Your Business Could Be Liable for Cyber Security Breaches

Posted in Business & Corporate, Cyber Law

Cyber security has become a growing concern for individuals and businesses across the nation. Undoubtedly, you’ve heard about breaches at Target, Wal-Mart, J.P. Morgan Chase, Home Depot, Apple, and Neiman Marcus. Hundreds of thousands of people had their names, social security numbers, financial information, and other sensitive data stolen and used unlawfully.

Theft of consumer information via the internet happens every day, from any number of data or network systems, and it affects all types of people. It’s not just individuals or big box stores that are targeted. Cyber-attacks are directed at various organizations that keep clients’ and customers’ personal information on record. Hackers will look to small businesses, and even to a person’s home management company or homeowners’ association, to access that person’s sensitive personal and financial information.

Pennsylvania and New Jersey have enacted laws to help protect consumers when businesses are targeted and data breaches occur. Pennsylvania’s Breach of Personal Information Act (“BPIA”) applies to any entity that maintains, stores, or manages computerized data that includes personal information, including certain non-Pennsylvania businesses. When an entity’s data is breached and personal information is stolen, or it is reasonably believed that the information was accessed and obtained by an unauthorized individual, the business is required to provide its client or customer with notice of the breach.

Certain types of notice are required to be given without unreasonable delay. Failure to provide notice under the BPIA can lead to civil liability for the business. Pennsylvania has also enacted the Privacy of Social Security Numbers Act (“PSSNA”), which prohibits the dissemination of an individual’s social security number by, among other things, publicly posting it or printing it on an access card. A violation of the PSSNA can lead to civil fines and criminal penalties.

In New Jersey, individuals are protected by the Identity Theft Law and the Identity Theft Prevention Act. Under these laws, a business is required to destroy records containing personal information that it is no longer supposed to retain. Various types of entities, including sole proprietorships, partnerships, and corporations, are subject to the laws. A data breach triggers the business’s requirement to notify the police, and possibly the consumer. The laws provide for different methods to be used to alert consumers that their information has been compromised, such as notice via electronic mail or on the company’s website.

As in Pennsylvania, businesses are prohibited from publishing an individual’s social security number publicly or requiring transmission of a social security number via the internet, unless an exception applies. Violations of the act can lead to civil penalties of up to $5,000.00.

Any entity that keeps sensitive personal information should maintain protocols to keep client and customer information safe. Otherwise, it could find itself defending a civil lawsuit or criminal charges that have been brought against it.