June 6, 2018


Cybersecurity Legal Compliance Update: Spring 2018 Brings Sea Change to Data Breach Notification Laws

Key Recent Developments:

  • GDPR Goes Live in the EU with Global Reach and Tough New Data Breach Notification Requirement.
  • Arizona and Other U.S. States Toughen Data Breach Notification Laws Amidst Escalating Cyber Threats.
  • South Dakota Becomes the 49th State to Adopt a Data Breach Notification Law and Includes an Expansive Definition of “Breach.”
  • Alabama Becomes the Last State to Adopt a Data Breach Notification Law, But Opens the Door to Even Higher Evolving Cybersecurity Standards.
  • Existing State Data Breach Notification Standards Prove Critical in Community Banks’ Legal Challenges in Pursuing Retailer in Massive Credit Card Data Breach.

 I. Introduction – 2018 Brings “Cybersecurity Spring”

               “Cybersecurity Spring” would be an apt name for this season in 2018. In the aftermath of the Equifax and other massive data breaches in previous years, the first five months of 2018 have ushered in data breach notification requirements that are both broader and tougher. These tougher legal requirements coincide with the arrival of the May 25, 2018 enforcement date of the European Union’s globally reaching General Data Protection Regulation (GDPR). It is no overstatement to say that spring 2018 marks a sea change in the legal and regulatory environment for cybersecurity standards. The legal landscape for cybersecurity and data privacy requirements is undergoing dramatic changes this year, and businesses need to adjust their risk-management efforts accordingly.

               The GDPR imposes stringent uniform and mandatory data breach notification requirements for the first time in the European Union (EU). These requirements drastically shorten the time available to respond to a data breach involving protected personal data from an EU resident. At the same time, several U.S. states, including Arizona, have strengthened their existing data breach notification requirements. In addition, the final two states that lacked such requirements, South Dakota and Alabama, recently adopted new cybersecurity statutes. Businesses now face data breach notification requirements in all 50 states, with potential monetary penalties for violations in many jurisdictions that are significantly higher than ever before.

               The foregoing legal changes are being driven by an escalating public concern arising from the cyber threat environment. Former FBI Director Robert Mueller ominously stated back in 2012:

I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.

               Recent headlines demonstrate that his prediction is proving truer by the day. For example, on the Monday following the GDPR’s Friday, May 25, 2018 enforcement date, the Bank of Montreal and Canadian Imperial Bank of Commerce reported that cyber attackers may have stolen the personal data of nearly 90,000 customers. The Canadian banks reported that the criminal hackers demanded payment of one million dollars, payable in a cryptocurrency, and threatened to post the stolen personal data online if the criminals’ demands were not met. Earlier in May 2018, the Mexican central bank reported that thieves may have stolen more than 15 million dollars’ worth of pesos in another hack. In the face of these waves of cyber-attacks, the trend for governments to tighten cybersecurity requirements for businesses will certainly continue.

               The key takeaway point is that businesses need to stay abreast of this trend as it reshapes the legal landscape and risk profile for cybersecurity. With respect to the 50 states with data breach notification statutes (plus the District of Columbia) now in place, the legislative trend toward replacing flexible standards with hard deadlines is spreading – with serious monetary penalties for late compliance. The need to be fully prepared to respond to a data breach incident has grown far more urgent than it was in 2017. Consequently, businesses should make sure they have well-conceived incident response plans in place to prepare to handle data breach incidents.

               These laws create a sea change in the need to be prepared to respond promptly to data breaches. The trend toward tougher data privacy protection and breach notification requirements will expose businesses that form weak links in the chain of connected payment networks to substantial fines and damages. The landscape will undoubtedly look very different after 2018 than before, with the changes permanently altering best practices for prudently managing cybersecurity-related legal and regulatory risks.

II. GDPR Goes Live with Global Reach and Sweeping Potential Implications for U.S. Businesses

               The General Data Protection Regulation (GDPR) has been on the books in the European Union since 2016, but the regulation only became fully enforceable on May 25, 2018. For those who may still be wondering if there is a grace period, there was and it expired on that date. The GDPR provides for potentially massive monetary penalties for certain categories of violations up to a maximum of 20 million euros or four percent of global revenues (whichever is higher), in addition to imposing liability for damages.

               The GDPR unleashes the legal equivalent of a hurricane upon the landscape of data privacy and security law. Although the GDPR protects the personal data only of people (known as “data subjects”) in the European Union, the regulation has global reach: The GDPR applies to businesses anywhere that control or process that data. Businesses that do not target customers in the European Union might be exempt from certain requirements under the GDPR, but the protections for personal data will still apply if the business controls or processes the personal data of an individual in the EU in connection with the “offering of goods or services.”

               A lot of local businesses in Arizona may find that they fit into that category because they have personal data regarding at least one EU resident. (By the way, despite “Brexit,” the United Kingdom has already announced that the GDPR will apply there, too.)

               Among the GDPR’s most salient features are that living persons (not legal entities) in the EU (known as “data subjects”) have:

  • the right to request and receive copies of their personal data from any business; 
  • the right to have their personal data transferred from one to another business;
  • the right to have their personal data deleted (which is known as the right of erasure, or the “right to be forgotten”);
  • the right to object to inaccuracies and have them corrected; and
  • the right to object to having computers use software to make important decisions regarding them without human judgment.

               These rights are limited or superseded in many circumstances, but businesses generally need to respond to these requests within 30 days. Having the technological and logistical ability to respond to these requests has required and will require businesses to make changes to their information technology systems.

               Requiring businesses to make changes to their information technology systems is a feature, and not a bug, of the GDPR. The GDPR requires businesses not only to use appropriate cybersecurity or data protection measures, but also to deploy a set of principles called “privacy by design.” These principles, once aspirational, now exist as a legal requirement. “Privacy by design” reflects the EU’s intention that businesses effectively “bake” privacy protection into the way they design and implement their information systems and related policies and practices.

               The GDPR is far more than a set of technological or logistical requirements. The GDPR requires businesses to adopt data privacy and cybersecurity-focused changes to their policies, practices, training, and company cultures. The EU intends awareness of the GDPR and related requirements to become a new business norm, with future-proofing embedded into the law based on an explicitly acknowledged awareness that technology will continue to evolve.

               There are a lot of details and complexities to this new data privacy law; it has 99 articles. The GDPR also has a built-in principle of accountability. Under the accountability principle, businesses must document their efforts to comply with the GDPR. The accountability principle allows for a degree of flexibility, so long as businesses properly consider their compliance strategies – but businesses covered by the regulation need to be prepared to demonstrate how they accounted for their compliance and adjusted it for their circumstances in light of the risks presented.

               For example, many businesses rely on computer backup tapes, often stored in remote locations, to back up their data. Doing so is absolutely critical to protect against the risk of many types of cyber threats, including against ransomware. The GDPR does not yet require that businesses have the capability to delete the personal data of EU persons from such backup tapes. However, if a business does not plan to delete personal data upon request in such circumstances from its backup tapes, then that business should prepare appropriate memoranda documenting their reasoning process.

               Practically all of us have recently seen our email inboxes flooded with notices regarding updated privacy policies from businesses that consider us to be past customers, and requests to confirm our consent to receive certain marketing materials from those businesses.

               The GDPR generally requires that businesses covered by the regulation document the consent of recipients of businesses’ electronically delivered marketing materials and provide an easy way to opt out of receiving those materials. Privacy policies must be written in easily understood language that is more likely to be read by recipients. Documented consent is not the only basis for sending electronic communications – legal or other legitimate grounds will suffice. However, consistent with the GDPR’s accountability principle, businesses should document their grounds or justifications for their electronic communications, at least where those grounds are not apparent.

               Another critical aspect of GDPR for certain businesses – particularly those that handle massive amounts of personal data or particularly sensitive data (like health, financial, or criminal records) of people in the EU – is that those businesses can be required to designate a “Data Protection Officer.” This “DPO” must have direct reporting access to the highest level “C-Suite” executives in their companies.

               A critical aspect of the GDPR is that it requires that businesses notify their supervising governmental authority (usually an Information Commissioner’s Office or “ICO”) within 72 hours of discovering a data breach. Those are 72 hours, period, not 72 business hours. It won’t matter if the breach is discovered in the middle of the night, or on a weekend or holiday, or both (which frequently happens with hackers).

               This EU-wide mandatory data breach notification deadline constitutes a huge change in Europe (which previously fell behind most of the U.S. states in that regard). Furthermore, 72 hours is a far shorter deadline than what U.S. businesses have faced to date. That deadline will set a benchmark for how promptly many businesses should be prepared to respond to data breaches. As a practical matter, that level of preparation requires that businesses review their data breach incident response plans – as well as their intrusion detection systems – to ensure that their lines of reporting and decision-making are ready to respond extremely rapidly.

               In the United States, data breach notification requirements are governed by state law. As of spring 2018, all 50 U.S. states have enacted data breach notification laws. The current deadlines under those laws are generally between 30-60 days, and most states still don’t have hard deadlines. (Until this year, for example, Arizona didn’t have a specific deadline for data breach notifications, but that has changed, as discussed below.)

               Critically, as previously noted, any business subject to the GDPR should be prepared to provide the required breach notification to a supervising authority within 72 hours. Such a short window requires substantial advance preparation. Aside from that extremely tough deadline, businesses are also required to notify the affected individuals without undue delay. When a business has prioritized and notified an EU supervising authority within 72 hours, it may become more difficult to justify waiting as long as allowed under U.S. state laws before notifying affected customers. Even if legally allowed to wait longer to notify individuals when their personal data have been breached, businesses will face reputational risks when any delays take place. The history of data breaches to date has shown that these public relations risks can be as severe as, or worse than, the legal risks faced by many businesses if they suffer a high-profile data breach.

               The GDPR’s much tougher data breach notification requirement did not come into effect in a vacuum.  The May 25, 2018 enforcement date of the GDPR arrives in the context of an already existing trend gathering strength in the U.S. to impose tighter requirements for data breach notifications. It is important to recognize that, while the GDPR has understandably been receiving a massive amount of media attention, the data breach notification requirements are independently getting tougher in the United States as well.

III. Arizona and Other States Toughen Data Breach Notification Laws Amidst Escalating Cyber Threats

               In advance of the GDPR’s May 25, 2018 enforcement date, several U.S. states, including Arizona, amended their own data breach notification statutes to strengthen data privacy. Their unmistakable message marks the spring of 2018 as a pivotal year with respect to the legal landscape for data security, with cybersecurity standards going higher and getting tougher.

A. Arizona Expands and Toughens Mandatory Data Breach Notification Statute

               On April 11, 2018, Governor Doug Ducey signed House Bill 2154 broadening Arizona’s definition of protected “personal information,” and imposing a hard deadline for reporting data breaches for the first time in the state. The new statute becomes effective on August 3, 2018.

               Earlier in the year, Arizona Attorney General Mark Brnovich announced that his office had helped draft State Representative Shope’s bill, HB 2154 (Personal Information; Data Security Breaches). Attorney General Brnovich stated at the time:

Over the past several years, millions of Arizona residents have had their personal information compromised by cybercriminals. A stronger data breach notification law would not only protect consumers, it would provide clarity to businesses and government agencies about their obligations after a data breach.

               Regarding his introduction of the bill, Rep. Shope stated: “Arizonans have a basic right to have their private information remain just that, private.”

               Having helped craft and support HB 2154, the Arizona Attorney General has publicly made strengthening cybersecurity in the state a top priority for his office this year. In an interview with the International Association of Privacy Professionals, Attorney General Brnovich (discussing his goals as the current Chairman of the Conference of Western Attorneys General (CWAG)) pointed to the pivotal nature of legal changes regarding cybersecurity in the aftermath of recent data breaches and privacy scandals:

2018 is the year to have some frank conversations about privacy and data security issues. In the wake of the massive Equifax data breach and now the Facebook privacy controversy, these discussions are timely and necessary. Over the last several years, state attorneys general have taken on an increasing role in addressing complex legal issues of this magnitude, and my goal is that protecting the privacy of our citizens becomes the focus of our next big bipartisan effort.

               The passage of HB 2154 and its being signed into law by Governor Ducey, a former businessman whose platform includes his “Regulation Rollback” program to reduce business regulations, unmistakably reflects how 2018 marks a sea change in cybersecurity-related legal requirements. Consistent with his intention to make strengthening cybersecurity in the state a priority, on March 1, 2018, the Governor issued an executive order forming an Arizona Cybersecurity Team to “enhance collaboration among government, private sector, law enforcement, non-profit organizations, higher education, and the greater Arizona community to address cybersecurity statewide and advise and provide recommendations to the governor.” After years of ever-worsening data breaches, we have reached a critical tipping point when government leaders are pressing to make cybersecurity a priority, and doing so includes imposing penalties on businesses if they do not provide prompt data breach notifications to affected individuals.

1. Expanded Definition of “Personal Information” Within the Scope of Protected Personal Data

               Reflecting changes relating to modern data protection technologies as well as the escalating breadth and number of cyber-attacks, HB 2154 expanded Arizona’s prior statutory definition of "personal information" to include biometric data, such as the data used in fingerprint or facial recognition scanners ubiquitous on modern smart phones. The definition of “personal information” was also expanded to include health insurance (medical or mental health) as well as diagnosis and treatment information, and to include, among other things, login information for online accounts, and private keys used to authenticate or sign electronic records.

               These changes align Arizona with a more expansive scope of legal protection for data – part of the current trend in the United States and elsewhere – reflecting an updated view of the additional categories of information that are targeted by hackers. While not as encompassing as the GDPR’s extremely expansive definition of “personal information” subject to protection (which reflects deeply rooted historical concerns in Europe about politically oppressive uses of personal information), Arizona’s newly adopted definition places considerably more information of potential commercial value to cyber criminals under protection.

2. Specific Relief for Breach of Login Information for Online Accounts

               With respect to breaches that are limited to the login credentials – typically a person’s online username and password – HB 2154 specifically allows for a type of notice to users that directs them to change their passwords. Account holders should also be directed to choose different security questions and answers for password resets and other purposes.

3. Brand-New Hard Deadline for Data Breach Notifications of 45 Days

               Like most current data breach notification statutes, Arizona’s prior statute required that in the event of a data breach, notice should be provided "in the most expedient manner possible and without unreasonable delay." The requirement for reasonable promptness has come under increasing attack by legislators throughout the country as too ambiguous and inadequate in the face of delays in several massive data breaches, including 2017’s staggeringly severe Equifax breach affecting practically all Americans who have credit records. With HB 2154, Arizona will require that notice be provided within 45 days after a “security system breach” has occurred. In its original draft, HB 2154 included a 30-day deadline, but that timeline was increased after some members of the business community expressed concerns based on experience with handling breaches. If the breach involves more than 1,000 affected individuals, then the business suffering the breach must also notify the Attorney General and the three largest nationwide consumer reporting agencies.

4. Significantly Increased Potential Civil Penalties

               Before HB 2154, the Attorney General could seek a $10,000 civil penalty "per breach of the security system or series of breaches of a similar nature." The newly amended statute increases the potential penalties to “the lesser of ten thousand dollars per affected individual or the total amount of economic loss sustained by affected individuals," with a "maximum civil penalty from a breach or series of related breaches" of $500,000.

B. Like Arizona, Oregon and Delaware Broaden and Toughen Their Data Breach Notification Statutes

               Paralleling the changes Arizona made, Oregon and Delaware have recently amended their data breach notification statutes to broaden the scope of their protection of personal information and to impose hard deadlines for notifying affected individuals. Both states expanded their definitions of “personal information” to include biometric data as well as health and insurance information. Also, like Arizona’s new statute, Oregon’s newly amended statute – which became effective on June 2, 2018 – provides a business with a deadline of only 45 days to notify affected individuals of a data breach. Delaware’s new statute – which became effective on April 14, 2018 – includes a slightly longer 60-day deadline.

               In addition, Delaware’s statute now includes a requirement that businesses provide one year of free credit monitoring to affected individuals if the data breach included their Social Security numbers. In doing so, Delaware joined California and Connecticut in imposing this additional requirement.

               Delaware’s recent amendments also include a requirement that expressly governs and imposes cybersecurity standards for companies in Delaware that “own, license, or maintain personal information.” Such companies must “implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.”

C. South Dakota Becomes the 49th State to Adopt a Data Breach Notification Law and Includes an Expansive Definition of “Breach”

               Further reflecting the trend toward tougher legal requirements relating to cybersecurity, the last two states – South Dakota and Alabama – passed their data breach notification statutes this past spring. South Dakota was the 49th state to pass a data breach notification law, followed by Alabama as the 50th state. Both states included provisions with potentially wider implications for businesses, as cybersecurity standards continue to develop in this rapidly changing environment of accelerating cyber threats.

               South Dakota’s new law, Senate Bill 62, takes effect on July 1, 2018. Consistent with the trend toward imposing hard deadlines for notifying individuals affected by a data breach, the new South Dakota statute sets a deadline of 60 days for sending out notifications, unless an exception applies. Penalties may reach up to $10,000 per day per violation, plus legal fees and costs incurred by the state attorney general.

               In addition to imposing requirements similar to those imposed under other states’ data breach notification statutes, South Dakota includes an explicitly broadened definition of an “unauthorized person.” Under South Dakota’s new law, an “unauthorized person” includes a person who was actually authorized to access the personal data (such as an employee or agent allowed to use the computer system), but who “has acquired or disclosed the personal information outside the guidelines for access or disclosure established by the information holder.”

               This expanded definition explicitly makes an insider or agent (or potentially a vendor authorized to have such access) effectively a “hacker” for purposes of the statute because it defines a “breach of a security system” as “the unauthorized acquisition of . . . personal or protected information . . . .” Although a breach caused by an insider or agent is presumably already covered by data breach notification statutes similar to South Dakota’s new law, its expanded definition of “unauthorized person” serves a purpose consistent with the heightened intention to change business cultures. The expanded definition reinforces that businesses must diligently police and protect personal data internally through appropriate policies and practices.

D. Alabama Becomes the 50th, But Not to Be the Least, Opens the Door to Even Higher Evolving Cybersecurity Standards

               On March 28, 2018, Alabama became the 50th state to pass a data breach notification statute. The “Alabama Data Breach Notification Act of 2018” (Senate Bill 318) became effective on June 1, 2018.

               Although Alabama was last, it made sure it was not least by expressly incorporating cybersecurity requirements. Many of the older data breach notification statutes were focused on the more limited purpose of ensuring that businesses notify their customers affected by a data breach. (As discussed below, the limited purpose of an older generation data breach notification statute became a critical limitation on the potential liability of a retail store chain in successfully defending against a lawsuit brought by several banks that suffered losses from the chain’s massive data breach.)  

               The new Alabama statute requires that covered entities, if not already subject to federal or other state laws, regulations, or other requirements regarding data breaches, “must implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security . . . .” In this fashion, Alabama’s statute imposes a requirement similar to that of the GDPR (and of Delaware, as noted above), which requires that covered businesses deploy appropriate cybersecurity measures without specifying them.

               The Alabama approach implicitly requires standards to evolve with technology and the circumstances, which presumably include the business’s situation, the nature and risks of the data being stored and processed, and the nature of the cyber-threat environment.

               Alabama’s statute refers to the following factors as being pertinent to what qualifies as “reasonable security measures”: 

  • Designation of an employee(s) to coordinate the covered entity’s security measures to protect against a breach of security;
  • Identification of internal and external risks of a breach of security;
  • Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards;
  • Retention of service providers that are contractually required to maintain appropriate safeguards for sensitive personally identifying information;
  • Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information; and
  • Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.

               These cybersecurity requirements already existed (as acknowledged and referenced in the Alabama statute) for regulated businesses storing particularly sensitive personal data such as banks and healthcare providers, who have security standards arising from federal laws and regulations. However, for businesses in industries not previously subject to heightened data security standards, Alabama’s recital of several cybersecurity practices (including an explicit requirement to engage in risk assessments) reflects a considerable and direct expansion of the requirements imposed on their storage and use of personal data.

               In another aspect that echoes the GDPR’s requirements, the Alabama statute contains a data disposal provision. The GDPR generally requires that businesses keep data only for as long as needed for a legitimate purpose, or to comply with legal requirements. Similarly, the Alabama statute requires covered entities “to shred, erase or otherwise modify sensitive personally identifying information contained in records when the records are no longer to be retained pursuant to applicable law, regulations or business needs.”

               In expressly imposing cybersecurity requirements on businesses that store or process personal data, Alabama has joined the states that are moving away from the limited scope of merely imposing data breach notification requirements. These states are moving toward requiring cybersecurity measures as an important aspect of doing business. As the legal landscape continues to be reshaped, these types of changes may ultimately have implications for the scope of potential liability in data breach situations. One example of how the requirements imposed under data breach notification laws may interact with and affect the scope of business liability for data breaches is discussed below.

IV. Existing Data Breach Notification Standards Prove Critical in Community Banks’ Legal Challenges in Pursuing Retailer in Massive Credit Card Data Breach

               The wave of changes to toughen data breach notification requirements may have downstream consequences on potential business liability beyond the possibility of civil fines for failing to send timely notices. It is impossible to predict precisely all future potential liability implications, but businesses should monitor developments as these new laws go into effect. One potential risk that exists, at least hypothetically, is illustrated in a recent federal case.

               On April 11, 2018, a federal court of appeals issued its decision in a case that illustrates how the precise requirements of state data breach notification statutes may affect the scope of business liability. State legislatures’ continued efforts to expand and toughen these requirements may have implications for the scope of potential liability for businesses that suffer data breaches.

               In Community Bank of Trenton v. Schnuck Markets, Inc., four banks sued Schnucks Markets, a grocery store chain in the Midwest, for damages arising from a massive data breach that caused the banks’ losses. After being hacked, Schnucks announced the data breach in March 2013. The banks alleged that “Schnucks was the weak security link” in the credit card payment system, causing the four banks to incur tens of millions of dollars in damages above the limited reimbursement the banks received through the Visa and MasterCard networks’ cost-recovery process.

               In December 2012, hackers gained access to and installed malware on Schnucks’ computer network in Missouri, and over the following four months harvested and sold customer credit card data. Criminals used this illegally obtained data to create counterfeit credit cards and make unauthorized cash withdrawals from the banks. Schnucks reported that it learned of the breach on March 14, 2013, and publicly announced it over two weeks later on March 30, 2013. The banks estimated that for every day the breach continued, 20,000 credit cards were compromised for a total of 2.4 million cards. In the time between March 14 (when Schnucks discovered the breach) and March 30 (when Schnucks notified the public), over 300,000 cards were compromised.

               The banks’ losses included “employee time to investigate and resolve fraud claims, payments to indemnify customers for fraudulent charges, and lost interest and transaction fees on account of changes in customer card usage.” The banks contended that Schnucks failed to deploy “numerous security steps [that] could have prevented the breach . . . required by the card network rules.”

               The federal court dismissed the banks’ claims under Illinois and Missouri law, applying a legal doctrine known as “the economic loss rule” to bar claims that are governed by contractual rules limiting the retailer’s damages under the card network rules. The court also dismissed the banks’ negligence per se claims because the state data breach notification statutes in Illinois and Missouri do not impose “liability for personal data breaches, opting instead to limit their statutory intervention to notice requirements.”

               This case illustrates how the specific requirements of applicable data breach notification requirements may affect business liability in the future. The federal court stated that the banks failed “to show, as the first element of a negligence per se action, that a statute or ordinance has been violated.” There was no showing that Schnucks violated the requirements of the Illinois or Missouri data breach notification statutes in effect in 2013.

               The banks also alleged Schnucks violated an Illinois statute governing both consumer fraud and deceptive business practices. That statute allows businesses to sue other businesses under certain circumstances for engaging in unfair business practices. The court acknowledged: “It might be possible for the plaintiff banks to state a different kind of claim under the [Illinois Consumer Fraud and Deceptive Business Practices Act] by alleging that Schnucks violated the Illinois Personal Information Protection Act by failing to disclose the breach for two weeks after learning of it.” In other words, the court allowed, at least hypothetically, that a bank could sue a retailer for the bank’s damages caused when the retailer violated Illinois’ data breach notification statute.

               However, in the Community Bank of Trenton case, the banks failed to explain precisely how Schnucks violated the data breach notification law. Therefore, the court ruled that the banks waived their claim when their lawyers “failed to explain to the district court whether and how Schnucks’ conduct fell under one of the operative subsections of the [data breach] notice statute and not any of its exceptions.”

               This discussion, in other words, leaves open the possibility that violating a data breach notification requirement could, in states that cover unlawful business practices under similar statutes, open the door for liability for damages suffered by another business, if there is a causal connection between the violations and the business’s damages.

V. Conclusion

               With a rapidly changing legal landscape in 2018 relating to cybersecurity, businesses need to be fully prepared to respond to a data breach incident now more than ever. Recent legal and regulatory changes impose shorter deadlines with larger potential monetary penalties than existed in 2017 for late compliance. Even businesses that already have data breach incident response plans should review and revise them to take into account the significantly tougher legal environment. Businesses should likewise review their risk management programs relating to cybersecurity in light of these new legal and regulatory requirements.