kentucky families. It prompted the attorneys general in various states to submit proposals for strengthening data breach protections and remedial measures.

One such measure was signed into law by Governor Bevin on March 30, 2018. House Bill 46 amended KRS 367.365 to allow for security freezes to be requested by methods established by consumer reporting agencies, and to allow consumers to request a replacement personal identification number or password in the same manner as the original security freeze request. The law became effective immediately, as the text notes that security breaches and the risk of identity theft are on the rise.

On March 29, 2018, the Colorado governor signed HB 1233, which authorizes a parent or legal guardian to request that a credit reporting agency place a security freeze on a protected consumer’s credit file. The law defines “protected person” to include a minor under 16 years of age or an individual who is a ward of the legal guardian. According to HB 1233, if no credit file exists for the protected consumer, the credit reporting agency is required to create a record and then initiate the security freeze on that record without charge. Additionally, among other things, the law prohibits the charging of a fee for the “placement, temporary lift, partial lift, or removal of a security freeze” on a protected consumer’s credit file and allows a protected consumer to remove the security freeze if they demonstrate the representative’s authority is no longer valid. HB 1233 became effective on January 1, 2019.


D. California Consumer Privacy Act of 2018

The California Consumer Privacy Act (“CCPA”) was enacted on June 28, 2018, and further amendments to the CCPA were enacted on September 23, 2018. The CCPA becomes effective on January 1, 2020.

The key components of the CCPA include new consumer rights as well as new compliance obligations for covered businesses. Consumers are provided the right to obtain their personal information collected by businesses in the prior 12 months and are entitled to know the categories of personal information collected, sold, and disclosed by the business, the categories of third-party recipients who received the personal information, and the uses of the consumer’s personal information. Consumers are further afforded the right to obtain deletion of personal information and to opt out of the sale of personal information. On the compliance side, businesses are required to assess and document data practices related to the collection, disclosure, and use of personal information and to publish specific contact information to allow consumers to exercise their rights.

The act broadly applies to “businesses,” defined to include any for-profit legal entity (e.g., corporation, partnership, LLC) that does business in the State of California, that collects consumers’ personal information, and that meets one of the following thresholds:

• Has gross revenue in excess of $25,000,000;

• Buys, receives, or sells for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or

• Derives 50 percent or more of its revenue from selling consumers’ personal information.

See Cal. Civ. Code §1798.140(c).

The CCPA also broadly defines “Personal information” and includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” See Cal. Civ. Code §1798.140(o).

The Act creates a private right of action for any consumer whose “nonencrypted or nonredacted” personal information is subject to unauthorized access and exfiltration “as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate…to protect the information.” See Cal. Civ. Code §1798.150(a)(1). Specifically, under the Act, an affected consumer may institute a civil action to recover:


• Actual damages, or statutory damages of between $100 and $750 per consumer per incident, whichever is greater;[1]

• Injunctive and declaratory relief; and

• Any other relief the court deems proper.

See Cal. Civ. Code §1798.150(a)(1)(A)-(C). This section of the Act recognizes the ability of a consumer to bring a civil action individually, or on a class-wide basis, if certain notice requirements are met. See Cal. Civ. Code §1798.150(b).

In addition to a private right of action, the CCPA also provides for administrative enforcement with penalties up to $2,500 ($7,500 if intentional) per violation. See Cal. Civ. Code §1798.155(b).

E. European Union (EU) General Data Protection Regulation (GDPR)

The EUGDPR was approved by the EU Parliament on April 14, 2016, and replaces the former Data Protection Directive. The regulatory scheme has the goal of harmonizing data privacy across the EU and updating the prior directive, which was issued in 1995. The comprehensive regulation is a binding act that must be followed in its entirety by all organizations that process EU residents’ personal data, regardless of location. Enforcement began on May 25, 2018.

The EUGDPR covers and contains a broad definition of “Personal Data.” Under the regulation, “Personal Data” is any data related to a natural person that can be used to directly or indirectly identify that person. This includes a person’s:

• Name

• Email address

• Social network posts

• Uploads of images

• IP address

The EUGDPR establishes a number of rights with regard to persons and their data. These rights include:

[1] The average data breach in the United States compromises approximately 31,465 records. See https://www.ibm.com/security/data-breach. With statutory damages of between $100 and $750 per consumer per incident, a breach of that many California-based consumer records could cost between $3.15 million and $23.6 million in statutory damages alone.


• Right to be forgotten: the right to require an organization to delete an individual's personal data without undue delay

• Right to object: the right to prohibit certain data uses

• Right to rectification: the right to require that incomplete data be completed or that incorrect data be corrected

• Right of access: the right to know what data about the individual is being processed and how

• Right of portability: the right to request that personal data held by one organization be transported to another organization

These rights must be accommodated by “data controllers,” which the regulation defines as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”

The EUGDPR establishes a number of data security requirements with which data controllers and data processors must comply. A data processor is defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

The default rule under the EUGDPR security requirements is that data controllers and data processors should ensure that only personal data necessary for each specific purpose of processing is actually processed. Factors to be considered when determining compliance with this default rule include:

• Amount of personal data collected

• Extent to which personal data is processed

• Duration personal data is stored

• Access controls around personal data

Controllers and processors are required to “implement appropriate technical and organizational measures” that take into account “the state of the art and costs of implementation” and nature of the processing and risks presented. Thus, controllers and processors must stay abreast of technological advancements, techniques, and risks in the area of data security, and be able to implement security actions that appropriately address and respond to risks as they emerge. The regulation includes several specific suggestions as to the types of security actions that might be considered “appropriate to the risk,” including:


• Pseudonymization and encryption of personal data;

• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

• A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational security measures.
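As an added example that is not part of the original article (and not the authors' code), the following Python illustrates the first measure in the list, pseudonymization, together with a caveat practitioners run into: replacing an identifier with a bare hash is not effective pseudonymization, because a low-entropy identifier such as an email address can be recovered by enumerating guesses. Under the GDPR definition (Article 4(5)), pseudonymized data can be attributed to a person only with additional information that is kept separately; here that additional information is a secret HMAC key. The sample records, the attacker's guess list, the key, and all function names are constructed for this example.

```python
"""Keyed pseudonymization versus bare hashing.

Added example; it is not part of the original article and is not the
authors' code. It illustrates the "pseudonymization" measure named above:
under the GDPR definition (Article 4(5)), pseudonymized data may no longer
be attributed to a person without "additional information" that is kept
separately. Here that additional information is a secret HMAC key. All
sample records, identifiers and the key below are constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Sequence

# Constructed sample records (fictional people).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "diagnosis": "flu"},
    {"email": "bob@example.com", "diagnosis": "asthma"},
    {"email": "alice@example.com", "diagnosis": "sprain"},
]

# Constructed list of identifiers an attacker might guess (a customer list,
# a leaked mailing list, or simply common name@domain patterns).
ATTACKER_GUESSES: List[str] = [
    "carol@example.com",
    "alice@example.com",
    "dave@example.com",
]


def unkeyed_pseudonym(identifier: str) -> str:
    """The weak approach: a bare SHA-256 of the identifier.

    Deterministic, so records about the same person still line up, but
    anyone who can guess candidate identifiers can recompute the digest
    and re-identify the record. No secret is needed, so nothing is
    "kept separately".
    """
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """The stronger approach: HMAC-SHA256 under a secret key.

    Same identifier -> same pseudonym, so joins and counts across records
    still work, but recomputing the pseudonym requires the key. The key is
    the "additional information" and lives in a separate key store, never
    alongside the pseudonymized dataset.
    """
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records: Sequence[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifier (email) with a keyed pseudonym.

    The returned dataset carries no direct identifier and no key.
    """
    return [
        {"subject": keyed_pseudonym(r["email"], key), "diagnosis": r["diagnosis"]}
        for r in records
    ]


def dictionary_attack(target: str, guesses: Sequence[str], key: Optional[bytes] = None) -> Optional[str]:
    """Try to re-identify one pseudonym by enumerating guessed identifiers.

    key=None models an attacker who obtained the dataset but not the key
    and therefore can only try the unkeyed construction. Returns the
    matching identifier, or None if no guess reproduces the pseudonym.
    """
    for guess in guesses:
        candidate = unkeyed_pseudonym(guess) if key is None else keyed_pseudonym(guess, key)
        if hmac.compare_digest(candidate, target):
            return guess
    return None


def demo() -> Dict[str, object]:
    """Run both constructions against the constructed records and report."""
    key = secrets.token_bytes(32)  # in production: generated and held in a KMS/HSM
    dataset = pseudonymize(SAMPLE_RECORDS, key)
    alice_keyed = dataset[0]["subject"]
    alice_unkeyed = unkeyed_pseudonym(SAMPLE_RECORDS[0]["email"])
    return {
        "distinct_subjects": len({r["subject"] for r in dataset}),
        "unkeyed_reidentified": dictionary_attack(alice_unkeyed, ATTACKER_GUESSES),
        "keyed_without_key": dictionary_attack(alice_keyed, ATTACKER_GUESSES),
        "keyed_with_key": dictionary_attack(alice_keyed, ATTACKER_GUESSES, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The bare-hash variant is re-identified from a three-entry guess list; the keyed variant is not, unless the attacker also holds the key. Note that pseudonymized data remains personal data under the regulation, since the controller can still re-identify it with the key; the construction changes who can re-identify the records, not whether they are in scope.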

The EUGDPR also contains breach notification provisions and requirements. Under these provisions, a “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

In the event of a “personal data breach,” notice must be provided to the applicable Data Protection Authority (DPA), the independent public authority that supervises, through investigative and corrective powers, the application of the data protection law. A DPA exists in each EU Member State. Notice to the appropriate DPA must occur “without undue delay and, where feasible, not later than 72 hours” after the controller becomes aware of the breach. If notice is not made within 72 hours, it must be accompanied by the reasons for the delay. Notice is not required, however, where the breach is unlikely “to result in a risk to the rights and freedoms of natural persons.”

Notification to appropriate DPAs must include the following pieces of information:

• The nature of the personal data breach, including the number and categories of data subjects and personal data records affected;

• The data protection officer’s contact information;

• A description of the likely consequences of the personal data breach; and

• How the controller proposes to address the breach, including any mitigation efforts.

In certain circumstances, the EUGDPR requires the appointment of a Data Protection Officer (“DPO”). The appointment of a DPO is required in three specific cases:

• Where the processing is carried out by a public authority or body;

• Where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or

• Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

The main role of a DPO is to assist and advise data processors and controllers regarding GDPR compliance. DPOs must be suitably qualified and report directly to the organization’s highest management level. DPOs also serve as the organization’s liaison with the supervisory authority. Separately, controllers and processors are required to keep a record of all processing activities involving personal data, a task that in practice often falls to the DPO. The record must include explanatory information on the purpose of the processing operations and must be made available to the supervisory authority on request.

The EUGDPR also contains a fine structure for violations of the regulation’s requirements. Under the EUGDPR, there are two tiers of administrative fines for non-compliance:

• Lower Level: Up to €10 million, or 2 percent of the worldwide annual turnover (revenue) of the prior financial year, whichever is higher, for infringements of:

o The obligations of controllers and processors under Articles 8, 11, 25-39, 42, 43.

o The obligations of a certification body under Articles 42, 43.

o The obligations of a monitoring body under Article 41(4).

• Upper Level: Up to €20 million, or 4 percent of the worldwide annual turnover (revenue) of the prior financial year, whichever is higher, for infringements of:

o The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9.

o The data subjects’ rights under Articles 12-22.

o The transfer of personal data to a recipient in a third country or an international organization under Articles 44-49.

o Any obligations pursuant to Member State law adopted under Chapter IX.

o Any non-compliance with an order by a supervisory authority (Article 83(6)).


In determining the tier and ultimate amount of the fine, member supervisory authorities use and consider the following criteria:

• Nature of infringement: number of people affected, damages they suffered, duration of infringement, and purpose of processing.

• Intention: whether the infringement is intentional or negligent.

• Mitigation: actions taken to mitigate damage to data subjects.

• Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance.

• History: (Article 83(2)(e)) past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (Article 83(2)(i)) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines.

• Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement.

• Data type: what types of data the infringement impacts; see special categories of personal data.

• Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party.

• Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct.

• Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement.

The EUGDPR also grants a private right of action to persons who suffer “material or non-material damage” as a result of a GDPR violation, which would include actions for pain and suffering and collective claims.

III. ETHICS RULES RELATING TO CYBERSECURITY THREATS, LAWS, AND ISSUES

A number of ethics rules are applicable to the quickly evolving cybersecurity landscape. The rapid pace at which new cybersecurity threats appear, the frequent passage and implementation of new cybersecurity statutes and regulations, and the short time frames in which clients and their attorneys must act in the event of a data breach implicate and highlight several ethical duties imposed by the Kentucky Rules of Professional Conduct. These include the duties of competence, diligence, communication, confidentiality, and safekeeping of client property.


Further, law firms are ethically required to ensure that their attorneys are observing and complying with these ethical requirements.

Below are the Kentucky Rules of Professional Conduct and associated commentary that are particularly important in the context of cybersecurity and data breach issues. The requirements of these rules make it necessary for attorneys and law firms to stay abreast of cybersecurity laws and regulations, maintain policies and procedures to protect confidential client data and information from unauthorized access and disclosure, and act quickly in the event of a data breach.

A. Rule 1.1 Competence

“A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”

Relevant commentary:

Thoroughness and Preparation

(5) Competent handling of a particular matter includes inquiry into and analysis of the factual and legal elements of the problem, and use of methods and procedures meeting the standards of competent practitioners. It also includes adequate preparation. The required attention and preparation are determined in part by what is at stake; major litigation and complex transactions ordinarily require more extensive treatment than matters of lesser complexity and consequence. An agreement between the lawyer and the client regarding the scope of the representation may limit the matters for which the lawyer is responsible. See Rule 1.2(c).

Maintaining Competence

(6) To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

B. Rule 1.3 Diligence

“A lawyer shall act with reasonable diligence and promptness in representing a client.”

Relevant commentary:

(3) Perhaps no professional shortcoming is more widely resented than procrastination. A client's interests often can be adversely affected by the passage of time or the change of conditions; in extreme instances, as when a lawyer overlooks a statute of limitations, the client's legal position may be destroyed. Even when the client's interests are not affected in substance, however, unreasonable delay can cause a client needless anxiety and undermine confidence in the lawyer's trustworthiness.

C. Rule 1.4 Communication

(a) A lawyer shall:

(1) promptly inform the client of any decision or circumstance with respect to which the client's informed consent, as defined in Rule 1.0(e), is required by these Rules;

(2) reasonably consult with the client about the means by which the client's objectives are to be accomplished;

(3) keep the client reasonably informed about the status of the matter;

(4) promptly comply with reasonable requests for information; and

(5) consult with the client about any relevant limitation on the lawyer's conduct when the lawyer knows that the client expects assistance not permitted by the Rules of Professional Conduct or other law.

(b) A lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.

Relevant commentary:

(3) Paragraph (a)(2) requires the lawyer to reasonably consult with the client about the means to be used to accomplish the client's objectives. In some situations – depending on both the importance of the action under consideration and the feasibility of consulting with the client – this duty will require consultation prior to taking action. In other circumstances, such as during a trial when an immediate decision must be made, the exigency of the situation may require the lawyer to act without prior consultation. In such cases the lawyer must nonetheless act reasonably to inform the client of actions the lawyer has taken on the client's behalf. Additionally, paragraph (a)(3) requires that the lawyer keep the client reasonably informed about the status of the matter, such as significant developments affecting the timing or the substance of the representation.

(5) The client should have sufficient information to participate intelligently in decisions concerning the objectives of the representation and the means by which they are to be pursued, to the extent the client is willing and able to do so. Adequacy of communication depends in part on the kind of advice or assistance that is involved. For example, when there is time to explain a proposal made in a negotiation, the lawyer should review all important provisions with the client before proceeding to an agreement. In litigation a lawyer should explain the general strategy and prospects of success and ordinarily should consult the client on tactics that are likely to result in significant expense or to injure or coerce others. On the other hand, a lawyer ordinarily will not be expected to describe trial or negotiation strategy in detail. The guiding principle is that the lawyer should fulfill reasonable client expectations for information consistent with the duty to act in the client's best interests, and the client's overall requirements as to the character of representation. In certain circumstances, such as when a lawyer asks a client to consent to a representation affected by a conflict of interest, the client must give informed consent, as defined in Rule 1.0(e).

D. Rule 1.6 Confidentiality of Information

(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).

(b) A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary:

(1) to prevent reasonably certain death or substantial bodily harm;

(2) to secure legal advice about the lawyer's compliance with these Rules;

(3) to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client, to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding, including a disciplinary proceeding, concerning the lawyer's representation of the client; or

(4) to comply with other law or a court order.

Relevant commentary:

(14) A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision. See Rules 1.1, 5.1 and 5.3.

(15) When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.

E. Rule 1.15 Safekeeping Property

(a) A lawyer shall hold property of clients or third persons that is in a lawyer's possession in connection with a representation separate from the lawyer's own property. Funds shall be kept in a separate account maintained in the state where the lawyer's office is situated, or elsewhere with the consent of the client, third person, or both in the event of a claim by each to the property. The separate account referred to in the preceding sentence shall be maintained in a bank which has agreed to notify the Kentucky Bar Association in the event that any overdraft occurs in the account. Other property shall be identified as such and appropriately safeguarded. Complete records of such account funds and other property shall be kept by the lawyer and shall be preserved for a period of five years after termination of the representation.


(b) Upon receiving funds or other property in which a client has an interest, a lawyer shall promptly notify the client. Except as stated in this Rule or otherwise permitted by law or by agreement with the client, a lawyer shall promptly deliver to the client any funds or other property that the client is entitled to receive and, upon request by the client, shall promptly render a full accounting regarding such property.

(c) When in the course of representation a lawyer is in possession of funds or other property in which the lawyer and client claim interests and are not in agreement regarding those interests, the funds or other property in dispute shall be kept separate by the lawyer until the dispute is resolved. The lawyer shall promptly distribute all portions of the funds or other property in which the interests are not in conflict.

F. Rule 5.1 Responsibilities of a Partner or Supervisory Lawyer

(a) A partner in a law firm, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct.

(b) A lawyer having direct supervisory authority over another lawyer shall make reasonable efforts to ensure that the other lawyer conforms to the Rules of Professional Conduct.

(c) A lawyer shall be responsible for another lawyer's violation of the Rules of Professional Conduct if:

(1) the lawyer orders or, with knowledge of the specific conduct, ratifies the conduct involved; or

(2) the lawyer is a partner or has comparable managerial authority in the law firm in which the other lawyer practices, or has direct supervisory authority over the other lawyer, and knows of the conduct at a time when its consequences can be avoided or mitigated but fails to take reasonable remedial action.

Relevant commentary:

(1) Paragraph (a) applies to lawyers who have managerial authority over the professional work of a firm. See Rule 1.0(c). This includes members of a partnership, the shareholders in a law firm organized as a professional corporation, and members of other associations authorized to practice law; lawyers having comparable managerial authority in a legal services organization or a law department of an enterprise or government agency; and lawyers who have intermediate managerial responsibilities in a firm. Paragraph (b) applies to lawyers who have supervisory authority over the work of other lawyers in a firm.

(2) Paragraph (a) requires lawyers with managerial authority within a firm to make reasonable efforts to establish internal policies and procedures designed to provide reasonable assurance that all lawyers in the firm will conform to the Rules of Professional Conduct. Such policies and procedures include those designed to detect and resolve conflicts of interest, identify dates by which actions must be taken in pending matters, account for client funds and property and ensure that inexperienced lawyers are properly supervised.