CYBERSECURITY – BUSINESS COMPLIANCE & RESEARCH METHODOLOGY
- davidgrippe
- Sep 3, 2024
Cybersecurity Legal Research & Strategy
August 1, 2024 David Grippe
University of Pennsylvania – LAWM5360
Table of Contents
Introduction
What I Already Know
Research Strategy
First Step (What are my questions?)
Second Step (Finding useful secondary sources)
Third Step (Finding useful primary sources)
Fourth Step (Formalizing & Drawing Conclusions)
Feedback From Midterm
My Research
Secondary Sources & Analysis
Treatises
Practice Guides
Journal & News Articles
Data Privacy Standard Documents
Restatements
American Law Reports
Law Reviews and Journals
Secondary Source Conclusion & Analysis
Primary Sources & Analysis
Federal Regulatory Sources
State Regulatory Sources
Statutory Law
Case Law
Formalizing & Drawing Conclusions
Final Thoughts
Introduction
When a business suffers a breach of information through a cyber-attack, the result can be very costly and time-consuming. Usually these incidents affect many people and may even become class action lawsuits. Companies that have been breached may experience a loss of confidence among their customers, employees, and suppliers.
I have been considering starting my own business and would like to know more about the laws, judicial precedent, and regulations that a company must follow to protect its data. I would especially like to focus on what types of data must be protected by law and whether there are any laws and regulations on the ways in which a company must protect data.
I plan to focus mostly on federal and Pennsylvania jurisdiction to start, since that is where I will be starting my business. I may also consider expanding that jurisdiction if I don’t find much in Pennsylvania. I also plan to pay special attention to laws regarding data that employers collect from employees and customers. My business will be a consulting firm that specializes in generating AI and engineering tools to help clients improve their productivity in engineering and manufacturing environments. There will be intellectual property that my clients will want to protect. As a contractor, I would also like to make sure that I understand all of the legal requirements and the relevant cases and judicial precedents surrounding this issue.
Regulatory Concerns:
Various industries, such as the nuclear industry, maintain secret and/or regulated information. It is the responsibility of these companies to comply with the regulatory agencies that govern them. As a contractor who may work for these companies, I want to learn more about the rules and regulations these agencies require as they apply to data protection. The kinds of data and the way they must be protected may vary by industry. I will focus on the nuclear industry since I have worked in this industry for the last few years. This may provide a good foundation because the data in the nuclear industry is very important to protect.
The Federal Trade Commission will be a good source as well because it is the federal agency that governs the data protection of consumers.
What I Already Know
I am going into this topic without much prior knowledge of what the law requires. I do know that companies have various safeguards to prevent cyber-attacks. Most companies set up firewalls, VPNs, and various levels of administrative rights depending on the employee’s role. I also know that they usually provide training to employees on how to prevent phishing attacks and how to protect their data. Most companies have software that maintains data such as customer, employee, vendor, and manufacturing data. This software is usually password protected, and access to data is restricted depending on job position and need. External emails are flagged and specific websites are restricted.
But I still have many important legal questions. What safeguards are required by law? What types of data are required to be protected? In the event of a data breach, what are the best practices? How can a company limit its liability? All of these questions require legal research, but some answers will be found using primary legal sources while others may best be found using secondary legal sources.
Research Strategy
First Step (What are my questions?):
My first step for this research project is to clearly outline my goals and the legal questions that I want to answer (I expect to have more as I continue learning):
1. What cybersecurity laws are in my Jurisdiction?
2. Who must be protected?
3. What types of data must be protected?
4. What measures should be taken to protect this data?
5. What are the common industry standards for data protection?
6. How can liability regarding cybersecurity be reduced?
7. What is the best practice after a company experiences a data breach?
8. How can compliance be maintained in this rapidly changing field?
Second Step (Finding useful secondary sources):
For this research project I need to find some good secondary legal sources. I will start with practice resources in Westlaw Practical Law, Bloomberg Law, or Lexis Practice Advisor. I will also look through articles, journals, treatises, and encyclopedias to see what the common legal issues regarding cybersecurity are. These sources are more informal and easier to read, and they may provide good primary sources as references.
I will see if I can find checklists or toolkits that give me a better foundation in the legal concerns and the ways in which companies protect themselves. There might be some interesting viewpoints about AI and cybersecurity measures that haven’t been formalized into law yet.
For the issue I am researching, I am very interested in the practice guides and law reviews and journals because this is a topic that is likely in the current news.
Third Step (Finding useful primary sources):
I plan to use statutes, legal precedent, and administrative regulations as my primary legal sources. If I were to support an argument for litigation, I would identify previous cases that are binding, factually similar, and were decided in my favor to help support my arguments. However, for my research since I don’t have a case to argue for or against, I will review these cases for commonality and to help refer me to statutory laws that will be used for these types of cases. I want to read some opinions and determine how the statutes were used in these cases.
Fourth Step (Formalizing & Drawing Conclusions):
Once I have found the primary sources of law and understand the basics of the legal aspects, I will then start thinking about the ways in which the authors might coordinate their data security efforts. Then finally, I will answer what the legal requirements are for the state and federal jurisdictions. I can consider what the best practices are to follow these laws. I will then form my own opinion about how to protect my company and its employees and customers from liability and cyber threats.
My Research
As I start my research, I want to keep in mind the fundamental questions listed in the first step of my research strategy section. If I can answer these questions then I can feel confident in my capabilities to run a company that is secure and protected from lawsuits and hopefully data breaches. Now as I keep this list in mind I will turn to step 2 and try to find secondary sources that will help answer these questions and more.
Secondary Sources & Analysis:
Treatises:
Performing legal research on a topic as broad as cybersecurity and data privacy proved daunting at first. I thought it best to start by looking through a legal treatise to learn some of the history of the topic and give myself a better foundation for organizing my approach. I used Westlaw, browsed the secondary sources under Privacy Law, and found my most useful source under Privacy Law Texts and Treatises: Data Security and Privacy Law § 1:1 (2023 – 2024).
After reading through this treatise, I was able to understand why cybersecurity is so important. It provided common terms and definitions that were helpful while reading about cybersecurity, and it introduced the foundational ideas that support the rest of my research.
I learned that there are three main categories of cyber-attack: attacks against governments, against corporations, and against the general public. Data Security and Privacy Law § 1:1 (2023 – 2024).
After learning this, I dug a little deeper into the theory to understand the many ways hackers can penetrate computer networks and systems, and the various safeguards that companies typically put in place to prevent such attacks (§ 1:3. Cyberattacks against businesses; § 5:1. Risk management generally). Each company may have slightly different or stricter concerns when it comes to data protection, so it is important to consider my own situation and act accordingly. § 5:1. Risk management generally (2023 – 2024).
| Methods for gaining access into a system | Methods and tools for cyber attacks |
|---|---|
| Physical access | Viruses |
| Technical access | - Traditional |
| Probing | - Boot sector |
| Scanning | - Partition sector |
| Cracking codes, passwords, keys | - Macro |
| Sniffing | - Polymorphic |
| Spoofing | - Stealth |
| Wardriving | - Multipartite |
| ATM skimming | Trojan horse |
| System compromise | Logic bomb |
| Packet sniffing | Ransomware |
| Snooping and downloading | Hoaxes |
| Data tampering or manipulating | Worms |
| | Denial of service |
| | Infrastructure attacks |

Table 1 - Modes & Methods of Cyber Attacks (the two columns are independent lists; the indented entries are virus types)
Although most companies will require slightly different strategies and will adopt different policies for protecting data, in general they can all follow the same process.
The four components of the risk-management process below are taken from § 5:2. Components of risk-management process (2023 – 2024); they mirror the frame, assess, respond, monitor cycle of NIST Special Publication 800-39.
(1) Risk framing. The treatise points to the National Institute of Standards and Technology as the reference for the framing step.
(2) Risk assessment. Risk assessment requires a corporation to first determine the nature of unpredictable events and then identify and quantify the potential losses and liabilities associated with those risks. Potential liabilities can include a number of items, such as data and software loss, disclosure of confidential information, business interruption, penalties associated with violations of laws and regulations, and sanctions associated with noncompliance with industry best practices.
(3) Risk response. The treatise’s Exhibit 5-2 lists four common strategies for risk response (in the usual taxonomy: avoid, mitigate, transfer, or accept the risk).
(4) Risk monitoring and audit.
After gathering some important background information on cybersecurity, I thought it was important to search for secondary sources that can provide help gaining insight into how companies protect their data. I also wanted to know more about what types of data and what types of equipment they are protecting.
“Some of the most prominent examples of emerging risks in business computing are attributable to:” § 5:79. Five major sources of risk (2023 – 2024)
1. Mobile Devices & the Bring-Your-Own-Device (“BYOD”) workplace;
2. Cloud computing;
3. Social Media;
4. The “Internet of Things”; and
5. The Work from Home (“WFH”) workplace.
Although the treatise was helpful in providing a lot of supporting information, it was a bit weak on legal sources to refer back to. Practice guides were very helpful in providing some good primary and secondary legal sources for reference.
Practice Guides:
I was able to find the Workplace Privacy Toolkit page from Bloomberg Law. This page was extremely helpful in identifying the various types of data to consider protecting, and it provided some very good resources such as checklists, forms, articles, and relevant privacy laws.
As I searched through Westlaw secondary sources, I found the following checklists, which provide a great starting point when designing a company privacy and safeguard policy. While searching for practice guides and checklists I noticed a few common areas of interest, such as data breaches, AI, mobile devices, and social media privacy considerations. The titles of the following sources are self-explanatory; they were extremely helpful for learning, but there is not much analysis to add beyond listing them here.
Data Breach Response Checklist – by Practical Law Data Privacy & Cybersecurity (National/Federal)
State Data Breach Notification Laws Table – Chart that shows Data Breach notification laws by State
Implementing Workplace AI Tools Checklist - by Adam S. Forman and Nathaniel M. Glasser, Epstein Becker Green, P.C., with Practical Law Labor & Employment; USA (National/Federal)
Mobile App Privacy Compliance Checklist - by Practical Law Data Privacy & Cybersecurity; USA (National/Federal)
Company Use of Social Media: Best Practices Checklist - by Practical Law Intellectual Property & Technology; USA (National/Federal)
Data Breach Notification Laws: Pennsylvania – Q&A guide that includes Statutes, Personal Information, Triggering Events, Notice requirements and more.
Cyber Incident and Data Breach Notification | Practical Law (westlaw.com) provided great information about what a business must consider after a breach, such as who it must notify. Notification plan details below…
As a foundation for preparing a notification plan, a business must identify its legal obligations. This requires identifying:
The types of data compromised.
The affected individuals.
The jurisdictions involved (usually the place of residency of the affected individuals).
The state, federal, or international laws triggered by the data and jurisdictions involved.
Whether there are any obligations to notify:
individuals;
third-party businesses (for example, if the business is a service provider);
regulatory agencies;
law enforcement; or
consumer reporting agencies.
For public companies, the materiality of the data breach's or other cyber incident's impact on the business to assess whether filing a Securities and Exchange Commission (SEC) Form 8-K is warranted.
Journal & News Articles:
After finding some checklists, I thought it would be good to read about some recent news topics and articles that are related to data protection to see if there are any trends in discussion or if there is any advice on how companies should protect their data. I found a lot of topics that concerned AI, Biometric data, and data breaches. I thought that these articles reinforced most of what I learned while looking through the checklists, but it was good to confirm that I’m on the right track and not missing any major modes of entry for hackers to attack.
AI and the Role of the Board of Directors 08/01/2023 - by Holly J. Gregory, Sidley Austin LLP
Biometrics Litigation: An Evolving Landscape 04/02/2018 - by Michael P. Daly, Kathryn E. Deal, Seamus C. Duffy, Matthew J. Fedor, Michael W. McTigue Jr., and Meredith C. Slawe, Drinker Biddle & Reath LLP, with Practical Law Litigation
Expert Q&A: Data Breaches—Avoiding Common Mistakes in Data Breach Prevention and Response 05/25/2016 – by Practical Law Intellectual Property & Technology; USA (National/Federal). This data breach Q&A was especially helpful in answering specific legal questions such as what to do in the event of a breach of data.
The biggest data breach fines, penalties, and settlements so far | CSO Online 4/26/2024 – article listing the largest data breach fines and class action settlements.
A couple of important takeaways from the Expert Q&A: Data Breaches—Avoiding Common Mistakes in Data Breach Prevention and Response were the answers to the three questions below.
1. How must notice be given to affected individuals in PA?
In Pennsylvania, the covered entity must provide notice to affected individuals by one of the following methods:
- In writing.
- By telephone, if:
  - it is reasonably expected that the affected individuals will receive the notification;
  - the notification is given in a clear and conspicuous manner;
  - the notification describes the incident in general terms and verifies personal information but does not require the affected individuals to provide personal information; and
  - the individual is provided with a telephone number to call or website to visit for further information.
- By email, if:
  - a prior business relationship exists; and
  - the covered entity has a valid email address for the affected individuals.
- By electronic notice, if the notice directs the person whose personal information has been materially compromised by a breach of the security of the system to promptly change their password and security question or answer, as applicable, or to take other steps appropriate to protect the person's online account, to the extent the entity has sufficient contact information for the person.
- By substitute notice, under certain circumstances.
2. How quickly must the entity provide notice?
“A Pennsylvania entity must provide notice to affected residents without unreasonable delay, except as required to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system (73 P.S. § 2303(a)).”
3. What type of information is considered to be protected personal information?
- Social Security number.
- Driver’s license or state identification card number.
- Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
- Medical information, defined as any individually identifiable information contained in an individual's current or historical medical history record or medical treatment or diagnosis created by a health care professional.
- Health insurance information, defined as an individual's health insurance policy number or subscriber identification number in combination with an access code or other medical information that permits misuse of an individual's health insurance benefits.
- A username or email address, in combination with a password or security question and answer that would permit access to an online account.
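As an added worked example (my own illustration, not the paper's or Practical Law's material, and not legal advice), the following Python script turns the checklists above into a breach-triage routine: the notification-plan questions (types of data, affected individuals, jurisdictions, who must be notified) and the Pennsylvania definition of personal information with its permitted notice methods. The element names, the constructed sample records and the contact flags are assumptions made for illustration. One caveat that the page's summary leaves out and that comes from the statute itself (73 P.S. § 2302), not from the page: the definition covers data elements linked to the individual's name only when they are not encrypted or redacted, so the script takes an `encrypted` flag and treats encrypted records as outside the definition. The content conditions on telephone notice and the circumstances for substitute notice are left to the notification script rather than modelled.

```python
"""Breach-notification triage for the Pennsylvania personal-information
definition summarised above.

Added example; not the author's or Practical Law's code, and not legal advice.
Element names, sample records and contact flags are constructed for
illustration.  The element combinations follow the page's summary of the
Pennsylvania definition; the `encrypted` flag reflects the statute's own
exclusion of encrypted or redacted data (73 P.S. § 2302), which the page's
summary omits.
"""
from dataclasses import dataclass
from pprint import pprint

# Elements that qualify on their own (page bullets 1, 2 and 4).
STANDALONE = {"ssn", "drivers_license", "state_id", "medical_info"}

# Elements that qualify only together with one of the listed enablers
# (page bullets 3, 5 and 6).
COMBINATIONS = {
    "account_number":      {"security_code", "access_code", "password"},
    "card_number":         {"security_code", "access_code", "password"},
    "health_insurance_id": {"access_code", "medical_info"},
    "username":            {"password", "security_qa"},
    "email":               {"password", "security_qa"},
}

# Online-account credentials: the case in which "electronic notice" applies.
ONLINE_ACCOUNT = {"username", "email"}


@dataclass
class AffectedRecord:
    """One affected person (constructed shape, not a real schema)."""
    person_id: str
    state: str                 # state of residence drives the jurisdiction
    compromised: set           # element names from the sets above
    encrypted: bool = False    # statute caveat: encrypted data is out of scope
    has_email: bool = False
    has_phone: bool = False
    prior_relationship: bool = False


def triggering_elements(compromised: set, encrypted: bool = False) -> set:
    """Compromised elements that meet the PA personal-information definition.

    An empty result means these elements alone trigger no PA notice.
    """
    if encrypted:
        return set()
    hits = compromised & STANDALONE
    for element, enablers in COMBINATIONS.items():
        if element in compromised and compromised & enablers:
            hits.add(element)
    return hits


def notice_methods(record: AffectedRecord, hits: set) -> list:
    """Delivery methods the page lists as permitted for this person."""
    methods = ["writing"]                          # always permitted
    if record.has_phone:
        # The statute's conditions on a telephone notice (clear manner, no
        # request for personal information, call-back number) must be met by
        # the script the caller reads; they are not checked here.
        methods.append("telephone")
    if record.prior_relationship and record.has_email:
        methods.append("email")
    if hits & ONLINE_ACCOUNT and (record.has_email or record.has_phone):
        # Electronic notice must tell the person to change the password or
        # security answer for the affected online account.
        methods.append("electronic")
    return methods


def triage(records: list, is_service_provider: bool = False) -> dict:
    """Skeleton of the notification plan described on the page.

    Groups affected people by whether PA notice is triggered, which other
    states' laws must be checked, and whether a data-owner (third-party
    business) notice is owed because the entity is a service provider.
    """
    plan = {
        "pa_notify": {},
        "other_jurisdictions": {},
        "no_notice": [],
        "third_party_business_notice": is_service_provider,
    }
    for r in records:
        hits = triggering_elements(r.compromised, r.encrypted)
        if not hits:
            plan["no_notice"].append(r.person_id)
        elif r.state == "PA":
            plan["pa_notify"][r.person_id] = {
                "elements": sorted(hits),
                "methods": notice_methods(r, hits),
                "timing": "without unreasonable delay (73 P.S. § 2303(a))",
            }
        else:
            # Other states: consult that state's statute (the page's State
            # Data Breach Notification Laws Table); not modelled here.
            plan["other_jurisdictions"].setdefault(r.state, []).append(r.person_id)
    return plan


# Constructed sample breach population.
SAMPLE_RECORDS = [
    AffectedRecord("p1", "PA", {"ssn"}, has_phone=True),
    AffectedRecord("p2", "PA", {"card_number"}),                 # number alone
    AffectedRecord("p3", "PA", {"email", "password"},
                   has_email=True, prior_relationship=True),
    AffectedRecord("p4", "NJ", {"drivers_license"}),
    AffectedRecord("p5", "PA", {"ssn", "account_number"}, encrypted=True),
]

if __name__ == "__main__":
    pprint(triage(SAMPLE_RECORDS, is_service_provider=True))
```

Running the script prints a plan in which p1 (Social Security number, phone on file) and p3 (email plus password, existing customer) need Pennsylvania notice, p2 (card number without any code) and p5 (encrypted) trigger nothing under this definition, and p4 is parked under NJ for a separate check of that state's statute. The point of keeping `COMBINATIONS` as data is that the next state's definition can be added as another table rather than as more branching.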
Data Privacy Standard Documents:
I also decided to search through Lexis+ and Westlaw for any standard documents that would be useful as tools to educate myself on cybersecurity, and I found some very good ones, such as PowerPoint presentations, practice notes, and videos. The last resource I found was a workplace internal data security best practices resource kit. This kit was awesome because it provided practice notes, internal policy templates for businesses, and compliance checklists.
Cybersecurity Tech Basics: Safeguards: Presentation Materials – no date – PowerPoint presentation by Practical Law Data Privacy & Cybersecurity; USA (National/Federal)
Employee Privacy (Federal) 01/10/2024 – Lexis+ Practice Notes
Video: Cybersecurity: Key Considerations for Employers 06/06/2024 – Lexis+ Practice Notes
Workplace Internal Data Security Best Practices Resource Kit 11/17/2023 – Lexis+ Practice Notes resource kit (this includes practice notes, internal policy templates, and compliance checklists!)
Cybersecurity Measures to Protect Employers' Confidential Information and Trade Secrets 02/29/2024 - Practice Notes
Restatements:
To find restatements I searched in Westlaw – Secondary Sources – Restatements – filtered by the topic Data Security, and then searched for “cybersecurity”. Overall, I did not find the restatements very helpful because they only provided more detailed definitions of policy terms and scope. I already knew this, but it was good practice to look through them to verify my knowledge of the topic.
Purpose and Scope of the Data Privacy Principles - Principles of the Law - Data Privacy § 1 (2020)
Data Security and Data Breach Notification - Principles of the Law - Data Privacy § 11 (2020)
Accountability - Principles of the Law - Data Privacy § 13 (2020)
American Law Reports:
I was only able to find two relevant law reports, and they were not the most helpful sources of information. They do provide a history of relevant cases and precedent on data privacy that will be helpful in finding primary sources.
a. Liability of Employer for Breach of Data Security for Employee Information - 87 A.L.R.7th Art. 1 (Originally published in 2023)
b. Employee's Expectation of Privacy in Workplace - 18 A.L.R.6th 1 (Originally published in 2006)
Law Reviews and Journals:
To find some good law reviews and journals I searched Westlaw secondary sources, filtered by the topic Data Privacy, and searched for the term “cybersecurity”. There was actually a lot of information to sift through here, and I was excited to read through the following documents. I was ultimately disappointed because these law reviews were wordy and pointed me towards references I had already seen. No new information was gathered here.
CYBERSECURITY FINALLY TAKES CENTER STAGE IN THE U.S. - Kayla Morency, Cybersecurity Finally Takes Center Stage in the U.S., 15 J. High Tech. L. 192 (2014). – Discussion of what cybersecurity is, and cybersecurity policies in the US. It also discusses congress’s role in cybersecurity, and successes and pitfalls of the cybersecurity framework. Overall, this was helpful to understand the threat that cybersecurity poses to society, but not very helpful to understand how to protect my business from litigation.
MANAGING CYBERTHREAT - Lawrence J. Trautman, Managing Cyberthreat, 33 Santa Clara High Tech. L.J. 230 (2017) – This is a very lengthy document; however, it doesn’t provide real information. I think it helps to emphasize the need to find the information and then points you to a reference that has it (such as a book).
Secondary Source Conclusion & Analysis:
My secondary sources gave me a great foundation in the history of cybersecurity and data protection. I learned about who hackers target, how hackers may attack, and ways a corporation may manage risk. I also learned about some of the best practices that businesses should follow after experiencing a cyber-attack. I found checklists, toolkits, templates and business resources to use that relate to data protection, risk management, and IT policies. I even found some great references within my sources that will lead me to some relevant and foundational data privacy laws. These primary sources of law will help me to understand why businesses protect specific types of data, what data will need to be protected, and the safeguards that must be put in place. I hope to learn what a company is liable for and how to reduce risk.
Primary Sources & Analysis:
After reviewing many secondary sources of law about cybersecurity and data protection I now turn my attention to finding some good primary sources of law. These primary sources of law will help me to keep my new company compliant and protected from litigation. I started my search with the regulatory agencies that are most involved in protecting data privacy. The reason I am starting with regulatory agencies is because I believe they will eventually refer me to relevant statutes and cases, but also these agencies have been referenced many times within my secondary sources.
Federal Regulatory Sources:
The Data Breach Response Checklist seemed to be the most helpful secondary source in referencing federal agencies that participate in protecting data. This is because it lists all of the agencies that must be notified in the event of a data breach. The federal agencies listed in this checklist are…
The U.S. Department of Health and Human Services – enforces HIPAA and HITECH compliance.
The Federal Trade Commission – protection of consumer data and privacy.
The Federal Communications Commission – maintains records of breaches and works with the FBI and law enforcement.
The Securities and Exchange Commission – disclosure of data breaches is required for publicly traded companies.
The Consumer Financial Protection Bureau (CFPB) – disclosure of financial data breaches.
The Federal Trade Commission (FTC) was the only regulatory agency that fit within the scope of my research on data protection considerations when starting a new contracting business.
The FTC has been assigned the tasks of protecting US citizens from scams and fraud such as telemarketing abuses and of protecting consumer information. It references Title 15 of the United States Code, Sections 6101–6108 (the Telemarketing and Consumer Fraud and Abuse Prevention Act). Searching the FTC website's statutes page for “privacy” turns up the FAA Reauthorization Act of 2018, the Children’s Online Privacy Protection Act, the Gramm-Leach-Bliley Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act. Each of these statutes refers back to the federal code provisions that allow the FTC to act to protect consumer data and privacy; the laws that allow the FTC to take up these cases are found within Title 15 or Title 49 of the U.S.C.
§ 5:2. Components of risk-management process secondary source, led me to take a look at the National Institute of Standards and Technology (NIST) Cybersecurity | NIST. “NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public.” Cybersecurity | NIST
NIST has published evaluations of software security, supply chain security guidance, and tools that help support compliance with best practices. Cybersecurity | NIST. NIST is a great resource to learn about best practices, but they do not enforce regulations of their own. They also referenced the Cybersecurity & Infrastructure Security Agency (CISA) Home Page | CISA.
“CISA is a component of the Department of Homeland Security and is responsible for cybersecurity protection” (Bing search: “is CISA a regulatory agency”). Although CISA sits within the Department of Homeland Security, it really only provides guidance, and it seems that it does not enforce any regulations of its own.
I then searched Google to see whether there are any other regulatory agencies I should consider. The Equal Employment Opportunity Commission (EEOC) has a privacy program and Privacy Act regulations that must be followed, codified at 29 C.F.R. Part 1611 (Privacy | U.S. Equal Employment Opportunity Commission (eeoc.gov)).
The federal regulations that will apply to me as a small business owner in the state of PA are few. The FTC is the major agency that will require by law that I protect the PERSONAL INFORMATION of my customers.
All of the other federal agencies only provide recommendations for best practices but refer to the state authorities on cybersecurity issues.
I also wanted to consider how data is protected in the nuclear industry because I believe the level of protection the nuclear industry needs sets the highest standard for cybersecurity. The Information Security | NRC.gov page provides information about classification of data, safeguards, and the relevant federal regulations, such as 10 CFR Part 25 and 10 CFR Part 95. The Cybersecurity | NRC.gov page discusses three levels of cybersecurity for nuclear facilities: the rule on protection of digital computer and communication systems and networks (10 CFR 73.54), the regulatory guidance on cybersecurity programs for nuclear power reactors (Regulatory Guide 5.71), and the industry template for a cybersecurity plan for nuclear power plants (NEI 08-09).
I have not found anything more unique or special about the NRC regulations based on what I have read. It seems that the standards being applied are more formalized versions of the same basic information on protecting data and cybersecurity, perhaps with more redundancy and more frequent analysis of potential risks.
State Regulatory Sources:
Cybersecurity | Governor's Office of Homeland Security | Commonwealth of Pennsylvania (pa.gov) – This is Pennsylvania’s Agency of Homeland Security website. It points you back up to the federal agencies discussed above, specifically the FTC and CISA. No new information was found here.
Statutory Law:
18 U.S.C. § 1030. Fraud and related activity in connection with computers – the federal criminal anti-hacking statute (the Computer Fraud and Abuse Act).
Title 18 - PA General Assembly (state.pa.us) – Pennsylvania’s hacking and similar offenses statute (18 Pa.C.S. Chapter 76, Subchapter B).
USCODE-2012-title5-partI-chap5-subchapII-sec552a.pdf (commerce.gov) – the Privacy Act of 1974 (5 U.S.C. § 552a): federal agencies must safeguard information (does not apply to a private business in PA).
e-government-act-2002.pdf (commerce.gov) – the E-Government Act of 2002: privacy of personal information in electronic records maintained by federal agencies (does not apply to a private business in PA).
After some time searching for Pennsylvania data privacy laws, I don’t think there are any. I’m going to assume that if a company experiences a data breach it may be sued for negligence, where the plaintiff will have to prove:
Duty of care
Breach
Causation
Damages
Alternatively, the plaintiff could sue the company under strict liability for holding and maintaining their personal information. They would still need to prove damages and convince the judge or jury that this is a strict-liability situation. An excellent example of former employees suing a previous employer for negligence is Savidge v. Pharm-Save, Inc.
Savidge v. Pharm-Save, Inc. (3/29/2024): “Two former employees sued employer in state court, alleging various claims including negligence arising from data security breach of employer, which occurred when cybercriminals posed as company executives and obtained employees’ personally identifiable information.”
Holdings: motion for partial summary judgment denied; motion for class certification granted.
While searching through my secondary sources I did come across the California consumer privacy act (CCPA). So, if there was diversity between the plaintiff and the defendant and there was an option to sue in federal court in California, the plaintiff could use this law. https://oag.ca.gov/privacy/ccpa
According to New State Data Privacy Laws in 2024 “There are now 15 states with comprehensive data privacy laws: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Jersey, New Hampshire, Oregon, Tennessee, Texas, Utah, and Virginia. Though currently only California's data privacy law is applicable to employee personnel data”
NOTE: New State Data Privacy Laws in 2024 2/29/2024. (*Not a Primary source, but I just thought this ties in nicely to support this section.)
Case Law:
If I were a litigator and had to research legal precedent for my case, I would identify previous cases that are binding, factually similar, and decided in my favor to help support my arguments. For this paper, however, there is no lawsuit. I am merely trying to find cases that will help me determine how some past rulings on data privacy breaches have gone. This research will help me form a good idea of common litigation tactics, judges’ opinions, and the main statutes being argued in court. To start searching for cases, I first used Google to find some of the most high-profile data breach cases: The biggest data breach fines, penalties, and settlements so far | CSO Online (a source also listed in my secondary sources section).
In re Equifax, Inc. Customer Data Security Breach Litigation (6/3/2021) – Consumers brought a class action against Equifax over the breach of their personal data. The district court approved a class settlement, and the Eleventh Circuit affirmed the approval.
Facebook, Inc., In the Matter of (7/19/2024 last updated) – The FTC alleges that Facebook violated the privacy promises it made to consumers. I believe this matter is still ongoing.
In re Capital One Consumer Data Security Breach Litigation (9/13/2022) – Capital One announced a data breach on July 29, 2019. A class action was filed against both Capital One and Amazon. The court held that Capital One owed the plaintiffs a duty of care under tort law and allowed the negligence claims to proceed; the litigation ended in a class settlement rather than a finding of negligence.
In re Google Assistant Privacy Litigation (7/01/2021) – This is a class action against Google alleging that the company “unlawfully intercepted, recorded, disclosed, and used private conversations of thousands of users,” in violation of the federal Wiretap Act, the federal Stored Communications Act (SCA), and the California Invasion of Privacy Act (CIPA). Google filed a motion to dismiss, which was granted in part and denied in part. The only claim that survived for the plaintiffs was the claim under the federal Wiretap Act.
In re Google Inc. Cookie Placement Consumer Privacy Litigation (11/12/2015) – “Internet users brought actions against internet advertising providers, alleging that providers placed tracking cookies on users' browsers in contravention of browsers' cookie blockers, and asserting claims for violation of the federal Wiretap Act, the Stored Communications Act (SCA), and the Computer Fraud and Abuse Act (CFAA), and for privacy claims and various statutory violations under California law.” The Third Circuit affirmed dismissal of the federal Wiretap Act, SCA and CFAA claims but revived the plaintiffs’ California privacy claims (invasion of privacy under the California Constitution and intrusion upon seclusion).
These cases were all very helpful in learning about how privacy violations can be litigated. I learned about what company behaviors may lead to lawsuits and what statutes were used to rule on these claims. I also learned the claims that are more likely to be held up in court.
Formalizing & Drawing Conclusions
After reviewing secondary and primary sources on cybersecurity and data privacy, I believe I have achieved my goals. The secondary sources I have looked through have helped me to define cybersecurity, hacking, and data breaches. They have helped me to learn about best practices, potential threats, typical safeguards, and the federal and state laws and regulations. The primary sources of information have helped me to review real-life examples of lawsuits and to understand whom to contact after a data breach and why. The primary sources solidify my research and helped me to finally answer the questions about what a company needs to consider about cybersecurity and the state and federal laws that must be followed in the event of a breach.
I can now answer the following questions about what a small privately owned business in Pennsylvania needs to do in order to mitigate litigation. I can also utilize best practices to safeguard against cyber-attacks and understand clearly who and what needs to be protected under the law.
What cybersecurity laws are in my Jurisdiction?
Consumer data is protected by the FTC and, depending on the type of data, may also be protected by other financial and health care agencies.
In the event of a data breach of standard personal information, employees and suppliers will usually file claims of negligence.
For information collected by the company beyond standard personal information, there may be claims for violation of the Wiretap Act, among other things.
Who must be protected?
Consumers, suppliers, and employees (this includes ex-customers, ex-suppliers, and ex-employees)
What types of data must be protected?
Personal Information
Social Security Number
Personal Identification Number or Driver’s license Number
Address
Telephone Number
Email Address
Medical Information
Insurance Information
Account Information
Financial Information
What measures should be taken to protect this data?
Take a look at the modes & methods of cyber-attacks in Table 1.
Use the 4-Components of Risk Management (pg. 5)
Framing
Assessment
Response
Monitoring
Audit
Assess your risks using the 4 common strategies for risk response (pg. 6)
Avoid
Mitigate
Accept
Transfer
Understanding the major sources of risk in your business
Mobile Devices
Cloud Computing
Social Media
Internet of Things
Work From Home
Data Collection & Transfer Points
Ranking high risk to low-risk data types and having a data protection plan
Using checklists, and generating a plan in case of data breach
What are the common industry standards for data protection?
NIST & CISA have formalized standards that regulatory agencies must follow. These standards are recommended for all companies, but not required by law for small privately owned companies.
How to reduce liability regarding cybersecurity?
To reduce liability, a company should follow the NIST standards, create internal data protection standards, understand the risks, and understand the highest-priority data types to protect. If you can prove you have done your best to protect against a data breach, you can hopefully defend yourself well against a tort claim and perhaps minimize damages to those affected by a breach.
What is the best practice after a company experiences a breach of data?
After a company experiences a breach of data, it should
Refer to the Data Breach Response Checklist.
Verify the Breach
Contain & mitigate the breach
Convene the Data Breach Response Team
Investigate and Analyze the Data Breach
Collect Data
Analyze the Contract and Legal Implications
Develop a Communications Plan
Notify Affected Parties
Post-Notification and Breach-Response Review
Review internal data breach policies and procedures
Review the state laws and federal regulations that apply in the event of a breach
Get a lawyer
How to maintain compliance in this rapidly changing field?
Stay up to date on laws concerning data protection, consumer rights, & cyber-security.
Build a team who maintains the company policies and procedures on data protection, cybersecurity, and breach management.
Final Thoughts:
This research paper was a pleasure to work on, although sometimes difficult. I have taken a topic that I knew practically nothing about (especially from a legal perspective) and implemented a strategy to fully understand and answer all of the questions I set out to pursue. I finally feel comfortable enough in my knowledge of this topic to move forward, secure in knowing how to safeguard my data and prevent unnecessary lawsuits. More importantly, I feel very comfortable researching any legal questions I might have in the future.