We are all familiar with Benjamin Franklin's famous quote about death and taxes. Centuries later, today's high-tech world faces a third certainty – data security breaches. The data breaches involving Bank of America, Target, and Sony grabbed headlines, but data security breaches affect businesses of all sizes and across all industries. Data in any form has value to someone, and no business is immune from a potential breach. Hackers compromise nearly 30,000 websites each day. A majority of these breaches result from weaknesses in our collective cyber behavior rather than through nefarious means. According to the FBI, 90% of cyber-attacks involve phishing email scams. Such scams only succeed if an individual unwittingly succumbs to the enticements of the scam. Cybersecurity is the responsibility of all employees, not just IT. By instilling a culture of cybersecurity, businesses can position themselves to respond and adapt to the perils presented by our technology-centric world.
Preparing For A Data Breach
Prepare your business to respond to the unpreventable cyber-attack by minimizing your internal and external risks through a cybersecurity framework encompassing all aspects of the company. A successful cybersecurity framework starts at the top with management and includes all employees. The overwhelming majority of data breaches are the result of employee behavior; therefore, a rigorous policy backed with regular training is a company's first line of defense. A cybersecurity committee or officer should be designated and given the responsibility for adopting, implementing, and maintaining policies. The committee or officer must also ensure that all employees follow the policies.
A robust cybersecurity policy starts by identifying what data the business possesses and the sensitivity of that data. Examples of sensitive data may include personal identifying information regarding individuals (social security numbers or birth dates), financial information, or proprietary information essential to business operations.
Once the data assessment is complete, the next step is to identify where the data is stored. Data is typically located on computers, servers, smartphones, tablets, the ever-elusive "cloud," and on similar platforms controlled by third party vendors or service providers. Once it knows where its data is stored, a business must determine who has access to the data. Particular attention should be paid to knowing which employees, vendors, or service providers have access to the data. Understanding the what, where, and who of a business's data provides the outline necessary to educate employees and work towards the creation of a culture of cybersecurity.
Employee education and training are the first line of defense against a data breach. Employees should be trained in reasonable security measures to protect a business's data. Such training may include teaching employees about the proper selection and storage of passwords as well as keeping employees abreast of the latest malware and phishing scams.
A benefit of the cyber age is the ability for employees to work remotely. If permitted to do so, employees working remotely should be required to access data via a VPN (virtual private network). Similarly, employees should be trained with respect to the removal of data from the workplace, with reasonable limitations in place to protect data. A classic example of "taking work home" is the individual who leaves a cell phone or laptop, with unencrypted data, in the back seat of a taxicab.
Inevitably, whether intentional or unintentional, breaches occur. Employees must be trained to report any threat to data security, even something as simple as the loss of a personal phone. Not all data breaches rise to headline levels; however, every breach requires a response, the key to which is timely reporting. If a breach is reported, the business must investigate.
Just as the tools used to access data evolve, so too must the efforts to combat the risks. It is no longer sufficient to have stagnant policies. A healthy cybersecurity framework will be fluid and will evolve as technology, data, and risks evolve. Routine audits of systems, policies, procedures, and employee compliance should be regularly conducted.
Responding To A Data Breach
Preparation is key when responding to a data breach. The aftermath of a data breach is the most inopportune time to organize a response, and doing so then may lead to unnecessary delays, an ineffective response, and unnecessary complications. Every business should have a "response team" in place – prior to a breach – to address data breach issues at a moment's notice. At a minimum, the response team should include a representative from management, IT, human resources, media relations (internal or external), and cybersecurity compliance. Additionally, outside counsel and a forensic consultant should be key members of the response team. If the business has cybersecurity insurance, a carrier representative should also be included. Ideally, one member of the team will be designated to lead the response and serve as the quarterback of the investigation. Outside counsel typically assumes this role due to the legal ramifications that may flow from a data breach and the need to protect privileged communications.
The timely documentation and preservation of information is of the utmost importance in a response. Once a data breach is detected, steps should be taken to secure the premises or equipment involved. Allow a forensics team to prevent any additional data loss and to begin analyzing the breach at hand. A data breach may trigger certain legal notifications and result in litigation or fines. For these reasons, it is imperative that the response team document the following information: who discovered the breach; to whom the breach was reported; when the breach was detected; how it was detected; what type of breach occurred; what data was involved; which individuals were affected; in which states the affected individuals reside; and what systems were involved. The objective is to memorialize all relevant information at the time the breach is detected.
Once response efforts are underway, it may become necessary to modify information or equipment, and information regarding the breach may be lost or destroyed during this process, which is why documentation must come first. In addition, a forensics consultant will not only analyze the cause and immediate ramifications of the breach, but may also be able to identify other potential security gaps or risks and help get systems back up and running in a timely manner.
In the event of a data breach, implementing the above steps correctly and in a timely manner is critical. Currently 47 out of 50 states have data breach statutes, not to mention industry-specific requirements such as HIPAA or the Sarbanes-Oxley Act. Depending on the nature and scope of a single breach, a business may find itself evaluating notification requirements in multiple jurisdictions with differing requirements.
Mitigating The Risks Of The Inevitable: Contractual and Insurance Considerations
A business's cybersecurity responsibilities and efforts do not end at the front door. Contractual relationships between a business and third parties create additional risks. Whether those third parties are customers, vendors, or service providers, a business must take steps to protect the information shared with those third parties.
The first line of defense for protecting information shared with third parties is strong contract terms in regard to data security. A contract provides a business with an opportunity to identify the ownership of data and allocate cyber-related risks such as cyber credentialing requirements, indemnification, and insurance coverage. In addition, to the extent that a business works with outside vendors or service providers, a business is well-advised to contractually address, among other things, the third party's cybersecurity and data protection policies, which of their employees have access to information, screening of employee backgrounds, and the ability to conduct an audit of the third party's operations.
Data breach specific insurance policies have also emerged as a resource to help businesses round out their cybersecurity protections. Insurance will not eliminate the risk; however, it will mitigate the fallout. As a first step, a company must assess what cyber coverage, if any, it currently has. A business should no longer rely on existing or traditional CGL (commercial general liability) or E&O (errors and omissions) policies to provide coverage against a data breach. In fact, many such policies now exclude coverage for data breaches. Data breach policies currently provide a range of coverage, including for first and third party damages, remediation efforts, payment of fines and penalties, and the provision of risk management services. A business should work closely with its broker or insurance carrier and legal counsel to assess current coverage and whether additional coverage needs exist.
Cybersecurity and data protection are an essential part of our interconnected business world. To succeed in a business environment that is becoming ever more reliant on technology, it is essential that businesses conduct an ongoing assessment of their technology, data, and cyber credentials. Although a business may not be able to completely eliminate the risk of a data breach, through the implementation of sound cybersecurity and data protection policies, a business can reduce its exposure and position itself to appropriately respond to and address the new third certainty in life.
Article originally published in the Association of Corporate Counsel Charlotte Newsletter, 1st Quarter 2015, and posted with permission.