The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary....

Mary N. Chaney, Esq., CISSP, CIPP/US is a former Special Agent for the FBI where she investigated cybercrime, a seasoned corporate executive that built and operated information security teams and now a cybersecurity attorney.

As a self-described “Breach Whisperer” our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to help support, translate and advise, Boards of Directors, CIO's, CISO's and General Counsel's on how to legally protect their company from cyber related risk.

Blog Entries


 

In PA Employers Have A Common Law Duty To Protect Employee Data

See Article Here

Pennsylvania has changed the data breach landscape! Please read the article. but they have essentially stated that if an employee is required to share personal information to an employer as a condition of employment, the employer has to use reasonable care to protect that data from possible exposure, including protecting against hackers. This change in PA is something that all employers should have anticipated, basically because breaches have become so commonplace, it is reasonable that an employer should protect against a breach, even from hackers, on internet-facing systems.

I have been waiting for the courts to catch up with technology, companies have gotten away with, for far too long, less than reasonable data security practices. If you are collecting personal information about me, and I have no choice but to share it with you, as with an employer, it is reasonable that you have a duty to protect that data. And NO I do not have to prove I suffered damages if you were not being reasonable in your efforts to protect my data!

This change is significant because there is no requirement that a person prove damages, it is based on the duty of the company. If a company is negligent in protecting data, there should be a cause of action that allows for the victims of a breach to sue, regardless of whether they can prove monetary damages. Based on the breach, my information is now lost and cannot be recovered, I have suffered a violation period.

We will see if more courts catch on and start to put the pressure on the keepers of the data to protect it.