Kirk Nahra Discusses Cybersecurity Act’s Focus on Liability Protection and Recent Novel Data Breach Lawsuit
Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in two articles in Cybersecurity Law & Practice published on January 22, focusing respectively on liability concerns addressed in a new cybersecurity law and the novel approach of a recent data breach suit.
On December 18, President Obama signed into law the Cybersecurity Act of 2015, which aims to encourage the voluntary sharing of cybersecurity threat information by organizations, in part by reducing concerns about liability, according to the article. “My general sense is that fear of liability hasn’t been a primary driver in the past,” said Mr. Nahra. “Instead, companies have been more concerned about disclosing problems that have affected them, and this kind of liability protection won’t really address that; for example, if you share information about a successful hacking attack at your company that resulted in wrongful access to personal data, this won’t mean that you can’t be sued for the data breach—it just means that the communication about the breach itself doesn’t create new liability. So, while the liability protections will prevent a disincentive from sharing, I don’t think it eliminates the more important/relevant risks from sharing.”
In a related article, Mr. Nahra discussed a recent data breach lawsuit that U.S. casino operator Affinity Gaming filed against cybersecurity company Trustwave. The article noted that Affinity has alleged that Trustwave failed to contain a data breach it had been hired to remedy. “The details of this case raise issues about vendor representations and conclusions about security breaches,” said Mr. Nahra. “This kind of case may lead to security vendors hedging their conclusions even more, which will make it harder for affected companies to reach a definitive resolution.”