(c) Matt Cordell
Recent headlines have been replete with disastrous news of privacy and information security breaches. Target's breach, affecting 40 million credit and debit card accounts, reportedly resulted in customer information being sold on the black markets. Millions of users of Snapchat (one of the fastest-growing social media platforms) saw their private information leaked online this week. LivingSocial, Evernote, and Adobe each experienced major data breaches in 2013, resulting in tens of millions of user accounts being compromised. Other companies reporting breaches in 2013 include T-Mobile, Travelocity, Cracker Barrel, Facebook, JP Morgan, Bed Bath & Beyond, UNC-Chapel Hill, the federal Food and Drug Administration, and hundreds of charities, government entities, medical providers, and educational institutions.
Records compiled by the Identity Theft Resource Center show that in 2013 there were at least 619 reported breaches affecting more than 57 million individual records. (Most breaches are probably unreported.) A study conducted by online risk management firm NetDiligence reported that in 2013, the average total cost to a company of a security breach was $954,253, with an average legal settlement cost of $258,099 and average legal fees of $574,984.
As diligently as companies try to prevent privacy and information security incidents, there will always be gaps in the armor that result in unauthorized disclosures, whether intentional or unintentional, internal (employees) or external (hackers). It is unreasonable to simply assume that all of these risks can be eliminated. Instead, it is wise to take steps now to proactively address the legal risks.
To make it easy (okay--less overwhelming), I have created a short list that will help you get started on your way to understanding and managing your legal risks associated with privacy and information security:
1. Establish Commercially Reasonable Security Measures and Policies.
Identify the most common types of threats to your organization and take commercially reasonable measures to prevent them. This should include adopting technological standards and complying with all applicable laws.
- You may have a sense of the risks your organization faces and the weaknesses in your existing systems, but I strongly encourage you to consult the studies of reported breaches to see what, statistically speaking, are the major sources of breaches. You might be surprised. For example, according to a study by NetDiligence of cybersecurity claims filed, the most common cause of an information security breach in 2013 was a lost or stolen laptop or device (accounting for more than 20% of reported incidents) followed closely by malicious hackers (accounting for more than 18% of reported incidents).
- Review existing contracts to identify any contractual data security obligations you already have. What standards and requirements are imposed by those contracts? Confirm that you are in compliance with those contractual obligations. For example, confirm that you are complying with the Payment Card Industry Data Security Standard (better known as PCI DSS) if you accept payments by card.
- Identify the best practices in your industry for organizations with similar risk profiles. If your policies and procedures do not meet the industry standards, you are much more likely to suffer liability in the event of a breach.
- Understand the various privacy and information security laws that apply to your organization. (Ignorance of the requirements will not be a defense.)
2. Prepare a Breach Response Plan.
Decide now how your organization will respond to a breach, and document your response plan in writing. Involve IT professionals and knowledgeable legal counsel to ensure that the plan is feasible and complies with the law. Having a plan in place, and following it, can mitigate losses and help protect your company from subsequent liability if lawsuits or government actions follow the breach.
3. Due Diligence on Third Parties.
With whom are you sharing customer, client, shareholder, or employee information? Several recent major data security breaches have taken place within third-party vendors that had no direct relationship with the affected customers, and those customers typically sue the company with which they do have a direct relationship, in addition to the vendor. Conduct a commercially reasonable due diligence process to ensure that only responsible vendors are deemed eligible. Knowing the right questions to ask is key.
4. Sign Only Well-Drafted Contracts.
Some risks of loss arising from data security can be reduced through well-drafted contracts with customers, third-party vendors, or financial institutions. If you merely assume that your vendors or financial institutions will make your organization whole in the event of a breach (wherever the breach takes place), you are probably mistaken. Most of the proposed contracts I have seen presented to companies by third-party vendors are woefully inadequate to protect the company if the vendor fails to prevent a breach of the company's customer data. Involving knowledgeable legal counsel when entering into, or re-negotiating, agreements with third-party vendors that will have access to your customers' information can save potentially massive amounts of money down the road. Even if agreements are already in place, it may be worthwhile to have them reviewed by legal counsel to (i) understand the risks, and (ii) determine whether it is necessary to attempt to re-negotiate.
5. Cybersecurity Insurance.
A number of firms now offer insurance against losses arising from data security breaches, either as a separate line of coverage or as an addition to directors and officers liability insurance coverage. This is another opportunity to spend a small amount now that may ultimately save a company massive amounts later.
My hope is that this brief summary will enable you to identify the steps needed to get a firm grasp on some of the fastest-growing risks facing organizations today. Subsequent blog posts will elaborate on some of the topics identified here.