In April, I wrote a blog post for the North Carolina Business and Banking Law Blog on this topic. You can read the full piece here. Below are some key points to consider:
- Approximately 46 states and the District of Columbia have data breach notification laws.
- Data breach notification laws usually require a company to notify the affected customers, the attorney general, and the consumer reporting bureaus.
- Breaches affecting a small number of customers may not be required to be reported to officials.
- According to the Identity Theft Resource Center, a nonprofit group that tracks data security breach reports, there were 447 reported data security breaches in 2012, covering 17,317,184 individual records.
- A study conducted by online risk management firm NetDiligence reported that in 2011, the average total cost to a company of a security breach was $3.7 million, with an average legal settlement cost of $2.1 million and average legal fees of $582,000.
- 26% of data breach lawsuits were brought against companies in the financial services sector, with 20% in the health care sector and 10% in the retail sector.
- Commercially Reasonable Security Measures and Policies. Companies should know the most common types of threats and take commercially reasonable measures to prevent them. This should include adopting technological standards and complying with all applicable laws.
- Adopt a Data Security Breach Response Plan and Train Staff. Prepare now for how your company will respond to a breach. Involve IT professionals and knowledgeable legal counsel. Having a plan in place, and following it, can mitigate losses and help protect your company from subsequent liability if lawsuits result.
- Due Diligence on Third Parties. Several recent major data security breaches have taken place within third-party vendors who had no direct relationship with the customer, and the customers typically sue the company with which they have a relationship in addition to the vendor. Conduct a commercially reasonable due diligence process to ensure only responsible vendors are deemed eligible. Knowing the right questions to ask is key.
- Well-Drafted Contracts. Some risks of loss arising from data security can be reduced through well-drafted contracts with customers, third-party vendors or financial institutions. Most of the proposed contracts I have seen presented to companies by third-party vendors are woefully inadequate to protect the company if the vendor fails to prevent a breach of the company's customer data. Involving competent legal counsel when entering into agreements with third-party vendors that will have access to your customers' information can save potentially millions of dollars down the road.
- Cybersecurity Insurance. A number of firms now offer insurance against losses arising from data security breaches, either as a separate line or as an addition to directors and officers liability insurance coverage. This is another opportunity to spend a small amount that may ultimately save a company massive amounts later.