Data Breaches and What To Do About Them
Data breaches are becoming more and more common, with new incidents reported in the news seemingly every day. The California Office of the Attorney General (COAG) reported receiving 657 incidents of data breaches over the last 4 years that affected 49 million records of Californians. In 2015 alone, 24 million California records were affected by data breaches. Many security professionals now claim that it is not a question of “if” a company will be impacted by a data breach but only a question of “when.” Consequently, preparation is mandated, not just by common sense but by the law as well. The California Civil Code requires that a business “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect personal information from unauthorized access, destruction, use, modification, or disclosure.” Similar provisions exist in other states as well as in federal law. This means that those responsible for the operation of a business or an organization, even those serving on a board of directors, must take responsibility for complying with the law. In summary, this requires a holistic approach to the issue, with a design in place for the security of the entire organization.
In June 2015, the Federal Trade Commission (FTC) released “Start with Security: A Guide for Business,” available on the FTC’s website. It sets forth lessons learned from more than 50 cyber security related enforcement actions, condensed into ten principles:
1. Start with security.
2. Control access to data sensibly.
3. Require secure passwords & authentication.
4. Store sensitive personal information securely and protect it during transmission.
5. Segment your network and monitor who’s trying to get in and out.
6. Secure remote access to your network.
7. Apply sound security practices when developing new products.
8. Make sure your service providers implement reasonable security measures.
9. Put procedures in place to keep your security current & address vulnerabilities that may arise.
10. Secure paper, physical media & devices.
Compliance with these principles could require the involvement of legal counsel in numerous instances. One example is the retention of third-party vendors to handle cyber security issues. Since the vendor is entrusted with sensitive information, due diligence on the vendor must be performed, and the security requirements the vendor is to follow must be documented.
Incident Response Issues
Prior to any incident ever occurring, an incident response plan should be developed and tested. Businesses may also consider purchasing cyber insurance, since traditional insurance probably will not provide coverage in the event of a breach. If a breach does occur, should a breach notice be sent out? California has specific requirements, and legal counsel should be consulted about whether to send out such a notice and how.
Cyber security involves a plethora of issues and responsibilities, too many to include here. For further questions, legal counsel should be consulted.