Data breaches and cyber-attacks are an unfortunate reality. In the past few years, Google, Yahoo, LinkedIn and Wyndham Hotels have all faced data security breaches.
Now, security breaches are an increasing threat to businesses of every size. In May of last year, Yahoo Japan notified users that a breach may have compromised 22 million user IDs, and in April of last year LivingSocial, an online daily deal website, notified more than 50 million customers of a breach resulting from a cyber-attack.
The risk of liability and reputational damage associated with such incidents has escalated, and many key industries — including defense, financial services, health care, retail, pharmaceutical and energy — are the intended targets.
Even more troubling is that the threat is often hidden, with companies not knowing that they have been hacked or that valuable information, including trade secrets or other intellectual property, has been stolen until after significant damage has occurred.
Moreover, a data security incident involving lost or stolen personal information of customers or employees — whether resulting from malicious hacking or employee negligence — may lead to enforcement actions from increasingly active state and federal regulators, fines for failure to comply with payment card data security standards, major news headlines, and even consumer class action lawsuits.
It is not surprising, then, that data security is now a top concern for both general counsel and corporate directors.
Data breach prevention
Companies should take the following precautions to minimize the likelihood of a data breach and potential liability:
Identify all sensitive data handled by the company, its custodians and its storage locations. Conducting an inventory of your company’s sensitive data is an essential step in safeguarding that information.
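The inventory step above is the one piece of this list a practitioner can partly automate: scan the places data is stored, flag files that hold common categories of personal information, and record where they are. The following is an added illustration written for this article, not code from the original page or from any firm it quotes. It walks a directory tree, looks for US Social Security numbers and payment card numbers, validates card candidates with the Luhn check so that an order number or other 16-digit string is not reported as a card, and returns a per-file inventory. The sample files are constructed inline so it runs offline; the pattern set and the file extensions scanned are assumptions, and a real inventory would also cover databases, mail stores and other data types.

```python
"""Added example: a minimal scan for personal information at rest.

Illustrative code written for this article; not part of the original page.
Pattern set and scanned file types are assumptions for the demo.
"""
import os
import re
import tempfile
from collections import Counter

# Candidate patterns. SSN_RE rejects areas 000, 666 and 9xx, group 00 and
# serial 0000, which are never issued. CARD_RE is deliberately loose
# (13-19 digits, optional spaces or dashes); luhn_ok() filters the result.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Counter:
    """Count each category of personal information found in one text."""
    found = Counter()
    found["ssn"] += len(SSN_RE.findall(text))
    for candidate in CARD_RE.findall(text):
        if luhn_ok(candidate):
            found["card"] += 1
    return +found               # unary plus drops zero-count entries


def inventory(root: str, extensions=(".txt", ".csv", ".log")) -> dict:
    """Map each file under root that holds personal information to what it holds."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue        # assumption: only text-like files are scanned
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = classify_text(fh.read())
            except OSError:
                continue
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = dict(hits)
    return report


def demo() -> dict:
    """Build a constructed sample tree and inventory it."""
    root = tempfile.mkdtemp()
    samples = {                 # constructed sample data, not real records
        "hr/employees.csv": "name,ssn\nAlice,123-45-6789\nBob,234-56-7890\n",
        "finance/refunds.txt": "refund to 4111 1111 1111 1111 approved\n"
                               "order id 4111111111111112 (not a card)\n",
        "notes/readme.txt": "nothing sensitive here\n",
        "build/output.bin": "123-45-6789",   # skipped: extension not scanned
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return inventory(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

The Luhn check matters more than it looks: without it, every 16-digit identifier in a log or order export is reported as a card number, and the inventory becomes noise that nobody maintains. The `.bin` file in the sample is skipped on purpose, to show that the scope of an inventory is itself a decision that has to be recorded.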
Ensure compliance with state and federal regulatory requirements. Depending on the type of data your company holds, it may be subject to a broad array of state and federal laws, including HIPAA, the Gramm-Leach-Bliley Act and state data security regulations. Consult with legal counsel to ensure compliance with the complex patchwork of laws.
Regularly review and update your company’s written information security policies. This is a requirement under some federal and state laws and a recommended practice for all companies.
Implement and maintain both computer system security measures and physical security measures.
“Companies need to ensure they have the most secure network they can afford, and keep it up-to-date,” said Collin J. Hite, a Richmond attorney who handles insurance recovery for data breaches. He noted that mobile devices must be included in the purview of network security, and these devices should be properly encrypted.
While computer security measures (e.g., passwords, encryption, firewalls, anti-virus software) are critical, physical security measures (e.g., locked cabinets, shredders) are equally important to safeguarding sensitive data and personal information.
Implement best practices and train employees. A company’s policies are only as good as its practices. Many data breaches result not from sophisticated cyber-attacks, but from basic employee negligence.
“The weakest link in cybersecurity is human error,” said Hite. He emphasized that most criminals aren’t attacking companies at the front gate. Instead, they are sneaking in the back door by exploiting vulnerabilities caused by unsuspecting or unwitting employees.
For example, an employee may forget his laptop on the subway or leave a thumb drive in the coffee shop. Phishing scams are also a common means for criminals to access a network.
In addition to training, companies should have a protocol for employees to follow when they lose a device, as well as a remote means for wiping a device’s data, Hite said.
Ensure vendor compliance. Exercise diligence when retaining third-party service providers or “business associates” with whom sensitive information may be shared. In some circumstances, a company may be found liable for its vendor’s non-compliance.
“If you’re using vendors and giving them access to sensitive information, whether it’s your own or your customers’, you have to undertake some due diligence on that vendor,” said Kathryn L. Ossian, an information technology lawyer in Ferndale, Mich. “You also have to have it in the contract and have them agree to what security measures you need them to live up to.”
Conduct periodic attorney-directed data security assessments. Such assessments will assist in detecting vulnerabilities and ensuring compliance with applicable laws. Businesses should retain outside counsel in order to preserve the attorney-client privilege applicable to any reports or other communications relating to the assessment.
Consider cyber liability insurance. Companies have had only mixed success in relying on traditional insurance policies to cover the costs associated with data breaches. Many companies now purchase cyber liability insurance, which is specifically designed to cover the costs of forensic investigations, notification and credit monitoring for affected individuals, regulatory compliance, and defending lawsuits and payment of any resulting judgments or settlements.
“Industry is seeing a dramatic uptick in companies purchasing cyber insurance,” Hite said. But he warned that companies must read the fine print carefully when purchasing a cyber insurance policy.
“Cyber insurance is not one size fits all,” he said. For example, some providers may refuse coverage if a non-encrypted device becomes compromised.
Responding to a data breach
Although the steps outlined above will reduce the risk of a data breach, not all breaches are avoidable. In the event of a data breach, companies must comply with data breach notification laws, which have been enacted in 46 states, including Virginia, and in the District of Columbia.
Virginia Code §18.2-186.6 provides the procedure for notification following a breach of personal information in the commonwealth.
A business that suffers a breach must notify consumers “without unreasonable delay.” If more than 1,000 people are involved, the business must advise the attorney general and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, again “without unreasonable delay.”
It ultimately will be up to the courts to interpret what is reasonable under the law.
“What’s ‘reasonable’ is going to be judged by what you did, when you did it and what else was going on in your industry,” Ossian said. “Certainly if you’re a bank, the requirements and what may be reasonable might be higher than what’s reasonable for a company that doesn’t take credit cards or deal with the same kind of information as banks do.”
At the federal level, the HITECH Act’s breach notification rules require health care organizations covered by HIPAA to report data breaches involving 500 or more individuals to the affected individuals, the U.S. Department of Health and Human Services, and “prominent media outlets serving a State or jurisdiction” within 60 days of discovering the breach. Breaches involving fewer than 500 individuals must be logged and reported to the department annually.
Data breaches become a crisis situation for many companies, with management scrambling to determine what happened, how it happened, and what steps to take to mitigate the damage.
To limit potential liability for a data breach, companies should:
Maintain an incident-response plan and team. The incident-response plan, prepared before an incident occurs, should identify the team members (e.g., executive management, IT, legal, human resources and public relations professionals), specify each team member’s responsibilities, outline breach response measures, and involve outside professionals (i.e., legal, forensic, public relations) immediately following an incident.
“Companies need strong leadership in the net security department,” Hite said. Company leaders should have policies in place and stress to employees that these policies must be followed. “All the security in the world won’t help” if even one employee does not follow through.
Remember that time is of the essence. It is important to act quickly when facing a data security incident, given the deadlines under applicable state and federal laws. Failure to do so could lead to both increased regulatory scrutiny and liability.
Consult with legal counsel. Data breaches are often complex and may affect thousands, or even millions, of individuals, necessitating compliance with dozens of breach notification statutes. It is recommended that outside counsel be consulted to guide the breach response, ensure compliance and preserve applicable privileges. When dealing with complex breaches, engaging an outside forensics investigation firm may also be recommended.
According to Hite, a good cyber insurance policy comes with a vetted panel of vendors covering these services. With such a policy, it takes one phone call to the insurer to secure a forensic IT consultant to help re-secure and rebuild the network, implement crisis management and provide legal counsel.
Preserve corporate reputation. Large breaches make the headlines. It is critical for the company to preserve its reputation with both the affected individuals and the general public. Engaging a public relations firm may be helpful in this regard. Offering credit monitoring to affected individuals may also help to maintain corporate reputation, reduce the risk of consumer identity theft and potential lawsuits, and appease regulators.
In the digital age, cyber-attacks and data breaches are constant threats to businesses. With breaches of large, sophisticated companies coming to light nearly every day, and state and federal regulators taking a hard line approach to data security, businesses understandably are concerned.
To combat this increasing threat, companies should implement best practices to minimize the risk of a data breach and resulting liability. Prevention and self-protection are essential components to reduce the threat and impact of data breaches and cyber-attacks.
– By Patrick J. O’Toole Jr. and Corey M. Dennis. O’Toole and Dennis practice law in Boston. This article includes additional reporting by Sarah Rodriguez and Douglas Levy.