Last year, a Chicago-based medical records company called Allscripts was the victim of a malware attack. Hackers were able to break into the company’s computer systems and encrypt files, making it impossible to read the patient records stored on the company’s systems. The hackers demanded payment in bitcoin to release the files.
Allscripts decided not to pay the ransom and, while their IT team worked to restore records from their backup system, about 1,500 clients were unable to access files. Even though the company was able to restore the records, one of the affected clients, Surfside Non-Surgical Orthopedics in Boynton Beach, sued Allscripts in federal court. Surfside accused Allscripts of not doing enough to prevent the attack or lessen its impact and sued on behalf of all affected clients for “significant business interruption and disruption and lost revenues.”
Do The Right Thing, Still Get Sued?
Unfortunately, such lawsuits aren’t uncommon. There are many new hacker techniques to watch for and, when a cybercriminal breaches a company’s IT systems and steals customer data, the legal ramifications can be felt for a very long time. Civil liability following a cyberattack can include monetary compensation for economic losses incurred by your clients and customers. The National Cyber Security Alliance found:
- Almost 50% of small businesses have experienced a cyber-attack
- More than 70% of attacks target small businesses
- As many as 60% of hacked small and medium-sized companies go out of business after 6 months
The good news is that there are legal protections for companies that are the victim of cybercrime. In fact, at least one state, Ohio, created a safe harbor law to protect companies from civil litigation if they can show that confidential customer information was stolen despite their best efforts to protect it.
Here is a summary of state data protection and data breach laws in our home bases of Ohio, Wisconsin, Illinois and Indiana:
The Ohio Data Protection Act
The Ohio Data Protection Act went into effect in early 2019 and encourages businesses to put cybersecurity technology and policies in place by providing safe harbor protections. In other words, the law provides a legal defense if a business can show that it implemented reasonable information policies and security controls to protect customer data. Under the law, damages cannot be imposed if a state court finds your company had a reasonable cybersecurity plan when a breach occurred and followed it to the best of your ability. Or, as the legislation puts it, the law is “an incentive to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”
California and Colorado have similar laws but impose punitive measures if a business fails to put reasonable controls in place. Ohio's is the first such law to reward a company or organization for taking steps to protect customer data. The obvious question is, what constitutes a reasonable and enforceable cybersecurity policy? The law points to several well-known and established best-practice frameworks, beginning with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Wisconsin Data Protection and Privacy Laws
If a business that operates in Wisconsin experiences a data breach, it must notify the individuals whose personal information was accessed no later than 45 days following the date of discovery (unless the breach did not create a material risk of identity fraud). Financial institutions, medical businesses and tax preparation businesses — or anyone under contract with such businesses — must erase or make such personal information unreadable before disposing of it. Individuals may sue businesses for damages resulting from the leak of personal information, including medical records, bank accounts and tax returns. Businesses may be fined up to $1,000 per violation.
Illinois Data Protection and Privacy Laws
In Illinois, the Personal Information Protection Act encourages businesses to encrypt or redact personal information stored on their computers. Under the Act, businesses are required to “implement and maintain reasonable security measures” to protect personal information from being breached. However, there have not been any cases interpreting what that standard really means.
Illinois is one of a handful of states that put privacy rules in place for biometric information. The Biometric Information Privacy Act requires businesses to protect biometric information in the same manner as it would for confidential and sensitive information. The Illinois Consumer Fraud and Deceptive Business Practices Act allows for civil penalties of up to $60,000 in the event of a breach or leak of any private data.
Indiana Data Protection and Privacy Laws
Businesses in Indiana are required to implement and maintain reasonable procedures to protect personal information from unlawful use or disclosure. An intentional violation could result in a civil penalty of up to $5,000 per violation. In the event of a data breach, Indiana requires businesses that own or license personal information to notify individuals when their unencrypted personal information has, or may have been, accessed as a result of the data breach.
Federal Data Privacy Law
The United States does not have one comprehensive law regulating the protection of personal information. However, many industries are subject to specific data protection regulations, such as the Financial Modernization Act of 1999 (the Gramm-Leach-Bliley Act), which requires financial institutions to protect the confidentiality of their customers' personal information. Financial institutions must put safeguards in place to protect against data breaches and anticipated threats or hazards to the security of customer information.
In addition, the Federal Trade Commission Act prohibits unfair or deceptive practices in the marketplace. The FTC can take enforcement actions against companies that fail to comply with their own privacy policies and for the unauthorized disclosure of personal data, often resulting in multi-million-dollar fines.
If your business is hacked, the loss of revenue and harm to your reputation may be just the beginning of your troubles. Following an embarrassing and public cybersecurity breach, healthcare giant Anthem was penalized for $16 million, Yahoo settled with regulators for $117.5 million, and Voya Financial Advisors paid $1 million after customer data was stolen.
The good news is that a detailed cybersecurity policy and up-to-date IT protocols can protect you not only from an attack, but from potential civil legal liability as well. Not sure how your data security rates? Take our online risk assessment below to see where vulnerabilities may lie. Then, contact the Managed IT experts at Gordon Flesch Company about our advanced cybersecurity services. It could be the difference between surviving a cyberattack and losing everything in protracted, costly litigation.