While taxes and death are currently the world’s only guarantees, we are not far from days in which being affected by cyber attacks will join that formidable group. While data breaches are inevitable, there is good news. According to Online Trust Alliance’s 2014 Data Protection & Breach Readiness Guide, nearly 90 percent of the breaches in 2013—which exposed a total of 823 million records—were preventable. Courts are routinely making it clear that it is the responsibility of the companies that hold personal information, not solely the individual owner of it, to proactively protect the data. A company must take steps to protect itself and its customers in order to, at a minimum, mitigate the damage of a potential breach. Currently, 48 states and the federal government require companies to take steps to prevent cyber attacks. Abiding by these regulations often helps a company protect itself, and its directors, from potential lawsuits.
Pertaining to data breaches, the news media often does society a disservice. National newspapers are littered with the breaches of Home Depot, JP Morgan Chase, Target, and P.F. Chang’s. But rare is the news story that tells of the small “mom and pop” company being hacked, or the tech start-up that loses its users’ personal information. These stories may not make the news because, individually, they do not have a large enough effect on society. But they do have a crippling effect on the businesses that are impacted.
Current estimates suggest Target will face nearly $4 billion in liability and costs from its breach. Even assuming Target is one hundred times bigger than a start-up that is breached, one can imagine the devastating impact of the liabilities. Thus, it’s clear that when the other option is losing everything, the cost of proactively protecting your company is well worth it.
Moreover, the perception that only large companies are targets is false. In fact, 44% of small businesses have already reported being attacked. The cost of addressing an attack, including notifying affected customers, has averaged $8,700. In 2012 alone, cyber-attacks on small businesses rose 300%.
So why, even though they hold less data, are small businesses attacked? The answer, it seems, is that hackers know that small businesses are particularly vulnerable because owners believe they cannot afford services to proactively protect themselves. However, there is no question that a business cannot afford a sophisticated breach. The truth is, while owners believe they cannot afford to be proactive, they truly cannot afford to wait. Therefore, it’s clear that the time and money small businesses put towards protecting their data is not only well spent, but also well advised.
At a minimum, any start-up company should have a data-protection plan with two components:
These components should be managed by a Data Protection and Breach Response team, made up of company leadership, employee(s), an attorney, and an IT professional.
To employ a successful data-protection plan, a company must intimately know the data it maintains. This involves advanced storage and training, as well as data mapping, maintenance, and destruction. Knowing customers’ location is also integral to understanding which state laws are applicable.
Companies can only protect information after understanding how the data in their custody is stored. Any protection should transcend encryption: layered safeguards, frequent “housekeeping,” detailed logs, and data audits that can be reviewed by IT and legal professionals are all necessary. Moreover, employees must be trained in company protocol; thus, there should be employment agreements and annual risk assessments of the company’s network. Such work often involves legal and technical assistance.
When systems are breached, having a pre-organized Data Protection and Breach Response team allows for an immediate and effective response. The team’s leadership, employee-members, IT professionals, and attorneys should meet frequently. This allows the team to immediately recognize breach-triggering events and launch pre-planned response plans. Poorly prepared companies often do not realize they have been breached until it is too late to stop the breach or send customers useful alerts. Legal professionals who know how to comply with applicable state response and notification laws can start a “notification tree” to notify the necessary government entities, insurers, and affected individuals.
A company that is ill-prepared to respond can be subject to several liability and negligence claims. The timing and substance of notifications are regulated by state laws—thus, the company that starts looking for a support team only after a breach is a prime target for a lawsuit.
A company negligent in its maintenance and protection of data, or in its response to a breach, may go from being viewed as the victim to being considered complicit in the attack. Therefore, while the up-front cost may act as an initial deterrent to proactively protecting your company, the long-term benefits are unquantifiable. As such, while following these steps does not provide a foolproof safeguard against breaches, it is a recipe to protect your company, directors, and officers from devastating repercussions.