For businesses, technology has greatly expanded opportunity … and risk. Purchases can be made online from across the globe. Vital personal information is stored digitally by virtually every enterprise. Medical information can be exchanged by just pressing send.
And all of it can be exposed in a data breach. There isn’t a business, non-profit, institution or civic organization today that can avoid the reality that they are in the data management business and all the risks that come with it.
The threat of data becoming compromised is such that a whole new market has been created for the insurance industry. “Cyber policies” can afford some protection against losses; however, companies should always be aware that not all cyber policies cover the risks a company faces. Cyber insurance policies should cover the costs associated with the data breach, including engaging legal counsel, hiring investigators, providing credit monitoring for customers, and enlisting public relations experts to facilitate communications with all parties served by the company.
Companies can also proactively protect themselves in other ways. First and foremost, they should develop policies and educate employees on those policies. This includes establishing, publicizing and encouraging internal reporting mechanisms. Companies can institute electronic security policies that identify who should receive the report of a breach and establish the levels of discipline up to and including termination if an employee misuses data or takes part in a data breach.
Firms should consider creating a data management team with clear responsibilities and a thorough understanding of the types of data collected, processed and developed. They should also understand legal responsibilities and regulatory requirements. There are now 46 states with data breach laws and none of them are uniform. A university discovering its students’ data compromised can face scrutiny from every state in which its students reside. Meanwhile, the federal government offers protections in the Health Insurance Portability and Accountability Act of 1996 and the Gramm-Leach-Bliley Act.
Businesses should also develop a risk assessment and mitigation plan. This includes reviewing vendor contracts to find weak links that could expose data. Even if a company shuns the exchange of data online, it can be held liable for data shared with vendors who do expose that data, however unintentionally, in a breach. A company that couriers its billing records to a bank needs assurances that the courier and the bank have policies in place to protect the data.
Companies should review the policies of their vendors. If the vendors do not have an electronic security policy that addresses employee background screening and data management, then your company should write one for them.
In addition, companies should consider commissioning a third-party audit to review policies, compliance efforts and technical infrastructure. This is often done after a breach. It’s best to find any holes before they are compromised.
If a data breach does occur, businesses must not only discover its source, mitigate impact and comply with appropriate state and federal regulations, but also take immediate action to recover from the breach. That means engaging legal counsel to provide protection from potential civil litigation and the discovery process through the attorney-client privilege.
This is especially important because third-party reports from IT forensic, accounting or crisis communications firms, as well as internal company communications, may be discoverable in civil litigation. If outside counsel is engaged, these communications may be protected under the attorney-client privilege.
Obviously, technology is part of data breach avoidance, including data encryption, security and monitoring software, password protection and the like. But the human element and lack of meaningful policies and preparation can create gaping holes that put data at risk. The best advice is to thoroughly evaluate your data management risks and consider a cyber policy, develop the right team and policies to manage your data, ensure vendors are sufficiently protecting information you share with them and educate all employees about risks and responsibilities.
Technology is a wonderful business tool, but it carries evolving risks that can’t be relegated to a back burner of inaction.
Vanessa Robinson Keith is a member of the data breach practice group and the litigation practice group of Greensfelder, Hemker & Gale, P.C.