Planning for the Perilous Consequences of a Data Breach
The nightmare scenario for corporate boards and senior executives is the impact of a major data breach. We have seen this first hand with Equifax, Anthem Healthcare, and Target, to name prime examples. In the Equifax case alone, it is estimated that approximately 140 million individuals had their information exposed in the attack. In circumstances like these, it is easy to see how a company can find itself fighting for its life.
The risks start from negative publicity, Congressional intervention and hearings, extend to breach remediation costs (technical and legal), corporate governance challenges, and the inevitable follow-on collateral litigation. Costs from a data breach are mounting and companies can no longer ignore the impact of such an event. Given the potential devastating impact, companies have to secure cyber insurance as part of an overall compliance and remediation strategy.
A Data Breach Emergency Protocol is a critical component of every Cybersecurity Compliance Plan. A data breach has to be defined as the unauthorized collection or disclosure of sensitive information, personal or business secrets, to a party inside or outside the organization. To protect against such attacks, companies employ a variety of controls, including firewalls, dedicated security teams, strong authorization protocols and password requirements, to protect sensitive data.
In the simplest terms, a hack can occur from someone obtaining a valid username and password to enter the company’s network. With the advent of cloud computing and complex hacking techniques, current security strategies are quickly becoming outmoded.
Companies are now focusing on strategies that protect the sensitive data itself through encryption. Each individual user has to be authorized at a second level of protection before gaining access to the sensitive data itself.
Every state has established data breach notification requirements. Despite numerous attempts, Congress has been unable to establish a federal standard that may preempt state requirements. The individual state laws usually define a data breach, who has to be notified, what form the notification should take, what remedial action has to be taken, and the legal punishments for failure to comply with these requirements.
When customer information is breached, companies have to establish where a customer resides for purposes of determining which state law may apply. Breaches that involve personal, health, and financial data require robust notification and remediation efforts.
The costs of notification are just the beginning – customer support for individuals who need assistance as well as compensation for damages and replacement for new credit cards, for example, can quickly add to a company’s costs to remediate after a data breach.
Given the increasing burden being imposed by the states, companies need to ensure prompt and comprehensive notification and remediation plans. If a company fails to comply with these requirements, the headaches, legal consequences, reputational damage and penalties can increase exponentially.
A company’s response to a data breach is the most critical step it can take to limit the damage to its reputation. When faced with a data breach crisis, a company has to rally around a comprehensive plan, stick to the script, and address issues as they arise. An emergency response can never anticipate every issue, but a plan should have contingencies for the most significant scenarios.
More companies are employing proactive technical protections against data breaches. A company that segregates and encrypts its sensitive data may be able to protect against a data breach as defined under state laws. An unauthorized intrusion may not be able to extend into the encrypted data. As a result, encryption can create a safe harbor for a company from data breach notification requirements and consequences.
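The "segregate and encrypt" approach described above is easier to reason about with a concrete model. The following is an added illustration, not code from the original article, written in Go against the standard library. It assumes a hypothetical record store that holds only ciphertext plus a per-record data key wrapped under a master key, while the master key itself is held elsewhere (a separate key service or hardware module). That separation is the point of the technique: the state-law exemptions for encrypted data generally depend on the key not being exposed together with the data, so a dump of the store alone yields nothing readable. The `ContainsPlaintext` helper is the check a breach-response team would want to run against an exfiltrated copy: does the raw data actually contain the sensitive value or not?

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a hypothetical row in the sensitive-data store. It never holds
// plaintext: the field is encrypted under a fresh per-record data key, and
// that data key is stored only in wrapped (encrypted) form.
type Record struct {
	CustomerID string
	WrappedKey []byte // per-record data key, encrypted under the master key
	Ciphertext []byte // sensitive field, encrypted under the data key
}

// aesGCMSeal encrypts plaintext with AES-256-GCM and prefixes the random nonce.
// aad (additional authenticated data) is bound to the ciphertext without being encrypted.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal; it fails on a wrong key, tampered data or wrong aad.
func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := sealed[:g.NonceSize()], sealed[g.NonceSize():]
	return g.Open(nil, nonce, ct, aad)
}

// Seal builds a Record for one customer using envelope encryption: a random
// 256-bit data key encrypts the field, and the master key wraps the data key.
// The customer ID is used as AAD so a record cannot be re-attached to another customer.
func Seal(masterKey []byte, customerID string, sensitive []byte) (Record, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Record{}, err
	}
	ct, err := aesGCMSeal(dataKey, sensitive, []byte(customerID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := aesGCMSeal(masterKey, dataKey, []byte(customerID))
	if err != nil {
		return Record{}, err
	}
	return Record{CustomerID: customerID, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Open recovers the sensitive field. It needs the master key, which is held
// outside the store; without it the record is unreadable.
func Open(masterKey []byte, r Record) ([]byte, error) {
	dataKey, err := aesGCMOpen(masterKey, r.WrappedKey, []byte(r.CustomerID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return aesGCMOpen(dataKey, r.Ciphertext, []byte(r.CustomerID))
}

// ContainsPlaintext answers the breach-response question: does a raw dump of
// the store contain the sensitive value in the clear?
func ContainsPlaintext(store []Record, value []byte) bool {
	for _, r := range store {
		if bytes.Contains(r.Ciphertext, value) || bytes.Contains(r.WrappedKey, value) {
			return true
		}
	}
	return false
}

func main() {
	masterKey := make([]byte, 32) // constructed; in practice this comes from a KMS/HSM
	rand.Read(masterKey)
	ssn := []byte("123-45-6789") // constructed sample value
	rec, _ := Seal(masterKey, "cust-0001", ssn)
	fmt.Println("dump contains plaintext:", ContainsPlaintext([]Record{rec}, ssn))
	got, _ := Open(masterKey, rec)
	fmt.Println("with master key:", string(got))
}
```

Two design choices carry the compliance argument. First, the master key is never stored beside the records, so an intrusion that copies the store does not also copy what is needed to read it. Second, each field has its own data key, so compromise of one record's key does not expose the rest of the table and keys can be rotated record by record.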