As cyber threats continue to advance, we are seeing more regulatory changes intended to safeguard data. We are also seeing more litigation as victims of breaches try to recoup their losses. The question at the center of both developments is “Did the breached organization practice Duty of Care?”
In simple terms, ‘Duty of Care’ can be defined as the responsibility of one party to prevent harm to others.
This concept is becoming more prevalent in business operations, and specifically in cybersecurity. Who is responsible in the event of a data breach? If a hospital is hit by a ransomware group that also steals electronic protected health information (ePHI), how is responsibility resolved? Many questions arise:
- Did the hospital do everything reasonable to secure the sensitive data?
- Did they practice due care when managing medical records or networks?
- Was there enough training for new people who access private information?
- Was there a Business Continuity Plan (BCP), and was it followed?
- What Data Loss Prevention (DLP) controls were in place?
- How do they further protect their patients from identity fraud?
- Will cyber insurance cover costs?
When litigators and regulators define Duty of Care, their main focus is requiring organizations to establish ‘reasonable security’. This requirement is included in many privacy laws and proposed bills and is cited in litigation. For those still determining how reasonable security applies to their business, the answer depends on the organization’s risk profile. There are sources to help guide you through the process.
The DoCRA Council. DoCRA stands for Duty of Care Risk Analysis. The not-for-profit presents principles and practices for analyzing risks that address the interests of all parties potentially affected by those risks. Duty of care risk analysis helps organizations determine whether the safeguards they apply appropriately protect others from harm while presenting a reasonable burden to themselves. The DoCRA standard demonstrates how an organization can manage risk in light of its specific mission, objectives, and obligations.
The Sedona Conference. The Sedona Conference is a nonpartisan, nonprofit research and educational institute dedicated to the advanced study of law and policy in specific areas, including privacy and data security law. Its Commentary on a Reasonable Security Test addresses how to evaluate whether an organization’s security was reasonable.
LEGISLATION, ACTS, BILLS with DUTY OF CARE
‘Duty of Care’ as it appears in enacted legislation or proposed rules.
Kids Online Safety Act
SEC 3: Duty of Care
“(a) BEST INTERESTS.—A covered platform has a duty to act in the best interests of a minor that uses the platform’s products or services.
(b) PREVENTION OF HARM TO MINORS.—In acting in the best interests of minors, a covered platform has a duty to prevent and mitigate the heightened risks of physical, emotional, developmental, or material harms to minors posed by materials on, or engagement with, the platform,”
Colorado Privacy Act
6-1-1308. Duties of controllers.
“(5) A controller shall take reasonable measures to secure personal data during both storage and use from unauthorized acquisition. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.”
Data Care Act (DCA)
SEC. 3. PROVIDER DUTIES.
“(a) IN GENERAL.—An online service provider shall fulfill the duties of care, loyalty, and confidentiality under paragraphs (1), (2), and (3), respectively, of subsection (b).
(1) DUTY OF CARE.—An online service provider shall—
(A) reasonably secure individual identifying data from unauthorized access; and
(B) subject to subsection (d), promptly inform an end user of any breach of the duty described in subparagraph (A) of this paragraph with respect to sensitive data of that end user.”
The Massachusetts Information Privacy Act (MIPA) (S46)
SOURCE: Loeb & Loeb
“MIPA regulates automated decision-making and imposes duties of care, loyalty and confidentiality. Further, these duties must be pushed down to any third-party recipient. Covered entities must take reasonable steps to ensure that third parties comply with these duties and obligations. A covered entity must inform the MIPA-created Massachusetts Information Privacy Commission if a data processor or a third party violates the MIPA.”
New York Privacy Act (NYPA)
Duty of Loyalty & Care
“The proposal also contains a “duty of care,” requiring controllers to conduct and document annual, nonpublic risk assessments for all processing of personal data.”
SEC proposes broad new cybersecurity risk management rules for investment advisers and funds. Commission seeks public comment on a wide range of issues in the proposal.
“In the release, the SEC notes that, as fiduciaries, investment advisers owe their clients a duty of care and a duty of loyalty and, as such, already owe an obligation to protect their clients’ interests, which includes minimizing risks that could lead to operational disruptions or the loss or theft of clients’ personal information.”
LITIGATION & SECURITY DUTY OF CARE
News regarding ‘duty of care’ in litigation matters and risk management.
Shareholders Seek to Hold Current and Former SolarWinds Officials Liable for Massive 2020 Security Breach
“the plaintiffs claim the board of directors breached their fiduciary duty of loyalty and care through their bad faith failure to enact proper oversight of SolarWinds’ cybersecurity.”
“Under a duty of care claim, the question becomes whether the directors were informed of all material information reasonably available on the specific, relevant topic, and whether they acted on that information as a reasonably prudent person would.”
SIDDHARTH MEHTA, et al., Plaintiffs, v. ROBINHOOD FINANCIAL LLC, et al., Defendants.
“Plaintiffs further allege that Defendants breached their duty of care in their manner of collecting, maintaining, and controlling their customers’ sensitive personal and financial information.”
BUCKLEYFIRM.COM: District Court: Employees are not “customers” under California Customer Records Act in breach lawsuit
“the U.S. District Court for the Southern District of New York granted a waste management company’s motion to dismiss putative class action data breach claims after determining, in part, that the plaintiffs failed to allege how the company breached any duty of care.”
“In dismissing the case, the court concluded, among other things, that the plaintiffs failed to plead facts showing specific measures that the company did or did not take, such as data encryption, to protect employee data.”
CASETEXT.COM: IN RE EQUIFAX, INC., CUSTOMER DATA SECURITY BREACH LITIGATION
“The Court concludes that, under the facts alleged in the Complaint, Equifax owed the Plaintiffs a duty of care to safeguard the personal information in its custody. This duty of care arises from the allegations that the Defendants knew of a foreseeable risk to its data security systems but failed to implement reasonable security measures.”
JURIST.ORG: New Risks and Old Challenges – Navigating Security Threats in Ukraine to Deliver Humanitarian Aid
“Security managers have been forced to closely look at their IT and cyber security infrastructure to protect the data of their staff and beneficiaries in line with their duty of care obligations, the Do No Harm principle, as well as legal GDPR requirements.”
FINANCIALEXECUTIVES.ORG: Duty of Care: The Board’s Role in Navigating Foreseeable Risk
“At the end of the day, there is no doubt that it is within the board’s duty of care to provide meaningful cybersecurity oversight and to hold management accountable.”
Kathryn M. Rattigan, J.D. of ROBINSON+COLE: Flying Cameras: Gaps in Drone Regulation and How Courts Can Fill Them … at Least for Now
“Faced with another disruptive technology, courts today will likely develop case law that: 1) redefines the duty of care for drone operators for the audio or visual data that they collect in-flight which infringe on the seclusion of others,”
We will continue to post updates on ‘duty of care’ and ‘reasonable security’ developments, along with resources to help organizations achieve compliance and mitigate risk.