A Texas senator has proposed a bill that would make it harder for victims of data breaches to file class-action lawsuits against companies that mishandled sensitive data.
The 2018 Senate bill, sponsored by Republican state Sen. Shane Reeves, would require “private companies to be exempt from liability for cybersecurity events unless the cybersecurity event was caused by intentional, wrongful conduct, or gross negligence on the part of the state” and would declare no civil liability in a class action lawsuit. This means victims must prove that the cybersecurity practices of the companies involved were insufficient to prevent the attack.
What does this bill say about corporate cybersecurity?
At a public hearing on the bill, Reeves explained the rationale behind his idea: “Filing a lawsuit when they're trying to get back on their feet…if they're doing the best they can, they shouldn't have to spend millions of dollars to climb out of the hole.”
The proposed bill appears to take a “not if, but when” approach to cyberattacks, suggesting that if a hacker wants to steal data from a company, it can and may be stolen even if cybersecurity defenses are in place. While this is a good approach when deploying threat prevention protocols, since it means protecting your business from as many angles as possible with the goal of stopping cyberattacks before they can make their way through your network, it is a worryingly defeatist view of the fight against cyberattacks from the government's perspective.
While companies need to prepare themselves for cyberattacks and build cybersecurity defenses (including training their employees in similar ways), it is important to prevent and mitigate attacks as quickly and easily as possible.
Impact of human error and cyberattacks on legislation
The bill would not block all class action lawsuits after a data breach, but it would make it more difficult for victims to seek justice after a data breach. This is partly due to the nature of cyber-attacks.
STX Next research found that even though 90% of CTOs have implemented multi-factor authentication and 91% are using identity access management technologies for corporate security, 59% of CTOs said human error is their biggest cybersecurity threat. This shows that even if an organization has robust cybersecurity, data breaches can still occur and will continue to occur.
That said, the bill states that cybersecurity incidents caused by “intentional, tortious conduct, or gross negligence” are still subject to litigation, and in fact, this means that cyberattacks caused by employees who accidentally allow hackers to access their network may still be allowed in court.
But if that's the case, the bill may not be as effective as Sen. Reeves hopes. Studies by various cybersecurity organizations have shown that 82% to 95% of all cyberattacks are caused by human error. Therefore, whether a company can be sued seems to ultimately depend on whether the human error is determined to be intentional, wrongful, or grossly negligent.