Much has been written about breach notification laws such as California's Security Breach Information Act. These laws encourage companies to encrypt the personal information in their possession. They generally do so by requiring that companies notify individuals whose information has been lost or stolen if such information was not encrypted at the time of loss. Because of the significant cost and reputational damage associated with these breach notifications, a number of companies have chosen to encrypt personal information.
Many companies, however, appear unconvinced, as evidenced by the fact that we hear of new breach notifications nearly every day. Perhaps the mere threat of providing breach notifications is insufficient, as companies weigh the risk against the perceived cost. Perhaps they remain wedded to the cliché that “information is an asset.” While this is undoubtedly true, corporate officers should also realize that information increases the risk profile of a company.
But is there really the potential for liability in addition to the requirements under the existing breach notification laws (some of which already provide for civil remedies)? A jury can find liability where the following elements exist: 1) Duty; 2) Breach; 3) Cause; and 4) Harm. It is easy enough to imagine a scenario where a data loss (element 2) causes harm (elements 3 and 4). But what about element 1—is there a general duty to encrypt information or otherwise assure that it is never compromised?
It is doubtful that a broad duty to encrypt information exists. For example, it seems overly broad to impose liability for personal data on stolen home computers. Corporate computers, however, may be different because of the applicability of breach notification laws. These breach notification laws may give rise to a negligence per se argument—essentially that the law imposes a certain duty, or standard of care, the breach of which may lead to liability. Under these circumstances, liability may be imposed on corporations even in the absence of a statutory remedy.
Even if ultimately unsuccessful, this type of litigation is costly—both in terms of litigation expense and in reputational damage. For these reasons, it is easy to come to the conclusion that information is a liability and that the encryption of information is a fundamental component of following best practices in corporate risk management.