Every business, regardless of sector or industry, is covered by a privacy law or regulation. In our last two posts we addressed common cybersecurity threats, and the different types of cybersecurity exposures. In today’s post, we look at types of civil and regulatory liability created by state and federal law.

Information Security and Regulatory Risks by Ryan J. Cooper

The Consumer Sector

The most common privacy laws are state data breach notification laws. Forty-eight states, the District of Columbia, and Puerto Rico each have a specific law that may apply if a business is the victim of a data breach. Each state’s data breach notification law has specific terms. For some, the law applies if information has been accessed without authorization. For others, the data must have been acquired without authorization. Complicating matters, the applicable law is not necessarily determined by the location of the business, but rather by the residence of the individual whose personal information was accessed or acquired.

In the event of a breach, a business that does not comply with the applicable law’s requirements may be subject to state investigation and civil lawsuits, including class actions. Any business that holds data on employees or individual consumers should be prepared to incorporate data breach notification into its cybersecurity plan.

The Financial & Healthcare Sectors

Specific sectors, such as financial services, are subject to additional laws and regulations. At the federal level, Title V of the Gramm-Leach-Bliley Act (GLBA) has produced regulations known as the Privacy Rule and the Safeguards Rule, governing how covered financial businesses handle and protect consumer information.

The healthcare sector is subject to numerous regulations, including the Health Insurance Portability and Accountability Act (HIPAA). Like GLBA, HIPAA applies to certain covered entities and their vendors, and similarly regulates both information privacy and information security.

At the state level, New York’s Department of Financial Services has recently implemented comprehensive cybersecurity regulations covering a wide variety of businesses, including insurance brokers, check cashers, private bankers, mortgage servicers, and numerous others. The regulations are particularly impactful because they also reach the third-party vendors who service covered entities, including law firms, e-discovery vendors, and many others.

Businesses that fail to comply with these laws and regulations face a host of potential penalties. Beyond regulatory investigations, each statute carries significant penalties and fines, and where a violation leads to consumer harm, a business may also find itself subject to lawsuits and class actions.

Comprehensive Information Security Plans

A comprehensive information security plan can mitigate most of the risks we’ve discussed in this series, as well as many we haven’t touched on. Such a plan should be tailored to each business’s specific operations and risk profile. Experienced information governance counsel can walk you through the steps of implementing the administrative, technical, and physical safeguards needed to protect your business’s information assets while mitigating regulatory risk.


Ryan J. Cooper, Esq., CIPP/US
600 Linden Place
Cranford, NJ 07016