Page 106 - Cyber Warnings







orders with companies for failing to maintain reasonable data security practices or for
misrepresenting data security practices. Prior to this year, state attorneys general limited their
activity in the cybersecurity space to bringing actions against companies that had suffered a
data breach. The settlements of those actions often resulted in large fines and comprehensive
requirements for implementing a more secure information security program. As of last month,
however, states have ventured into new territory. The New York Attorney General brought an
action against a wireless lock company, Safetech Products LLC. Safetech is a Utah-based
company selling its locks online via Amazon and its own retail website. Interestingly, Safetech
had not suffered a data breach; rather, security researchers reported that Safetech did not
encrypt user passwords in transmission between a user’s mobile device and the locks. Upon
hearing of the security researchers’ report, the New York Attorney General launched an
investigation. The investigation confirmed the security researchers’ report and determined that
Safetech also did not require users to change default passwords. Because these practices
could have potentially led to a data breach, the Attorney General alleged that Safetech had
failed to reasonably protect its customers’ information. Safetech and the Attorney General
entered into a comprehensive settlement agreement that requires Safetech to implement and
establish a comprehensive data security program with several parts. Particularly given the
oversight by the Attorney General, the security program may be onerous and expensive to
implement.

Now that the states have shown an increased interest in regulating, through legislation or an
enforcement action, the cybersecurity practices of companies, many companies will be faced
with complying with several states’ laws and requirements. In practice, companies may attempt
not to do business in states with restrictive cybersecurity laws or may apply the most restrictive
standard to the entire organization nationwide.

This of course assumes that none of the regulations will conflict, which, in an area as complex
and ever-changing as cybersecurity, is not a given. It may also lead to a compliance state,
where companies are focused on ensuring legal compliance, rather than on ensuring a robust
cybersecurity program, which comes from a healthy risk management process that includes
appropriate risk assessments. Given the high-profile nature and number of data breaches,
however, it is unlikely that states will engage in less legislation and enforcement, and the
patchwork of state laws will continue to grow.

About the Author:
Jami Mills Vibbert is a Counsel in Venable’s Privacy and Data Security practice
who advises and counsels clients on matters related to data security, data
protection, and data risk management. Jami is based in the firm’s New York
office. For more information, visit www.venable.com.







106 Cyber Warnings E-Magazine – June 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
