As cyberattacks continue to grow in frequency and sophistication, regulators and law enforcement are demanding that companies report data breaches within short timeframes. The Justice Department is also targeting federal contractors that misrepresent their cybersecurity practices with False Claims Act litigation.
Data, privacy & cybersecurity partner Ed McNicholas told Law.com, “That would be another potential line of liability for executives, not to mention shareholder derivative actions and securities actions you’ll see in a civil context.”
And the SEC, with strict data-breach-reporting rules for public companies that are expected to be finalized this year, may be a tougher enforcer than even the DOJ, McNicholas said. “All in all, there’s a plethora of potential avenues for executives to be held personally liable both on civil and criminal grounds for failing to report a data breach; the effect of which will make executives much more likely to err on the side of reporting a data breach earlier.”
McNicholas said that while civil actions, not necessarily criminal charges, will be the primary driver of enforcement against executives, security chiefs will still be tested on how best to handle data-breach reporting.
“I think a security chief will be put in a much more difficult circumstance in terms of not wanting to disclose a vulnerability in their company but needing to comply with the law,” he said. “It is, and will remain, a balancing act.”