Heartbleed bug

By Kelly Frey

In the digitally driven marketplace, most companies understand that personal data collected on their websites must be protected. What isn’t quite so obvious is that even when a business exercises due diligence in protecting such data, it can still be liable for loss of data caused by external security flaws, such as the recently exposed and deeply pervasive Heartbleed bug. That bug, a defect in the widely used OpenSSL encryption library, let an attacker read chunks of a server’s memory, and with it the passwords, session data and private keys that OpenSSL is designed to protect.

Could small businesses using OpenSSL encryption have thwarted the Heartbleed flaw outright? Probably not. It was a defect in the library itself, present since OpenSSL 1.0.1 was released in 2012 and undetected until its public disclosure in April 2014, and a business merely deploying the library had no practical way to find it before then. But regardless of whether your business could have discovered or fixed the bug, it could still be liable for damages resulting from it.

The Power of Policies

All websites need to have “Terms of Use” and “Privacy Policy” provisions that inform users of the nature of the site’s security measures and how personal information is used. But the boilerplate language in these policies sometimes references specific standards for protecting data and customer information, and a business that fails to live up to the standards it has publicly promised can incur legal liability.

In the instance of the Heartbleed bug, many companies were not prepared to fix the problem immediately once it was disclosed. So while off-the-shelf Terms of Use and Privacy Policy provisions may have worked fine for “business as usual,” their language did not anticipate, and could not adequately protect businesses from, consumer liability for loss of data through Heartbleed.

Additionally, a business’s failure to comply with its own Terms of Use or Privacy Policy can lead to civil and class-action lawsuits or even federal agency sanctions. And a failure to adequately notify consumers of data breaches or the loss of their personally identifiable information can result in violations of state breach-notification laws.

The Takeaway 

Though most of the websites vulnerable to the Heartbleed bug have since been patched, other flaws in Internet security will inevitably arise. Business owners and CIOs should use this opportunity to think ahead about how to protect their customers and themselves before they find themselves in a sticky legal situation.

  • Revisit privacy and security policies. All companies need to post privacy and security policies on their websites and keep them current. At least once a year, and after any significant security vulnerability, review your security procedures and your posted privacy and security policies to ensure they are factually correct, consistent with industry standards, and tailored to the digital environment in which your business actually operates.
  • Be ready to respond. It is critical for companies to have explicit remediation processes in place to address security issues quickly. Heartbleed showed what that means in practice: upgrading OpenSSL was only the first step, and because the bug could have exposed private keys and user credentials, affected sites also had to replace their certificates and have users reset passwords, all within days of disclosure. For smaller businesses, this may require hiring someone with Internet security expertise or retaining consultants who can assist in responding quickly. Failure to respond adequately to security issues could substantially increase your business’s legal risks and liability.
  • Plan for “the next bug.” If your business is going to engage in digital commerce, you must build the security risks inherent in the Internet into your budget and planning. Allocate funds both to prevent security breaches and to deal with them quickly when they do occur. Make sure your insurance policies cover liability associated with security breaches and loss of data. Also, keep an “escalation list” of professionals such as lawyers, digital forensic specialists and public relations advisers who can immediately assist with damage control and remediation if your consumers’ information is compromised.

Kelly Frey is a partner in the Nashville office of Dickinson Wright, PLLC.  He focuses his practice in technology law and intellectual property law.  Reach him at [email protected] or (615) 620-1730.