CSG Law Alert: More Proactive Attorneys General May Mean More Fines for Companies That Do Not Have a Security Program
For businesses located in the State of New Jersey, the state does not (yet) have proactive legislation in place requiring businesses to take “reasonable” measures to protect the personal information of residents. However, if you have customers and/or personnel from outside the State, you may already be subject to the proactive requirements of other jurisdictions, because those laws attach to the residency of the individual whose data you hold, not to where your business sits.
Last year, we shared information regarding the New York SHIELD Act, which now requires any business that receives, collects, stores, processes or otherwise manages personal information regarding New York residents to take proactive, reasonable measures to secure that information. If a business fails to take such measures, and the data at issue is subsequently breached, the company can face substantial fines. Moreover, if the same company had stated on its website that it took reasonable measures to secure customers’ data, but failed to meet the standards of the NY SHIELD Act, that statement could also be pursued by the Federal Trade Commission as a deceptive trade practice under the Federal Trade Commission Act. Remember also that under the NY SHIELD Act, mere unauthorized access to personal information (without exfiltration, alteration or removal) is a reportable breach if that data is not encrypted, and encryption does not help if the encryption key was accessed or acquired as well.
Now, the Massachusetts Attorney General’s office has indicated that it, too, will be pursuing companies that fail to comply with Massachusetts’ data security regulation (201 CMR 17.00, which has been in effect since 2010). This regulation requires businesses that collect, store, process or otherwise manage personal information regarding Massachusetts residents to have a written information security program (WISP). Of course, having a program on paper that is followed only by exception, rather than as a matter of routine, does not equate to compliance.
At present, only the California legislature has given individuals a statutory private cause of action if a business fails to take “reasonable” measures to protect residents’ personal information and that information is then compromised. As seen in the Dittman v. UPMC case in Pennsylvania, however, courts have found that a cyber breach is a “foreseeable” risk. So even absent proactive legislation impacting your business, if you have not taken measures to address this foreseeable risk, you can be held liable when the “if” becomes “when” and that data is breached.
Being proactive may not prevent a breach, but it will help to protect your business from fines and private litigation.
Please contact your attorney when you are ready to take this important step to protect information regarding your business, its employees and customers.