The Oklahoma Bar Journal September 2023

Since many data privacy laws and cybersecurity laws do not provide private rights of action, cyber litigation is usually pursued under traditional theories of liability, such as negligence, and can be ripe for class certification. Similarly, traditional defenses, like standing, often serve as the basis for dismissal of private cyber claims. 36 This is because it can often be hard to determine whether the breach actually resulted in harm.

Important pre-litigation attention should be paid to contractual agreements that contain cyber-related provisions. Standard provisions found in data sharing agreements (and other cyber-related agreements) include indemnification requirements, cyber insurance coverage, compliance with state and/or federal laws and ownership/usage rights.

While these concepts may be generally familiar, the technical side of cyber law is where the problems creep in. For example, suppose you have a client who has a data privacy policy that states the data it holds is kept in an “anonymized” fashion. The term “anonymized” is a technical term of art that means the data being held cannot, under any circumstances, be linked back to the original provider of the data. However, given the amount of data that is available through the internet and/or data brokers, it can often be very easy to relink an individual’s data through the use of multiple data sets. As a result, it is extremely difficult for many companies to claim that they use only “anonymized” data, as opposed to “pseudonymized” data. But it is just this sort of technical difference that could result in the FTC coming down on your client. 37

Second, simply because a computer has been “hacked” does not necessarily mean there has been a breach. For example, Oklahoma’s data breach notification statutes state that a breach occurs if there is unauthorized access to “unencrypted and unredacted” data. 32 Thus, if the data is encrypted and redacted, even though it has been extracted, there is no “breach” for the purposes of Oklahoma’s reporting statute. Therefore, understanding a particular state or federal law’s definition of “breach” is critical because it may trigger certain reporting requirements and other obligations.

Finally, cyberattacks come in a variety of forms and accomplish different goals. 33 However, common approaches and attacks can be linked to various organizations. As a result, certain cyberattacks may require you to work with a computer forensics team and/or the FBI. Working with experienced professionals in these areas can help to ensure that your client does not pay a ransomware ransom to an organization that will not actually send the decryption key, thereby resulting in more damage to your client.

LOOKOUT NO. 6: DIRECT LEGAL LIABILITIES

Failure to abide by state data privacy laws or federal privacy laws (such as HIPAA) can result in regulatory action. 34 But even if your client is exempt from these laws because they operate in states without data privacy laws and are unregulated by federal law, simply using policies that do not accurately reflect the company’s collection, protection and use of data can also result in actions by the Federal Trade Commission. 35

THE VIEW FROM THE TOP

Hopefully, these lookouts show the interrelated nature of corporate liability in relation to cyber events, ranging from HR law to simple negligence claims for a data breach. Further, one should be able to see how each of these areas is interrelated with the other. Data privacy minimizes damages from a cybersecurity breach, and with good cyber insurance, many of the out-of-pocket costs can be recouped. But a company cannot get good cyber insurance without good data privacy and cybersecurity protocols in place.

Hacking is becoming democratized. For example, just as customers can buy software as a service (SaaS), where you simply pay a monthly subscription fee for software (versus installing it with a disk), people can now buy ransomware as a service (RaaS) off the dark web, meaning even people with no technical skills can now become hackers through the use of RaaS. The flattening of the hacker realm means more hacks are coming. It is, therefore, more critical than ever that companies get ahead of the curve now. Otherwise, technical debt 38 and administrative inertia will make it more difficult to properly implement cybersecurity and data privacy protocols after the fact. The time to act is not tomorrow, it’s today.

ABOUT THE AUTHOR

Collin R. Walke leads Hall Estill’s Cybersecurity and Data Privacy Practice Group. He earned his J.D., magna cum laude, from the OCU School of Law and is a graduate of Harvard’s Business Analytics program, where he was nominated for distinction in programming and data systems.

Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.
