Legal experts are warning that private companies could find themselves in an actionable position in the event of a data breach. That’s especially true if those companies have not taken the proper steps to protect sensitive information.
The warning comes after hackers gained illicit access to a Verkanda maintenance server. Verkanda is a surveillance startup that has already provided cameras for more than 4,200 clients, some of which come outfitted with facial recognition capabilities.
The problem, according to critics, is that Verkanda’s cybersecurity practices didn’t keep up with its rapid pace of expansion. The hackers were able to gain access to the server with stolen credentials, and there were no other layers in place to guard against intrusion.
“What has me concerned here is this really doesn’t feel like a reasonable level of security for the risk,” said ioXt Alliance CTO Brad Ree. “It shows that lack of maturity and the danger of scale.”
In that regard, Ree suggested that Verkanda may not have met its legal obligation to protect people’s personal information, which could in turn give people grounds for a potential lawsuit. Critics noted that Verkanda may have violated wiretapping laws if the video footage includes audio, or health privacy laws if the cameras were installed in a medical facility.
Such lawsuits are more likely if the individuals in the leaked footage can be identified, as is the case with facial recognition cameras. Companies could face more liability if the cameras are hidden and people do not know they are being recorded, or if they are deployed in a locker room, a bathroom, or some other place that has a reasonable expectation of privacy. There is also a growing number of data protection laws like the California Consumer Privacy Act, and laws that cover IoT technologies. Such laws have become increasingly common in recent years, and require providers to put certain safeguards in place before selling technology to the public.
While the law tends to lag behind the pace of innovation, the new Internet of Things Cybersecurity Improvement Act creates clear security standards for federal agencies, which could force private companies to update their practices to sell to the government. The legal experts warned that clients could be sued for installing cameras if their provider gets hacked, though they could presumably pass some of those damages back onto the provider depending on the terms of their contract. As it stands, US organizations have lost upwards of $1 trillion due to security breaches on an annual basis.
Source: Bloomberg Law
March 16, 2021 – by Eric Weiss