The Law Office of Hale Stewart, JD, LLM
832.330.4101

Hale Stewart's Law Blog

Why a Cyber Breach at a Small Service Firm Is an Extinction-Level Event, Part II

5/15/2020

 
 
   I previously argued that a cyber breach is an “extinction-level event” for small and medium-sized professional service firms.  That post contained a sequence of events concluding with litigation that, due to its potential size, would lead to bankruptcy.  This post starts an in-depth look at that sequence, beginning with an analysis of the stolen data and why its theft leads to a lawsuit. 

   Professional service firms utilize expertise gained from a four-year college education and in some cases post-graduate work.  Most of these professions require an initial licensing test; some mandate continuing education.  The core business of these firms is to utilize intellectual capital to manipulate and interpret client-provided data.

   The ISO cyber policy defines this data as “personal information:”

… any information not available to the general public for any reason through which an individual may be identified including, but not limited to…
  a. Social Security number, driver’s license number, or state identification number
  b. Protected health information
  c. Financial account numbers
  d. Security codes, passwords, PINs associated with credit, debit, or charge card numbers which would permit access to financial accounts
  e. Any other nonpublic information as defined in “privacy regulations.”

While points a, b, and d mostly apply to individuals, the definition is “not limited to” these items.  Non-specifically enumerated items are “not available to the public” – in other words, “confidential.”  This immediately brings to mind the legal and medical duty of confidentiality; financial information disclosed to accountants is not far behind.  Engineering, architectural and actuarial firms also utilize proprietary data for their respective job functions.  These examples illustrate that it is almost impossible for any service company to argue it doesn’t utilize “personal information” as defined by the cyber policy.

   This explains why litigation is likely to result from a data breach; aggrieved clients will argue the unauthorized release has harmed their company, perhaps fatally.  They will allege that their data was protected by statute, provides their competitors with an edge in the marketplace, or is simply information that a reasonable person wouldn’t want in the public domain.  Clients will seek large damages and will be aggressive in litigation.  This is what will cause the firm’s “extinction” or, in the language of business, its bankruptcy.
 
 

The Law Office of Hale Stewart
734A E. 29th Street
Houston, Texas 77009
832.330.4101
Halestewart@halestewartlaw.com