Best Practices for Avoiding Data Breach Liability
Cyber attacks and data breaches are quite common, and in the past several years Wyndham Hotels, LinkedIn, Yahoo, and even Google have been the victims of various data breaches. This year Yahoo Japan notified its users that its systems had been breached and that hackers were able to compromise about twenty two million user IDs. LivingSocial also announced in April that hackers had breached its servers and that more than fifty million customers had their data stolen. These incidents are especially dangerous for smaller companies, because a single breach can permanently tarnish their reputation and put them out of business. What’s worse, there are many cases where companies don’t even know that their systems have been breached, and a lot of their trade secrets and other sensitive information is stolen before the breach is ever detected.
If the breach involves stolen or lost personal information, then it’s only a matter of time until law enforcement and regulators step in, and regulators can impose severe fines that result in massive financial losses. Customers can also sue the company, and in some cases the company actually goes out of business because of the fines and the amounts it has to pay as a result of the lawsuits filed against it.
In recent years, the security and privacy regulatory scheme has become a lot more complex, making it very difficult for many companies to actually comply with it. This is especially the case for highly regulated industries, such as retail and healthcare. In fact, the recent HIPAA audit pilot program run by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) uncovered the fact that plenty of healthcare companies have no idea what requirements apply to them. HHS received about seventy to eighty thousand breach reports from September ’09 to March ’13 and imposed approximately fifteen million dollars in HIPAA non-compliance fines from ’08 to ’12.
Data breach prevention
There are many things that companies can do in order to reduce the risk of becoming a victim of hackers, including:
1. Identify all the sensitive data the company handles, where it is stored, and who its custodians are. If a company is to effectively guard the sensitive information it handles on a daily basis, it first needs to conduct an inventory of that data.
2. Comply with federal and state regulatory requirements. Depending on the type of data your company handles, there’s a good chance that it is subject to a wide range of federal and state laws, including state data security regulations, the Gramm-Leach-Bliley Act, and HIPAA. To ensure you’re in compliance with these laws, consult legal counsel.
3. Review (and update as needed) the company’s written information security policies. This is a practice that all companies should consider, and it’s actually a requirement under some state and federal laws.
4. Maintain and effectively implement physical and computer security measures. Computer security measures are essential, but physical security measures such as shredders, locked cabinets and the like also play a very important role in protecting data. Depending on where your business is located, your state may require that you encrypt personal information transmitted wirelessly or stored on portable devices.
5. Effectively train employees and implement best practices. It’s not only complex cyber attacks that compromise sensitive data, but also employee negligence. For instance, in ’11 the government fined Massachusetts General Hospital one million dollars after an employee left documents containing sensitive information on the subway. Periodic training sessions should be conducted to make sure that employees are fully aware of and comply with the company’s data security policies. Vendor compliance is also a must, so take great care when retaining third-party business associates or providers with whom you may eventually share sensitive information. Under state and federal law, companies must require their vendors to take specific security measures to protect the data shared with them.
6. Conduct lawyer-directed data security assessments periodically. This is a good way to ensure applicable laws are respected and also to detect vulnerabilities.
7. Get cyber liability insurance. Traditional insurance policies may cover businesses in a wide range of situations, but when it comes to data breaches they usually offer little or no coverage at all. To avoid the high costs associated with data breaches, it’s highly recommended that you buy cyber liability insurance. Such a policy helps cover the costs of defending lawsuits and of regulatory compliance, as well as credit monitoring and notification for affected parties, forensic investigations, and payment of any resulting settlements or judgments.
How to respond to data breaches
The aforementioned steps are necessary if you want to minimize the risk of becoming a cyber attack victim, but even if you follow them you won’t be one hundred percent safe from such an attack. If your systems are breached, then you have to comply with data breach notification laws. These laws have been enacted in forty six states, including the District of Columbia. They vary by jurisdiction, but as a business you need to inform the clients whose personal data was compromised by the security breach as soon as possible. Some states impose even stricter notification deadlines. For instance, Florida and Vermont require companies to notify their clients within forty five days at most, while CA has a deadline of just 5 days for nursing facilities and hospitals.
Under the HITECH Act’s breach notification rules at the federal level, healthcare organizations must report data breaches involving at least five hundred individuals to the affected individuals, the Department of Health and Human Services, and media outlets serving the relevant state or jurisdiction within sixty days. If the breach involves fewer than five hundred people, it only needs to be reported to the department on a yearly basis.
For many companies, data breaches are very dangerous, and management usually has a very hard time determining how the breach happened, what actually happened, and what measures must be put in place to prevent such breaches from recurring and to mitigate the damage associated with them.
As a company, there are certain steps you can take to reduce the potential liability arising from data breaches, as follows:
Having an incident response team and plan is highly recommended. The plan should be prepared before any breach occurs; it needs to identify the team members, detail the responsibility of each member, set out the breach response measures to be taken, and involve external professionals as soon as possible.
When you face a data breach incident, acting fast is very important. If you don’t, you expose yourself to increased regulatory liability and scrutiny. Get in touch with lawyers. In general, data breaches are very complex and can affect a lot of people, requiring compliance with a wide range of breach notification statutes. To guide the breach response, you should consult outside counsel. If the breach is complex, you should also consider involving an external forensics investigation service.
It’s very important to do everything possible to preserve corporate reputation. Since these breaches can make headlines, you must try to preserve your reputation with both the general public and the affected parties. In this regard, engaging a public relations firm to handle the situation is highly recommended.
Appease regulators, but also minimize the risk of potential lawsuits and consumer identity theft
Businesses in the digital age are continuously exposed to the risk of cyber attacks. With some of the largest companies in the world suffering data breaches and federal and state regulators becoming increasingly strict about data security, a lot of businesses are understandably worried.
If you’d like to reduce the risk of becoming the victim of a data breach, you need to implement best practices as soon as possible. Self protection and prevention are vital elements to minimize the impact and threat of cyber attacks and data breaches.