Data breaches have been an everyday occurrence in the past decade. The news media are filled with stories about the impact of security breaches on individual consumers, with some causing the compromise of millions of payment card numbers. The 2017 Equifax data breach compromised records of about half the population of the United States.
Nonetheless, data breaches aren’t always about hackers stealing information for identity theft purposes. Sometimes the goal of an attack is stealing trade secrets and confidential information. Perhaps the most frequent scenario we see in our practice is one or more employees stealing company data right before departing an employer and either starting their own competing business or taking the stolen data to an existing competitor.
Even worse is the economic and political espionage occurring every day in Silicon Valley. State-sponsored groups and non-state actors are trying to steal intellectual property developed by California companies to aid competitive companies, terrorist or organized crime groups, or foreign governments for profit, competitive purposes, or as a short cut to development. Attacks by hacktivists and terrorist groups aim to damage and disrupt US businesses.
Data breaches and espionage cost Silicon Valley, California, and the United States enormous sums in response costs, legal fees, opportunity costs, and lost sales to domestic and foreign competitors. For larger breaches, companies have to set aside tens of millions of dollars in reserves to pay for just the out of pocket expenses. Companies sustaining data breaches also take a hit to their reputations, driving away customers and resulting in lost profits and lowered stock values.
In response to data breaches and earlier concerns, the federal government and states like California have enacted various laws to protect individuals from data security breaches. Moreover, federal espionage and trade secret laws seek to deter thefts of data from businesses. Companies handling personal data may have obligations under international, foreign, federal, state, and local laws to protect the security of personal information and to report any personal data breaches. Examples include:
- California’s breach notification law, which requires reporting compromises of some categories of personal information to affected individuals and the Attorney General’s office.
- A later California requires reasonable security measures for these categories of personal information to prevent breaches from occurring in the first place.
- The California Consumer Protection Act (CCPA) is mostly about privacy, but in the event of a data breach affecting these categories of personal information, consumers can sue companies losing control of personal information to recover a set amount per consumer per incident – even if those consumers can’t prove present actually injury. Those amounts range from $100 to $750, but multiplied over hundreds, thousands, or millions of affected consumers, the potential damages can be enormous.
- The Gramm-Leach-Bliley Act (GLBA) and its regulations, which apply to financial service providers.
- The Health Insurance Portability and Accountability Act (HIPAA) and its security regulations, which apply to healthcare providers, health insurers, and healthcare clearinghouses, along with their “business associate” vendors. (SVLG Shareholder Stephen Wu is the author of an American Bar Association book on HIPAA security compliance.)
- The European Union’s General Data Protection (GDPR), which applies to many US-based businesses, which imposes both privacy and data security requirements on companies processing personal data.
- California’s connected device law requires manufacturers of Internet-connected devices, such as those used for Internet of Things applications, to have a reasonable security feature.
Companies processing personal information face compliance challenges to make sure they meet the requirements of these laws. In addition to these compliance challenges, companies face additional data security challenges such as these:
- Companies or holding trade secrets, confidential information, and intellectual property generally need to maintain the security of their information to make sure they don’t lose its value. For instance, once trade secrets are exposed and their secrecy is lost, they no longer qualify as trade secrets and their value as providing a competitive advantage is destroyed.
- Data security exhibits and addendums are frequently made part of larger agreements. Many vendors of products and services, when they try to sell their products or services, their customers demand that they agree to a set of security controls when processing personal information.
- Companies seeking to enforce trade secret misappropriation claims against former employees or competitors must defend their information security practices to show that they took reasonable care to protect their trade secrets. On the other hand, when our firm represents trade secret defendants, we can cast doubt on plaintiffs’ protection of their supposed trade secrets.
- Companies may have disputes about the effectiveness of security controls following a breach or after the discovery of vulnerabilities. Vendors of products and services involving personal data may claim their products are secure, while purchasers may claim they are not.
- When data breaches occur, affected companies may face a crisis. They must attempt to respond to the breach and report it as required by law in a short time, while at the same time managing their legal risks for failing to prevent the breach.
- Companies creating security programs to prevent breaches and manage security functions need policies, procedures, technical standards, guidelines, and training materials. Security professionals writing these documents may or may not be aware of legal compliance obligations when they write those documents, and may not word them in ways to mitigate legal risk.
- Companies need proper documentation in place with employees, independent contractors, and other workers to make sure that company data is protected.
Our law firm helps companies with all of these challenges. Our lawyers assist our clients to comply with security requirements in international, federal, state, and local laws. SVLG attorneys help protect companies’ intellectual property from theft. They draft and negotiate security exhibits and data processing addendums and agreements that are part of larger agreements. We advocate for our clients when they encounter security-related disputes. Our attorneys help clients respond to data breaches and provide appropriate notifications. Finally, we help clients create security programs to manage the risk of security breaches.
For a more thorough discussion of our data security services, see our information security guide in the Resources section of our website. Our security practice is an outgrowth of Shareholder Stephen Wu’s over twenty years of experience in the data security field. From 1997 to 2001, he worked as the second in-house lawyer at information security giant VeriSign, drafting sophisticated security policies and procedures for its public key infrastructure (PKI) business line for providing customers digital certificates used for Secure Sockets Layer authentication, digital signatures, and confidentiality encryption. Steve is one of a handful of lawyers in the United States with in-depth knowledge of PKI legal issues and continues to provide legal advice about PKI, digital certificate management, and PKI liability. He is the author or co-author of seven books on data security and served as the Co-Chair of the Information Security Committee in the American Bar Association Science & Technology Law Section from 2001 to 2004. He served as chair of the Section from 2010 to 2011, and has helped start Section committees to cover areas such as Homeland Security, Big Data, Internet of Things, and Artificial Intelligence and Robotics.
If your company has had a data breach or is trying to set up a security program to comply with security laws or customer requirements, we would be happy to have an initial consultation with you to go over your security needs and challenges. If you would like to make an appointment for an initial consultation, please contact us using the web form on the right or the phone number at the top of this page. Our firm seeks to solve data security legal problems. We would be glad to speak with you on an initial consultation about what our firm can offer to solve your problems, without obligation. Videoconference appointments are available.