If you have employees, it is imperative to recognize that many significant privacy and data breaches come from untrained employees who are the primary target of various schemes and malware contained on the Internet and otherwise.
Union, NJ (PRWEB) December 28, 2013
In light of the recent front page issues involving data breaches and data leakage – Edward Snowden, the NSA and the PRISM Program from the governmental side and Facebook's year-long data breach which exposed the information of over 6 million users on the private side – it seems like an appropriate time to once again emphasize that that it is crucial for all companies to proactively address cyber data security and privacy issues: the question is not if these issues are going to affect business but when and to what extent.
In recent months, there have been countless examples of large data breaches, both in the government sector and in the private sector. Because of the high profile nature of these breaches and the possible criminal implications associated therewith, many smaller business owners seem to think “Oh well, that will never happen to me.” This attitude is a mistake. These issues are not limited Fortune 500 companies. Cyber risk is an issue for small businesses. In fact, studies have shown that hackers specifically target smaller businesses because they have less resources to defend against cyber-attacks.
All businesses retain information which, if breached or inadvertently disclosed, could cause significant damage to that company, both in terms of pure financial implication and loss of goodwill in the marketplace. Companies of all sizes retain records in both paper and electronic form which often contain sensitive personal information that would allow someone to trace an individual’s identity, such as their Social Security number, date and place of birth, maiden name, etc. This information is broadly referred to as Personally Identifiable Information (“PII”) and is given significant protection under the law. Beyond this broad category, there are a variety of other subsets within PII which are often subject to specific, more stringent rules related to protection and disclosure throughout the business and legal spectrums. For example, Protected Health Information (“PHI”) – any information about health status, provision of health care, or payment for health care that can be linked to a specific individual – is vigorously protected under both state and federal law.
The purpose of this article is not to scare businesses, but instead inform them before an incident so that they too may be at risk with respect to these issues, and that there are options available regarding data breach prevention and remediation. As with anything else, the proper way to manage a large volume of information is through proper proactive (as opposed to reactive) controls. These controls include consultation with appropriate advisors including lawyers with expertise handling privacy, e-commerce, FTC regulatory complaints, litigation and intellectual property related issues as well as insurance brokers who can assist with an evaluation of whether or not a company should purchase insurance policies to cover the fallout from data breaches, cyber-liability or other related issues.
Data breaches are caused by a variety of sources including cyber-crime/hacking, system error and, shockingly enough, human error. There are countless recent examples related to an employee losing a computer or leaving a thumb drive with customer information laying around for public consumption. If a company has employees, it is imperative to recognize that many significant breaches come from uneducated employees who are the primary target of various schemes and malware contained on the Internet and otherwise. Even more troubling, though many companies very often have privacy policies and guidelines in place – which if not should be priority number one in response to this article – response also becomes an issue. Employees inadvertently cause breaches and there is insufficient protection or protocols in place to address these incidents.
The fallout from these breaches can be many tiered and cause substantial damage from both a financial and good will perspective. First, if the information is trade secrets or sensitive business information, it could have a competitive impact on the business. Additionally, if PII is compromised, a company may have to have to put in place credit monitoring services and other avenues for each record breach to help mitigate the damage caused by any disclosure of PII as well as restore customer confidence in the business. It is often prudent to understand how data breach insurance can help healthcare organizations mitigate HIPAA fines prior to an incident. Moreover, with respect to cybercrime, a Distributed Denial of Service Attack (“DDoS”) attack can take down a company website and affect the ability to run a business effectively on a going forward basis -- especially if the e-commerce platform is the lifeblood of the operation. In order to give a rough estimate of data breach costs, in the “2013 Cost of Data Breach: Global Analysis”, the Ponemon Institute stated that the average cost of a data breach is $136 per record globally and $188 per record in the U.S.
As briefly intimated above, the best way to deal with data protection is on a proactive basis. Before an incident happens, a company should consult with tailored team of advisors, including data privacy attorneys like OlenderFeldman LLP, to help develop reasonable data security policies and procedures which include the monitoring and auditing of the policies on the front end as well as the encryption of PII. After these consultations, companies should take great care to educate and train employees about the policies so as to make them aware of the issues before they arise.
Of course, however comprehensive a company's protection may be on the front end, breaches can still occur. Post breach, there are two factors that will help a company address issues most quickly and efficiently. First, because a company was proactive and hired consultants to address these matters at the outset, the security plan should help carry it through the difficult times. To ensure effectiveness, this program should be regularly monitored and tested within an organization and each company should designate employee contacts within the organization to implement and effectuate the security program.
Second, there are a burgeoning number of insurance products designed to protect companies in the event of a breach and, for that matter, generally protect the public face of companies as the inevitable cyber expansion continues. There are a variety of coverages available which include coverage for loss of assets, business interruption, cybercrime/terrorism, D & O and privacy liability insurance and social media coverage, among others. As each business is different, it is crucial for each company to consult the right advisor such as Cyber Data Risk Managers LLC in order to be property informed about this vital piece of protection in the event of a data breach.
Data Breaches are here to stay and as each company’s cyber presence increases, it is crucial to proactively plan to address the same as opposed to reactively deal with them in the back end which could significantly harm a company's business. The involvement of trusted counselors like OlenderFeldman LLP and Cyber Data Risk Manager LLC is crucial to the proper protection and ultimate success of businesses in the event of an unfortunate data breach.
If you have any questions about the legal or practical implication of these issues, please contact Christian Jensen, Esq. (cjensen@olenderfeldman.com) and Aaron Messing, Esq., CIPP (amessing@olenderfeldman.com) of OlenderFeldman LLP at (908)964-2485. Additionally, to have a fully informed discussion about the full range of cyber insurance or IP related products, please contact Christine Marciano, CIPP (Christine@dataprivacyinsurance.com) of Cyber Data Risk Managers LLC at 855-CUT-RISK.