NEW YORK, April 12 – LAWFUEL – The Law News Network — Today’s announcement of a massive theft of personal data from the LexisNexis computer systems, and other similar recent announcements, may suggest that computer security breaches are on the rise. But in reality, it is new data privacy laws in California that have
begun forcing companies to disclose and respond to breaches that previously
would have not been made public, says a noted privacy lawyer with White &
Case.
“While this latest news and other recently announced breaches involving
established, reputable companies have captured growing attention, there’s no
evidence that the overall number of security breaches is on the rise. Rather
the increasing crescendo of security breach disclosures is a consequence of
the California statute requiring database owners to notify California
residents, essentially one out of every eight Americans, of breaches involving
their data,” said White & Case privacy and intellectual property lawyer David
Bender, author of the four-volume Computer Law: Software Protection and
Litigation. “The era characterized by the industry’s ‘dirty little secret’ —
that only a tiny percentage of breaches are ever disclosed — is over.”
Bender added that while the enhanced disclosure requirements may perhaps
shine an unwelcome spotlight on the disclosing companies and the problem of
data theft in general, the statute actually fits in well with the way
businesses operate in the United States.
“The statute does not create a heavy bureaucracy or set forth a long list
of detailed rules. Instead it invokes Adam Smith’s ‘invisible hand’ and works
by indirection. Most of all, it makes it in the company’s interest to tend
adequately to security,” said Bender.
Moreover, the California statute, and the subsequent disclosures on the
part of companies, is prompting the federal government to begin moving in a
similar direction.
“Currently, the US lacks a comprehensive national law regarding data
privacy, though numerous privacy bills are pending before Congress. However,
while we anticipate that some sort of federal legislation will be enacted, it
remains to be seen what the final form will be,” said Bender.
The latest news concerning a security breach of personal data came just as
Bender and several of his White & Case colleagues were addressing a group of
privacy officers and other business executives at White & Case’s Fifth Annual
Global Privacy Symposium in New York and London.
At the symposium, Bender said many security breaches involve the theft of
highly sensitive personal identification such as names, addresses, social
security numbers, driver’s license numbers and credit reports. The hackers
who break into computer systems and take information often use it to raid
consumer bank accounts, obtain false passports and driver’s licenses and
generally “assume” the victim’s identity. In one case, a major US bank
reported that data on some 1.2 million federal employees — including some US
Senators — was stolen apparently from back-up tapes being shipped to storage.
Current government estimates say identify theft costs US consumers and
businesses $50 billion annually, and that doesn’t include the costs of
security breaches and any subsequent litigation that may arise.
“Public companies that experience a privacy breach also need to consider
the disclosure implications under federal securities laws,” said Bender.
“Failure to disclose a privacy breach while trading in company stock could
trigger liability and even spark an investigation by the SEC.”
In the meantime, Bender recommends that the best way for companies to
protect themselves from liability is to familiarize themselves with current
data privacy laws in the United States, the European Union and other
jurisdictions in which they do business to ensure compliance with those laws,
and work closely with security experts to explore more effective ways to
restrict break-ins.
White & Case’s privacy lawyers counsel clients on all aspects of privacy
law, including cross-border data transfer, compliance with laws in various
jurisdictions, privacy policies, the right to monitor employee electronic
communications and specific procedures that may be helpful in avoiding
privacy-related litigation. The Firm’s privacy practice pioneered a
proprietary methodology for conducting privacy data protection audits, which
identifies and analyzes in detail, the client’s collection, use, disclosure,
and cross-border transfer of personal information, and provides advice as to
necessary modifications to the company’s policies and practices.
About White & Case
White & Case LLP is a leading global law firm with 1900 lawyers practicing
in 38 offices in 25 countries. Global Counsel consistently ranks White & Case
among the top global law firms. For the latest materials from the White &
Case Global Privacy Symposium, visit http://www.whitecase.com/privacy
Web Site: http://www.whitecase.com/privacy
