Cyber Security: Forewarned is Fair-Warned

by Gray Reed & McGraw

When Wei Wong, owner of Sushi Mushi, a popular Japanese food bistro in Texas, installed a phone add-on to take credit and debit card payments straight from his employees’ phones, his revenues skyrocketed. Yesterday the Feds told him that his customers’ credit and debit card numbers were posted for sale on an underground website. Malware planted in his employees’ point-of-sale telephone systems snared over 10,000 card numbers, encrypted PINs, and CVV codes. Every hacker in the Ukraine now wants their own missile launch system. Is Sushi Mushi to blame?

Notice Required

Yes, Texas law requires Wei Wong to notify each of the 10,000 customers because their “sensitive personal information” was, or is reasonably believed to have been acquired by an unauthorized user. A May 2013 Cost of Data Breach Study sponsored by Symantec reported that the average United States data breach cost per record was $188. A 2012 Verizon Risk Team study shows that in 2011, over 174 million records were reported breached. The average cost to an organization resulting from a data breach incident is now reported to be upwards of $6.65 million.

When? What if Not?  

Sushi Mushi is required to provide notice “as quickly as possible,” with exceptions made for criminal investigations (which must be documented). If no notice is issued, Wei Wong risks statutory penalties of $100 per individual per day for any failed or delayed notification, not to exceed $250,000 for a single breach. But these notice costs plus forensic investigation, credit monitoring, public relations efforts, and lawsuits are nothing compared to the biggest possible cost – the company’s reputation.

Who’s to Worry about Cyber Theft?

Most businesses that maintain a computer network with “sensitive personal information” [an individual's first name initial and last name with social security number, driver's license or government-issued identification number; or account number or credit or debit card information with security code]. Also, almost any health care-related business.[1]

Could It Be Worse?

If Sushi Mushi’s customers can get a class certified, Wei Wong’s liability will almost certainly include mandatory payment of identity theft and credit monitoring services, imposed auditing requirements, injunctions to cease and desist improper retention of customer data, reimbursement of funds stolen and costs expended in issuing new cards, disgorgement of Sushi Mushi profits during the time of the breach, and forced adoption of certain security measures.

Tilting the Scales in Your Favor

Consider Insurance. Many businesses purchase Commercial General Liability policies. However, it is increasingly likely that a general CGL policy will not cover a cyber-security breach; more insurance carriers are excluding cyber security breaches from their CGL policies. Check out purchasing cybersecurity insurance going forward to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. 

Steps to Protect Your Company –

  • Identify all sensitive data handled by your company.
  • Make sure it is secure. Encryption mitigates the Texas statutory liability and penalties.
  • Implement and maintain security systems – both computer system security measures and physical. Passwords, encryption, firewalls, anti-virus software are important; physical security measures are also important.
  • Lock sensitive data and dispose of it by making sure it is properly shredded. Simple employee negligence, such as losing a lap top or failing to shred personal data before disposing of it in the trash is a frequent culprit. Confirm that all employee’s know the protocol to keep customer data safe.
  • Implement a response plan to deal with a breach after it occurs. A plan in place will help reduce your risk of incurring fines as well as cut costs for notifying.

If you are hacked?

  • Detection, confirmation and quick remediation are key.  If you are compromised, know where and when bad things are happening – real compromises, not false alarms – so they can be shut down.  As Verizon’s 2014 Data Breach Investigations Report shows, speed matters, both in detection and dwell time (time between discovery and remediation). After mere minutes critical data can be exfiltrated from a network.
  • Quick remediation is critical, but so is insight. With so many states pushing to codify stringent breach notification      requirements, waiting days or weeks to let customers know what may have happened with their data simply won’t cut it going forward.

[1] The definition under the Texas statute also includes information regarding an individual’s physical or mental health information; the provision of health care to the individual; or the payment for the provision of health care to the individual;4 this information is referred to as “protected health information” or “PHI” in the health care industry, and is also subject to the privacy and security restrictions of the federal privacy statute known as HIPAA. Texas entities subject to HIPAA will have to determine whether they have breach reporting obligations under HIPAA, the Texas statute, or both, since the standards and requirements of HIPAA and the Texas statute are different.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Gray Reed & McGraw | Attorney Advertising

Written by:

Gray Reed & McGraw

Gray Reed & McGraw on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.