Data Breach 101: Is Your Nebraska Business Prepared?
In the digital age, it is the nightmare scenario for any business: the dreaded data breach. Every other week, it seems as though another high-profile company has fallen victim to cyber criminals and must issue a sweeping disclosure notifying customers and clients that their personal data may be at risk for improper use. Major events like the Target and Equifax data breaches have garnered significant news coverage due to the volume of data compromised and ensuing consumer litigation. However, statistics show that over seventy-five percent of all cyberattacks are carried out against small to mid-sized businesses, and those companies similarly face breach notification requirements if customer data is compromised. What is even more shocking is the number one cause of business data breaches: employee error. Against that backdrop, it is critical for employers to know the risks that they face and what may be required of their company in the event of a data breach.
Although Congress has proposed multiple different cybersecurity laws in recent years, few bills have actually been passed. Because of that, the current legal landscape in the cyber arena is a veritable "patchwork quilt" of laws, with specific requirements that vary from state to state. In Nebraska, data breach events are covered by the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006, Neb. Rev. Stat. § 87-801, et seq. (the "Data Breach Act"). Under the Data Breach Act, any company that conducts business in Nebraska and that owns or licenses computerized data that includes personal information about a Nebraska resident must conduct a reasonable and prompt investigation when it becomes aware of any breach of the security of its system. Providing notice is not automatic after a breach; the Data Breach Act says that a company only has to provide notice if it reasonably determines that information has been compromised and is likely to be used for an unauthorized purpose. Where notice is required, it must be given to all affected Nebraska residents, as well as Nebraska’s Attorney General. Notice may be delayed if a law enforcement agency determines that the notice could impede a criminal investigation into the matter.
Even if a hacker gains access to your company’s computer system, some events may not trigger notification requirements. For example, a "breach of the security of the system" means "the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity." Neb. Rev. Stat. § 87-802. In simple terms, even if a hacker gets access to your data, there is no reporting obligation if the data is scrambled such that it is effectively useless without some sort of key for them to unscramble what they are looking at. However, the Nebraska legislature amended the Data Breach Act in 2016 to make it clear that companies still have to provide notice where encrypted data is breached if it is believed that the hacker also could have obtained the decryption key.
Similar to the above example, notification is only required if "personal information" about a Nebraska resident is subject to unauthorized disclosure. "Personal information" includes a Nebraska resident’s first name or first initial and last name in combination with any one or more of the following: social security number; driver’s license or state identification card number; account, credit, or debit card number combined with any required security code, access code, or password that would permit access to the financial account; unique electronic identification number or routing code in combination with any required security code, access code, or password; unique biometric data such as fingerprint, voice print, or retina or iris image; or username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
At first blush, the notice requirement of the Data Breach Act seems simple enough: where an unauthorized breach occurs, a company must provide notice to the affected Nebraska resident as soon as possible. Unfortunately for most companies, the devil is in the details. A typical breach event will involve the compromise of data for hundreds, if not thousands, of individuals. If the class of affected Nebraska residents can be positively identified, notice can be provided by letter, telephone, or electronic means. However, if the company does not have sufficient contact information to provide individualized notice, or if doing so would either cost more than $75,000 or the affected class includes more than 100,000 Nebraska residents, substitute notice must be given. Substitute notice requires taking all of the following actions:
- Sending e-mails to all affected individuals or entities to the extent the company has e-mail contact information;
- Placing a conspicuous posting on the company’s website regarding the breach; AND
- Providing notice to major statewide media outlets for publication. [1]
Given those requirements, any data breach event affecting Nebraska residents will almost certainly result in significant time and effort that must be expended by a company to comply with legal obligations. Those efforts will be in addition to costs associated with internal remediation of the breach and public relations fall-out from the event. Further, the Data Breach Act only covers compliance obligations related to compromised data involving Nebraska residents. For multi-state employers that collect and store data about individuals in various states across the country, a breach event will likely trigger compliance obligations under the laws of multiple states. In addition, companies that do business internationally and collect information from either employees or customers abroad may be subject to strict requirements for protecting that data and stiff penalties in the event of a breach.
In light of the high cost to a company in terms of time, reputation, and compliance efforts associated with a data breach, what can companies do to avoid a catastrophic breach event? A good first step is ensuring that your business has appropriate technical safeguards to protect sensitive data that you maintain. This will include things such as maintaining a firewall for your computer system and making sure that anti-virus and other protective software is kept up to date. Keeping separate back-ups of important data is another good practice in order to allow you to reboot and continue operating should a hacker lock you out of your system or delete necessary files. It is additionally recommended to secure any devices that contain company information. Things like laptops, tablets, and smart phones should be password protected and the company should have the ability to remotely wipe a device in the event that it is lost or stolen.
By far and away, however, the biggest cyber threat facing an organization is employee error. Whether it is a targeted phishing scheme meant to trick a key employee or a simple link or attachment containing infectious malware, studies show that employee mistakes are the most common cause leading to data breach events. Conducting regular training to improve overall awareness and the ability of employees to identify cyber threats may be the easiest way for companies to help mitigate potential issues. Similarly, ensuring that employees regularly change their systems access passwords and segmenting who has access to particular types of data will help limit what a hacker can do if they happen to gain access to your system. Lastly, having a robust data breach response plan and making sure that key employees know their individual responsibilities in the hours and days following a breach event will ensure that your company is well-positioned to weather the cyberattack storm.
In an increasingly technology-driven world, cyber and data-related issues will only become more prevalent for businesses across the United States. The attorneys of Koley Jessen’s Employment, Labor and Benefits practice group are here to help prepare your workforce to be ready to meet these issues head on. For additional assistance in creating a plan to help mitigate cyber risk, or to respond to a breach event, the attorneys of Koley Jessen’s interdisciplinary Data Privacy and Security team are also ready to assist your team today.
[1] Certain substitute notice requirements under the Data Breach Act are different for companies with 10 or fewer employees who can demonstrate that the cost of providing notice will exceed $10,000.