Tennessee bill proposes restrictions on victims suing data-breached companies

A Tennessee state senator has proposed a bill that would make it harder for victims of data breaches to launch class action lawsuits against the companies that mishandled their sensitive data.

Senate Bill 2018 was proposed by Republican state Senator Shane Reeves and "declares a private entity to be not civilly liable in a class action resulting from a cybersecurity event unless the cybersecurity event was caused by wilful, wanton, or gross negligence on the part of the private entity," meaning that victims would have to prove that the cybersecurity practices of the company involved were insufficient to prevent the attack.

What the bill says about corporate cybersecurity

In a hearing about the bill, Reeves explained the reason for its conception, saying: “We can’t stop that attack, but what we can do is try to put things in place so that they’re not being caught up in civil action lawsuits when they’re just trying to get back on their feet… If they’re doing what they can, then they should not have to spend millions of dollars to climb out of a hole.”

The proposed bill appears to take a "not if but when" approach to cyber attacks, implying that if hackers want to steal data from a company, then they can and will, even if the company has cybersecurity defenses in place. This is a good approach to putting threat defense protocols in place, as it means the company is protected from as many angles as possible with the aim of stopping the cyber attack before it can progress through the network. From a governmental standpoint, however, it is a worryingly defeatist way of looking at cyber attacks.

While companies should absolutely prepare themselves and build their cybersecurity defenses as though they will suffer cyber attacks (including training staff in a similar way), the point of doing so is preventing and mitigating cyber attacks as quickly and easily as possible.

How human error and cyber attacks may impact the bill

While the bill would not block all class action lawsuits following data breaches, it would make it more difficult for victims to find justice following data leaks. This is, in part, down to the nature of cyber attacks. 

When surveyed by STX Next, 59% of CTOs said that human error is the biggest cybersecurity threat to their organization, despite 90% of them deploying multi-factor authentication, and 91% using identity access management technology for company security. This shows that even if organizations have robust cybersecurity, data breaches can, and will, still happen. 

With this being said, the bill does note that cybersecurity incidents caused by “wilful, wanton, or gross negligence” are still fair game for litigation, meaning that in practice cyber attacks caused by employees mistakenly allowing hackers access to their networks may be accepted in court.

If this is the case, however, then the bill may be less effective than Senator Reeves wants it to be: research by various cybersecurity organizations has found that between 82% and 95% of all cyber attacks are caused by human error. It appears, then, that whether or not a company can be litigated will come down to whether or not this human error is judged to be wilful, wanton or grossly negligent.

Olivia Powell
Commissioning Editor for Tech Software

Olivia joined TechRadar in October 2023 as part of the core Future Tech Software team, and is the Commissioning Editor for Tech Software. With a background in cybersecurity, Olivia stays up-to-date with all things cyber and creates content across sites including TechRadar Pro, TechRadar, Tom’s Guide, iMore, Windows Central, PC Gamer and Games Radar. She is particularly interested in threat intelligence, detection and response, data security, fraud prevention and the ever-evolving threat landscape.