Sep 21, 2018
Published in the Sussman Shank LLP Spring 2018 Newsletter
Businesses of every size confront privacy and data security issues on a near-daily basis. Employees, consumers, customers, and clients are more concerned with the safety of their personal information than ever before. At the same time, the risks from lax security measures have never been greater. The following are questions that business owners and their advisors should be asking to determine compliance with privacy laws and preparedness for a cyber incident (data breach).
1. What kind of data does your business store?
Compile an inventory of the data that your business stores. Find out to whom the data belongs, how your business received it, and where it is stored. Your business may be acquiring confidential or sensitive information inadvertently, for example, through an unrestricted “comments” field on the “Contact Us” page of your website. Once the inventory is complete, classify each category of data according to its asset value and its relevance to applicable laws.
3. Do you have a Data Retention Policy?
A Data Retention Policy describes how an organization’s employees are expected to manage electronic and physical data from creation through destruction. It should specify retention and destruction guidelines for every form of data the business holds, including paper files, electronically stored information, CDs, and tapes. Some retention periods may be dictated by applicable laws, such as the Fair and Accurate Credit Transactions Act (FACTA) disposal rule. If your business is ever involved in litigation, a robust Data Retention Policy that was followed consistently may help defend against charges of evidence destruction.
4. What about vendors of the business?
More and more businesses are relying on third parties, including cloud storage companies, to store or process data. Vet your vendors before engaging them: conduct reference checks and ask questions about their financial condition, insurance policies, and information security controls. Carefully review contracts before signing to ensure that they include confidentiality provisions, state that data is to be used only for the purposes contracted for, and require the vendor to promptly disclose data breaches.
5. Do employees know how to avoid a cyber-attack?
Every employee needs to know that he or she has an individual responsibility to protect confidential information held by the business. Employees should be trained upon hiring and receive yearly refreshers. Recent studies indicate that positive reinforcement may be a more effective way to train employees on cybersecurity best practices. It is also more effective to have other employees conduct all or part of the training, rather than IT professionals, whom staff may find intimidating.
6. Is your business ready for a data breach?
Businesses must have an Incident Response Plan that sets out what to do and whom to call in the event of a data breach. The Incident Response Plan should designate an internal point person or team, and specify a protocol for employees to follow if they experience a data breach or any other cyber incident. It should also list external contacts such as a forensic investigator, credit monitoring company, attorney, and insurance broker, as well as law enforcement and regulatory authorities. Keep printed copies of the Incident Response Plan, because the systems that hold the electronic copy may be unavailable during an incident, and update the plan annually.
7. Does your business need Cyber Insurance?
The average price a small business pays for a data breach is $690,000. Cyber insurance is one way to mitigate those costs. Common reimbursable expenses include forensic investigation, business interruption losses and data loss recovery, breach notification including credit monitoring, legal settlements and regulatory fines, and even extortion payments (such as in response to a ransomware attack). Cyber insurance may be especially valuable for businesses that do not have an IT department or a dedicated IT manager, because insurers often require security assessments and other improvements before issuing a policy. Those steps help to avoid or mitigate a later breach.
8. Does the GDPR apply to your business?
On May 25, 2018, the European Union General Data Protection Regulation (GDPR) went into effect. The GDPR defines a broad set of rights and principles governing the protection of EU data subjects, including mandating that companies have a designated data protection officer and imposing new breach notification requirements. U.S. companies that have no presence in Europe but that sell to people located in the EU, or that obtain and retain personal information of people in the EU, may be required to comply with the GDPR. The GDPR may also apply if your U.S. business contracts with vendors in the EU to store personal information. Compliance is complicated and fines are steep, so evaluate your GDPR obligations if there is any chance your business is covered.
Kristen Hilton is an attorney with Sussman Shank LLP. She is a Certified Information Privacy Professional for the United States (CIPP/US) and focuses on counseling businesses and employers on issues relating to privacy and data security. Contact her at 503-243-1654 or firstname.lastname@example.org.