Data breaches constitute a major threat to small, midsize, and large businesses alike. It seems a new data breach is disclosed nearly every week. Although the Ashley Madison breach provoked widespread publicity, major breaches certainly occurred both before and after that debacle. And, with each breach, litigation follows shortly thereafter. Consequently, any business – indeed, every business – that stores customer electronic data must assess its data breach risks and implement policies and security measures to address a breach should it occur. Such an assessment must include an analysis by an attorney versed in data security law.
Terms, Conduct, and Practices
As an initial matter, any business that hosts a website with terms of use and a privacy policy must ensure those policies reflect the business’ actual conduct and practices. This principle could not be clearer: the website policies must reflect the business’ practices, and the business’ practices must reflect the website policies. For this reason alone, it is advisable to work with legal counsel to carefully draft terms of use and privacy policies. A business must avoid the all too common practice of copying the terms used by a competitor or some other attractive website, since those terms describe someone else’s practices, not its own. Custom terms of use and website policies form a critical component of due diligence.
The website policies and the business’ practices should be audited against each other at least once a year. In particular, a business should consult with an attorney after any significant legal or data security development occurs. Recent data breach litigation has included claims for misrepresentations found in website terms of use, which should prompt a review to ensure the policies still reflect current practices. Likewise, an assessment should occur in light of the European Court of Justice (“ECJ”) invalidating the U.S.-EU Safe Harbor program in October 2015, since any privacy policy that relies on Safe Harbor to justify transfers of personal data from the EU no longer reflects a valid legal basis.
Implementing Security Measures
A business should also implement security measures. And, while website terms should reflect practices, a business need not – and should not – disclose the specific security measures it employs, as doing so only assists an attacker. The same caution applies in the other direction: a policy should not promise specific protections (for example, that all customer data is encrypted) unless the business actually provides them, because such statements become the basis for misrepresentation claims after a breach. Generally, a business should implement security measures that would be considered reasonable within its business sector, taking into account the sensitivity and volume of the data it holds.
Completing a Data Security Analysis and Data Breach Response Plan
Any business that possesses information about customers should evaluate its data security practices and its methods for responding to a breach or threatened breach. Such an analysis must address technical security issues as well as business management issues. Typically, the technical analysis involves an inventory of the data held, where it resides, and the appropriate security measures to implement (see above). The business management analysis relates both to preparation for a data breach and to the actual mechanisms that will be invoked if and when a data breach occurs.
One approach is to work with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The NIST Framework provides a methodical approach to evaluating a data security program and setting goals for it. The Framework is organized around five core functions: Identify (understanding the systems, data, and risks that must be managed); Protect (safeguards against a breach); Detect (identifying breaches and anomalies promptly); Respond (containing and managing a breach once detected); and Recover (restoring normal operations afterward). Working with a data security attorney versed in the NIST Cybersecurity Framework can facilitate the creation of a sound data security plan.
Additionally, a business should create an actionable incident response plan and align its other policies with that plan. For example, beyond deploying security technology, a business should ensure its workplace and acceptable-use policies permit the network monitoring needed for intrusion detection, so that monitoring does not itself create legal exposure. Finally, before any incident occurs, a business should develop relationships with the appropriate agencies, including law enforcement, and, importantly, with a data security attorney versed in the applicable issues.
During a Cyber Attack
As the Department of Justice (“DOJ”) recommends, a business should make an initial assessment of the incident, take steps to minimize continuing damage, and collect and preserve the relevant information and data in a manner that keeps it usable as evidence. A business must also notify the appropriate parties. In the United States, the states have enacted data breach notification laws that specify the parties to whom notice must be provided, the information the notice must contain, and the timing of the notice; because these laws vary by state and generally turn on the residence of the affected individuals, a breach commonly triggers obligations under several of them at once. Moreover, federal regulators have indicated that disclosure must be made in certain circumstances.
For example, the Securities and Exchange Commission’s Division of Corporation Finance issued guidance in 2011 on cybersecurity disclosures by public companies. Separately, the SEC adopted Regulation Systems Compliance and Integrity (Regulation SCI) in late 2014, with the rule taking effect in early 2015; it applies to a defined set of market infrastructure entities such as exchanges and clearing agencies rather than to public companies generally. As SEC Chair White has stated, Regulation SCI requires “an entity covered by the rule to test its automated systems for vulnerabilities, test its business continuity and disaster recovery plans, notify the Commission of cyber intrusions, and recover its clearing and trading operations within specified time frames.”
Failure to comply with these laws could result in significant penalties.
Data Breach and Security Attorneys
Mudd Law provides its clients with a full suite of data security and data breach representation. For more information, contact Charles Mudd.