[BreachExchange] Corporate Cybersecurity Can Only Be as Strong as Your Weakest Link

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 10 18:38:43 EDT 2017


http://www.jdsupra.com/legalnews/corporate-cybersecurity-can-only-be-as-37145/

While corporate executives are increasingly becoming aware of *their*
obligation to be informed of cybersecurity threats and the steps being taken
by their company to prevent data breaches, it is equally important for
executives to ensure that the employees are educated with respect to cyber
threats. The data breach prevention protocol of a company may only be as
strong as its weakest link.

Negligence or recklessness by a company’s employee which contributes to a
successful data breach may expose the company to liability. For example,
employees may create risk by negligently clicking on what is deemed to be
an obvious phishing link, or recklessly updating social media.

The scope of negligence in the cyber context remains largely unexplored by
case law. However, given the increasing awareness of the frequency and
nature of cyber threats, the standard of care owed by a company to those
individuals whose personal data is stored may expand. With this expanded
duty, companies could be exposed to increased vicarious liability for their
employees’ mistakes.

Vicarious Liability: The Test

A company may be vicariously liable for an employee’s negligent acts if the
acts are committed in the course of employment. This test gives rise to two
questions: (1) who is an employee and (2) what activities are committed in
the course of employment?

Who is an employee?

The question of who is an employee for purposes of determining vicarious
liability is not as simple as determining whether an individual is
designated an employee by the company.

Generally, a party is not vicariously liable for the tortious actions of an
independent contractor.1 In determining whether a party acts as an employee
or as an independent contractor, courts consider a number of factors
including the amount of control exercised over the worker, whether the
worker uses his or her own equipment, whether the worker hires independent
help, whether the worker takes on financial risk, the degree of
responsibility for investment and management held by the worker and the
worker’s opportunity for profit.2

Do not assume that because someone is not designated as an employee,
liability for cyber breaches does not flow from their negligent, reckless or
intentional conduct.

What activities are committed in the course of employment?

Activities committed in the “course of employment” include activities that
the employer authorizes, as well as activities carried out by the employee
using the authority granted to them by the employer.3 If the employer did
not authorize the wrongful activity, the court will consider whether the
employer “introduced the risk of the wrong”.4 Put another way, the court
may consider whether the employer cloaked the individual with the authority
through which they committed the wrong.

Do not assume that because an employee is not authorized to engage in
particular tasks that the company will not be exposed to the employee’s
negligent or reckless conduct in connection with cyber threats.

Conclusion: Application in Cybersecurity

In the world of cybersecurity, the actions of an organization's employees
are critical. Companies must train employees around cybersecurity risks and
ensure sufficient oversight of employees with access to personal data.

Data breaches are inevitable; but liability for those breaches may be
minimized. Proper training and supervision of employees is an essential
element of data breach prevention.