Data breaches constitute a major threat to small, midsize, and large businesses. It seems that nearly every week brings the disclosure of a new data breach. Although the data breach of Ashley Madison provoked widespread publicity, major data breaches certainly occurred both before and after the Ashley Madison debacle. And, with each data breach, litigation ensues shortly thereafter. Consequently, any business – no, every business – that stores customer electronic data must assess the risks of data breaches and implement policies and security measures to address a breach should it occur. Such an assessment must include an analysis by an attorney or lawyer versed in data security law.
Terms, Conduct, and Practices
Implementing Security Measures
A business should also implement security measures. And, while website terms should reflect practices, a business need not – and should not – disclose the specific security measures employed. Generally, a business should implement security measures that would be reasonable within its business sector.
Completing a Data Security Analysis and Data Breach Response Plan
Any business that possesses information about customers should evaluate its data security practices and methods for responding to a breach or threatened breach. In such an analysis, a business must address technical security issues as well as business management issues. Typically, a consideration of the technical security issues will involve considerations of the data held and the appropriate security measures to implement (see above). A consideration of business management issues relates to both preparation for addressing a data breach and the actual mechanisms implemented if and when a data breach occurs.
One approach would be to work with the National Institute of Standards and Technology Cybersecurity Framework. The NIST Framework contains a methodical approach to evaluating and setting goals for data security systems. Five key elements of this framework involve identification of data security issues and concerns; protection from data breaches; detection of data breaches and anomalies; responses to data breaches; and recovery from data breaches. Working with a data security attorney versed in the NIST Cybersecurity Framework can facilitate a productive endeavor in creating a sound data security plan.
Additionally, a business should create an actionable incident plan and align other policies with the incident plan. In addition to security technology, a business should ensure policies (such as workplace policies) permit appropriate network monitoring for intrusion detection. Finally, a business should develop relationships with appropriate agencies and, importantly, a data security attorney or lawyer versed in the applicable issues.
During a Cyber Attack
As the Department of Justice (“DOJ”) recommends, a business should make an initial assessment, minimize damages, and collect and preserve relevant information and data. A business must also notify appropriate parties. In the United States, the states have enacted data breach disclosure laws that address the parties to whom notice must be provided and the specific information the notice must contain. Moreover, other government agencies have indicated that disclosure must be made.
For example, the Securities and Exchange Commission’s Division of Corporation Finance issued guidelines on disclosures for public companies in 2011. In early 2015, the SEC issued its Regulation Systems, Compliance and Integrity (Regulation SCI). As SEC Chair White has stated, the Regulation SCI requires “an entity covered by the rule to test its automated systems for vulnerabilities, test its business continuity and disaster recovery plans, notify the Commission of cyber intrusions, and recover its clearing and trading operations within specified time frames.”
Failure to comply with these laws could result in significant penalties.
Data Breach and Security Attorneys
Mudd Law provides its clients with a full suite of data security and data breach representation. For more information, contact Charles Mudd.