Recent cyber-security breaches have shown that companies that fail to adequately protect their customer or client electronic data are at risk of losing public confidence and of being subject to costly damage claims of affected clients or customers and government actions for violations of unfair trade practices laws and other regulations.
By establishing reasonable electronic data security practices, your company can better protect its data and reduce its risk of liability should a data breach occur.
Below are 10 tips to enhance your company’s cyber-security:
1. Adopt “commercially reasonable” data security measures.
In Patco Construction Co. v. People’s United Bank, the United States District Court for the District of Maine held that a company’s data security measures do not have to be perfect or the best practices available, but they do have to be “commercially reasonable.” At minimum, your company should:
- Assess its vulnerability to commonly known or reasonably foreseeable attacks;
- Implement low-cost, simple, and readily available defenses;
- Implement further measures that are reasonable given your company’s resources and capabilities:
- Keep up-to-date on security standards in your industry (these may be used to establish that commercially reasonable measures were taken in the event of a data breach);
- Make sure that default passwords and default user IDs are NOT used to secure sensitive data;
- Make sure that simple or obvious passwords and user IDs are not used to secure sensitive data;
- Make sure that all sensitive data is encrypted; and
- Develop systems to detect unauthorized access to your company’s sensitive data.
2. Secure physical access to mobile computing and mobile storage devices.
Not all breaches occur online. Breaches occur in the physical world as well. Theft of mobile devices such as cell phones, laptop computers, USB drives, etc., is a major source of data leaks. These devices often contain sensitive client/consumer information that may be stolen and misused. Companies should carefully monitor custody of these devices and encrypt sensitive data for added protection in the event of a theft or loss.
3. Limit the scope and duration of data retention.
Maintaining excess data or essential data beyond the necessary retention period increases a company’s liability should a data breach occur. In the event of a data breach, the less data that is potentially vulnerable, the better. Properly destroy all data once it is no longer useful to your company, in accordance with your company’s retention policy. If your organization does not already have a written document and data retention policy, work with your lawyer and IT professionals to develop a reasonable policy for your company.
4. Determine if your industry is subject to special duties and requirements.
Under the U.S. Gramm-Leach Bliley Act, “financial institutions” (which, defined by the Act, includes many businesses that may not normally describe themselves as financial institutions) are subject to special “safeguard” rules regarding their customers’ information. Businesses in the medical industry are also subject to special security requirements regarding client/customer information under the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the U.S. Health Information Technology for Economic and Clinical Health Act (HITECH). Check with your lawyer to see if these or any other state or federal data security or information privacy laws apply to your company.
5. Develop procedures to monitor and audit data security in your company.
Implement systems to define suspicious or anomalous activity pertaining to consumer/client data and flag that activity for further investigation. An employee or team of employees should be placed in charge of overseeing and adjusting security procedures on an ongoing basis.
6. Train and educate your employees.
Malware (malicious links and emails) has become a prominent method of intrusion by hackers. Employees should be educated on this risk and trained to avoid opening unknown or unverified emails and links. Inadvertent dissemination of login information is also a common avenue of intrusion by unauthorized third parties. Train your employees to protect their system passwords and user IDs, and to disclose this information only to authorized personnel.
7. Follow your company’s data security policy or agreement.
Failing to abide by one’s own security policies or agreements risks increased liability in the event of a data security breach. Your company’s own policies may set the standard against which any deficient conduct and procedures may be measured in a court claim. Moreover, failure to follow your company’s own policies/agreements may be grounds for breach of contract claims and unfair trade practices prosecution by the U.S. Federal Trade Commission and state authorities. Once your company develops and implements policies, your company should periodically self-audit or bring in an outside auditor to make sure that your personnel are actually adhering to those policies.
8. Carefully select third party providers.
Companies that use third party providers to maintain and store sensitive data should carefully vet and evaluate each provider’s security safeguards and enter into a confidentiality agreement with each provider before sharing data and information. These providers must be capable of complying with any data security obligations to which your company is subject. Check with your lawyer regarding the required content of confidentiality agreements before sharing sensitive data and information with third parties. Your company should also secure contractual indemnification in the event of exposure and liability resulting from a security breach of information held by the 3rd party.
9. Consider cyber-insurance policies.
Many insurance providers offer liability coverage for losses incurred as a result of a data security breach. Typically, coverage requires a security audit by the insurance provider and compliance with the insurance provider’s standards for data security practices. The benefit of these plans is two-fold: they encourage stringent security practices and mitigate damages in the event of a data breach.
10. Develop procedures to quickly respond to a data security breach.
Notification laws are enacted in nearly every state. Generally, these laws require a company to provide notice to affected individuals if there has been a data breach involving their unencrypted data. Maine’s notification law, found at 10 M.R.S.A. § 1348, requires most companies to notify affected individuals if the individuals’ unencrypted personal information has been misused or it is “reasonably likely that misuse will occur.” Notification must be made “as expediently as possible and without unreasonable delay.” Thus, it is imperative that your company develop response procedures to handle post-breach notification requirements under applicable laws.
For more information about data security and how your company can protect itself against data breaches, please contact David B. McConnell at (207) 774-2635 or dmcconnell@perkinsthompson.com.