Patrick Kellermann from LeClairRyan returns with a timely post on data security. His profile can be viewed here.
When people hear “data security” they think technical jargon: firewalls, passwords, encryption, yada, yada, yada. They leave it up to “Nick,” the company computer guy (SNL reference), and quickly turn to the day’s pressing business matters. Guess what, if your company handles individuals’ sensitive information in any way, you are in the business of data security. Ignoring data security not only puts your or your business partners’ customers’ information at risk, it subjects a company to regulatory or other litigation exposure like never before.
The Federal Trade Commission (“FTC”) is ramping up enforcement against companies that do not make data security a priority. Lapses in data security can be prosecuted under section 5 of the FTC Act as a deceptive practice where, for example, a privacy statement claimed the company maintained “physical, electronic and procedural safeguards that comply with federal regulations to guard non public personal information.” According to the FTC, the target company—a franchise car dealership—failed to conduct risk assessments, adopt policies, use “reasonable methods” to prevent and detect unauthorized access to personal information, train employees or employ proper response measures.
Even without any representations about a company’s data security practices, the FTC can and has gone after companies for unfair practices in data security under the FTC Act § 5. In fact, data security lends itself well to “unfair practices” charges because customers must provide protected information (e.g., financial data) to receive services/products but often have little or no control over how a company protects it.
Industry specific regulations also cover data security and may be a source of enforcement. Gramm-Leach-Bliley requires “financial institutions” to maintain data security programs. HIPAA’s Security Rule mandates protection of electronic personal health information and, following amendment by the HITECH Act, violations may be punished by a fine of up to $1.5 million per incident.
Let’s not forget about the explosion of civil litigation fueled by data security. The First Circuit recently blessed a cause of action under the UCC by a construction company against its bank for failing to use “commercially reasonable” data security practices. Also, dreaded class action litigation is to-be-expected following a data breach.
Data security is more than a one-step solution to delegate to “Nick.” A comprehensive approach comes from the top, is developed from the start and becomes part of the corporate culture. To protect your company, you must:
Assess Risk. Know what data you collect; how it’s collected; where it’s stored; who can access it; and above all, potential vulnerabilities. The assessment must bring to the table technical expertise as well as regulatory awareness.
Implement Data Security Policies and Procedures. The Policy must be based on the assessment. It should provide guidance on security procedures relative to the size and nature of your company and type of data at issue. An Incident Response Plan must be a featured section of any Policy.
Train Employees. A data security plan is only as strong as the employees who implement it.
Develop Third Party Controls. Conduct data security due diligence and contractually mandate compliance with applicable legal standards and industry best practices for contractors and service providers who handle customers’ data.
Promote your Privacy Statement. In a nutshell, say what you do, and do what you say.
A comprehensive data security program accomplishes a few things: it helps avoid a breach in the first place; provides a competitive business advantage; and mitigates regulatory and civil litigation exposure, even providing a defense or safe harbor in some cases.