Unfortunately, no industry or business is immune from data security events. Nearly every business collects some form of personal information, whether it involves your employees, customers, vendors, or all of the above. Threats to your company’s data may come from both external and internal sources. In light of the rapidly changing state, federal, and international laws, including imposition of monetary penalties, in the area of data breaches and cybersecurity, it is vitally important that your business take a proactive, rather than a reactive, approach to addressing these issues.
The cost of a data breach can be catastrophic to your business. For most organizations, it is not a matter of if you will be the victim of a data breach, but when. When that time comes, it is critical to have a comprehensive plan in place in order to respond quickly and, consequently, mitigate your company’s risk and comply with the appropriate laws. Outside legal counsel can assist your company in proactively developing a comprehensive documented and training plan. You will need an incident response plan that outlines who to contact and what to do in the event of a data breach. To help prevent attacks from the inside, it is important that you develop appropriate employee policies for use of IT, social media, computers, cell phones, USBs, and personal devices so that your company’s private information can remain secure. It is also advisable to utilize experts to conduct training for employees on cybersecurity issues, such as phishing and malware risks.
There are significant benefits to you, your company and your key employees when you use an experienced attorney in the unfortunate event of a data breach. When utilized to spearhead investigations, counsel can insulate corporate employees and maintain confidentiality. The attorney-client privilege protects communications between counsel and key corporate employees regarding the incident. Moreover, the work-product doctrine protects investigations directed by counsel in anticipation of litigation. For example, when Target was the victim of a data breach, a court found that documents generated in a forensic investigation ordered by outside counsel were protected, while similar documents obtained from the same forensic firm but ordered directly by the client were not protected.
If your company has purchased cyber insurance, it is important to notify your carrier immediately. Most carriers have attorneys, investigators, and cybersecurity forensic specialists on call to immediately respond to your needs. Depending on the scope of coverage purchased, most, if not all, of your losses may be covered.
Unfortunately, there is no uniform federal law related to data breaches. Each state and the District of Columbia has enacted its own laws, some stricter than others. Determining which state’s law applies to your situation is sometimes tricky. You will need to know the legal requirements regarding types of notifications necessary and how much time you have to communicate them. Similarly, if your company operates internationally, the General Data Protection Regulation (GDPR), enacted in the European Union in May 2018, requires strict compliance and includes significant monetary penalties.
I am often asked what types of legal pitfalls and mistakes I have seen with regard to data breaches that can guide a business owner in establishing best practices. The most prolific, egregious mistake companies make is thinking, ”this won’t happen to me” and then failing to proactively plan for attack. Another common pitfall is when business owners ignore red flags and fail to educate employees on the known warning signs of potential breaches such as phishing or unknown attachments. Another common mistake is spending too much time looking for the source of the breach or worrying about the cost of containment rather than taking quick and decisive steps to contain the breach. Working with an experienced team in advance of a cyberattack will help mitigate loss to you, your company, your employees, and your clients. When it comes to cybersecurity, a proactive approach is a must if you want to avoid potential devastation for your business.
