When It Comes to Cybersecurity Litigation, An Ounce of Prevention is Worth a Pound of Cure

In an article published by the Daily Business Review on February 14, Jacey Kaps and Steve Berlin write about data breach prevention and legal obligations following a data breach.

Amazon revealed that it inadvertently exposed names and email addresses of some of its members due to a technical issue. Kaps and Berlin look at this issue to offer tips and suggestions for what Florida companies can learn from it. 

“The Florida Information Privacy Act requires covered entities to ‘take reasonable measures to protect and secure data in electronic form containing personal information,’” Kaps and Berlin write in the article. “In other words, the first requirement is to stop potential data compromise and then determine what happened and what, if any, data was compromised to ascertain if the business must prepare a data breach notification.”

Kaps and Berlin stress that organizations should act quickly. “In Florida, data breach notification must occur within 30 days,” they state. “However, if any customers are members of the European Union, then the EU’s General Data Protection Regulation (GDPR) may apply, meaning that the company must notify particular authorities within 72 hours from the time it learns of a personal data breach.”

Among the potential threats and prevention tips outlined in the article, Kaps and Berlin advise companies to take proactive steps. “Not only can early planning reduce the likelihood of a breach, it also demonstrates due diligence if an organization is compromised by a sophisticated threat actor.”

Kaps and Berlin also warn companies of vendor agreements that fail to spell out data ownership and protection responsibilities. “An organization can make internal cybersecurity protocols and have well-trained employees, but third parties may place its data at risk,” they state. “Organizations should ensure agreements delineate the data being transferred, who owns the rights to the data and cybersecurity data protection protocols.”

For the full article, subscribers to the Daily Business Review may click here.