Stories of massive data breaches have filled recent headlines. Uber recently confirmed that hackers had stolen more than 57 million driver and customer accounts and that the company had paid a $100,000 ransom to the hackers. Washington State and the City of Chicago are pursuing multi-million dollar consumer protection lawsuits against Uber, dozens of private lawsuits have already been filed, and a criminal investigation may be in the works, given that a number of high-ranking officers at Uber were allegedly aware of the breach for months before the company disclosed it to the public.
Remarkably, the breach at Uber pales in size and seriousness next to the recent high-profile breaches at Yahoo and Equifax. Yahoo announced in 2016 that one billion of its accounts had been compromised. Equifax confirmed in September 2017 that sensitive information, including Social Security numbers and driver’s license numbers, for 143 million American consumers had been compromised.
Although massive breaches at large companies garner the most media attention, data security is critical for companies of all sizes. Indeed, given constant attacks and the severe civil and criminal penalties looming for companies and their employees, the current climate requires that today’s businesses understand how to protect data and how to respond in the event of a breach. Every company should have an Information Security Plan (ISP) that sets forth, in writing, its policies and procedures regarding privacy and data, and an Incident Response Plan that establishes clear directives about how to respond to a data breach.
Below are five questions every company should ask in order to determine the current status of its data security protections and its plan to remedy and report any breaches of company data.
Do you have a privacy officer and a security officer? Every company should designate a privacy officer and security officer so it is clear who is responsible for monitoring and enforcing data security. In addition to ensuring accountability, giving individuals those specific roles also grants them the formal power to enforce company policies.
Have you done a thorough inventory of your company’s information and its life cycle? Data security is industry and company specific. Each company must undertake an honest, and potentially critical, assessment of its information assets, how those assets are utilized, and its current processes and policies. This should include both electronic and hard copy assets. For example, a company should consider what information is collected, how it is gathered, and what happens to it after it is utilized. It should also include an analysis of where the information is stored and who has access to it. Thereafter, it should assess whether it truly needs that information, and when it can be discarded. Using outside counsel or a third-party consultant may help keep this assessment objective.
Do you have a backup plan? Preparation for a data breach can decrease the costs of managing a data compromise. If your office is hit with a data breach or ransomware, do you have a backup plan? Is your electronic data regularly backed up, and are the backup data files stored securely offsite? Do you have backup paper records? Due to technological advances, creating a backup plan is often less expensive and less intensive than many businesses might believe.
Have you created a culture of privacy? No ISP will be truly effective unless a company instills the belief in its employees that privacy is a core value of the organization. There must be buy-in from the C-suite. Although the control and movement of information is often determined by staff or IT advisors, it is important that top levels of the organization create the expectation that employees take privacy and security issues seriously.
Have you reviewed your vendor contracts? Many businesses enter into third-party contracts with vendors to help their operations run smoothly. However, this often creates vulnerabilities. Indeed, the Uber breach occurred on a third-party server. When a company delegates tasks to third parties beyond its control, a company must review its contracts with these entities to ensure that each vendor’s security procedures are consistent with its ISP. In these instances, it is often helpful to have legal counsel review these contracts.
If a data breach does occur, a company must have an effective Incident Response Plan that will identify the scope of the breach, limit the breach to the extent possible and effectively protect customers. In responding to a breach, companies must navigate a complex minefield of federal and state regulations that impose administrative, civil and even criminal penalties. However, a common element of most regulatory requirements is prompt notification of customers. Companies must also be prepared to take available steps to remedy the situation to the extent possible.
The importance of having an effective ISP and Incident Response Plan cannot be overstated. In some cases, it is not just good practice, but it is required by law. Additionally, customers have come to expect good cyber-hygiene from the companies with whom they do business. If you need help determining which laws your company is subject to, and what those laws require, contact an experienced cybersecurity lawyer, who can help you navigate this critical process.
Elaina M. Maragakis, CIPP-US, is a shareholder and co-chair of Ray Quinney & Nebeker’s Cybersecurity and Privacy practice.
Matthew R. Lewis is a shareholder and co-chair of RQ&N’s White Collar, Corporate Compliance and Government Relations section.