Data breaches are inevitable. 2017 was the “year of the data breach,” with more exposure of personally identifiable information (“PII”) than ever before. If you were one of the 30% of US-based consumers who were notified of a data breach, it isn’t comforting to know that you aren’t alone in your plight. As a business owner, the feeling is even worse when you identify the existence of a fraud that you unknowingly helped perpetrate on your customers. Recognizing the prevalence of online consumer transactions, it is difficult for businesses to grapple with the thought that they are somehow responsible for protecting their online presence, which necessarily includes the consumer data that they collect. Regardless of the size of your business, you have an obligation to protect your data.
Step 1 – Understand what data you have. This is usually a multi-faceted approach, because it requires involving a number of stakeholders in your business. There typically isn’t one right person to answer this question. Instead, you should work together with your team, which will necessarily include IT, communications, customer service, HR, security, corporate, and legal. A cohesive approach to recognizing what data is being held in your possession, as opposed to being held by a third-party vendor, is critical to assessing what security measures you need to take.
Step 2 – Work with the appropriate professionals to secure all data. The same people involved with identifying the data should be the ones tasked with creating, and implementing, a security protocol. Depending on the type of data that you have collected, you will need varying levels of security for your data. For example, protected health information is covered by HIPAA, which has a different set of rules than consumer financial data (covered by the Gramm-Leach-Bliley Act, among others), which has a different set of rules than educational data (covered by the Family Educational Rights and Privacy Act). Understanding who your customers are and where they reside has an impact on the type of security required as well. The US lacks a single, comprehensive federal law that governs the collection and use of personal information. Instead, forty-eight states have passed varying laws regarding data security, which themselves have different, and sometimes incompatible, provisions on the type of information that deserves protection. These vastly contrasting state laws and piecemeal federal laws must also be viewed against the recently enacted General Data Protection Regulation (GDPR), which protects all personal data of residents of the EU. This is all a long way of saying there are a number of factors that go into what needs to be done to protect the data you as a company are collecting. When in doubt, encrypt your data – it is a solid first step towards security compliance.
Step 3 – Prepare an incident response template. You don’t want to be surprised when the inevitable breach occurs. One way to approach this inevitability is to have a canned data breach response ready to go in the unfortunate event that a breach happens.
Step 4 – Notify the right people when a breach occurs. When in doubt, report the possible breach. Just like with protecting data, responding to a data breach requires a strong team. Legal will know what regulators, if any, need to be contacted, along with the timeline mandated for advising consumers of the breach and what information must be disclosed about the breach. IT must be involved to address the breach, identify the penetration point, and ensure that any holes are patched to avoid further data breaches. Public relations is brought in to publicly respond to the breach, and assuage consumer concerns on a going-forward basis.
Step 5 – Be transparent with your customers. The GDPR provides helpful guidance on the issue of transparency, and recommends that businesses “empower data subjects to hold data controllers and processors accountable and to exercise control over their personal data.” Clear and plain language is encouraged in both the disclosure of data protection policies, as well as in response to any breach. While this isn’t law for US-based consumers, it is a strong guiding principle that every business should strive towards.
Data security toolkits are available pretty much everywhere nowadays, but as with any transaction, you need to evaluate the quality of the offering and compare it to your business needs. A very basic guide is available through the FTC, which, while a good start, still requires that you identify the necessary vendors to help you through your data minefield. The other thing to keep in mind when going through this process is that having these tools in place is only part of your obligation as a business owner. You also need to actually monitor and enforce your compliance with these data protection policies. Absent enforcement, you will be stuck with an empty shell of a policy that has only a token effect without any true protections for your customers. Another option to consider when evaluating the likelihood of a data breach within your business is the purchase of cyberinsurance. Most standard corporate liability policies will not cover data breach exposure, which places the potentially expensive burden of compliance squarely on your company. Whatever action your business chooses to take with respect to the protection of data, recognize that an upfront investment in privacy tools will help reduce the overall risk to your organization, as well as to the customers whose data you are protecting.
Previously Published: Arizona Republic ‘Your Turn’ Column June 21, 2018