Barely a day passes without news of a major data breach perpetrated by outsiders who gained unauthorized access to sensitive personal information and intellectual property stored on company computers. In an age where practically every company collects and stores personal information about its consumers and employees, all businesses have to grapple with the difficult questions of how to safeguard their sensitive data, how to avoid a data breach, and how to respond to a data breach when one occurs. What's more, data breaches don't only come at the hands of foreign hackers, credit card thieves or even malicious employees. Often, it's plain old human error that results in data loss: a laptop stolen from a vehicle or backpack, an email attachment sent to the wrong recipient, a consultant losing a thumb drive or a webmaster accidentally posting sensitive material online. Below is a summary of current data breach notification laws and seven best practices to reduce your risk.

Data Breach Notification Laws

Forty-seven states (and D.C., Guam, Puerto Rico and the Virgin Islands) have enacted data breach notification laws that impose notification requirements, mandatory credit monitoring and other significant burdens on companies that lose control over data containing personally identifiable information, or "PII." The definition of PII differs by state, but generally includes a person's first name (or initial) and last name plus that person's social security number, state identification number, financial account number, medical information or other sensitive data. While data breaches that impact consumers tend to receive the most media attention, employee records are one of the largest sources of PII and the subject of many incidents. In addition, although the loss of intellectual property and proprietary company data may not trigger breach notification laws, the consequences of a breach involving valuable non-PII may be just as devastating for a company.

The Fallout From a Data Breach

The fallout from a data breach can be substantial. A recent report by the Ponemon Institute found that the average cost for each lost or stolen record containing sensitive information is $201 and the total average cost paid by organizations for a data breach is $5.9 million. Responding to a breach often requires diverting significant staff resources, hiring outside counsel to ensure compliance with state and federal laws, engaging a forensic computer expert to help contain the breach and protect against future incidents, paying outside vendors to notify affected individuals, providing credit monitoring services, and dealing with the press. Many breaches also lead to costly class action lawsuits and regulatory investigations. And a number of well-known brands have paid millions of dollars to settle regulatory complaints or court actions.

Seven Practical Steps to Prevent a Data Breach

Fortunately, there are practical steps that every company, big or small, can and should take to safeguard its sensitive data. While any company that collects, stores, processes or otherwise interacts with sensitive data or valuable IP is likely to have an IT security team that does its best to protect against outside intruders, one of the best ways to reduce risk is to raise awareness: educate employees about the laws surrounding sensitive data and equip them with best practices to avoid data breaches. Some of those best practices include:

  • If you don't need it, don't collect it. The best way to avoid a data breach is to avoid collecting PII in the first place. For example, do you really need an applicant's social security number just to conduct an interview? Are you sure you need that driver's license number?
  • If you don't need it, don't use it. Once you have collected sensitive data, always think twice before removing it from a secure location. Can you do your work without exporting a sensitive data field? Moreover, companies should avoid using social security numbers or other PII as employee identification numbers, access codes or for other non-essential purposes.
  • Implement technical controls. Sensitive data should be segregated and access to it strictly limited. Companies should encrypt sensitive data whenever possible, but employees also need to be trained about how encryption works and why it matters. In a world of Bring Your Own Device ("BYOD") and cloud-based storage, you should train everyone in your company to implement an effective password strategy.
  • Implement physical controls. While data breaches often elicit images of hackers gaining entry into a network, many breaches result from stolen computers and portable media. Employees must understand the need to lock doors, lock laptops containing sensitive data to desks, and lock portable media in desks.
  • Clean house often. Very often, companies store more data than they need, longer than they need it. Companies should create and implement document retention policies but, just as important, employees must understand the risks of having laptops and thumb drives with old data scattered about their offices and homes and the risk of failing to delete sensitive data when it's no longer needed.
  • Don't take it with you. Data is least secure when it is out of its secured home and in transit: coffee shops, hotels, subways and cars are notorious locales for stolen laptops and portable media. Employees should think twice before exporting their data, thrice before exporting sensitive data. Institute a take-what-you-need mentality when traveling with a laptop or other media.
  • Raise awareness. The best way to prevent a data breach is to make data security and privacy a part of the culture at your company. Your company should create clear policies that address data security practices, hold data security trainings, send periodic reminders about the importance of protecting sensitive information, post signs and hand out stickers as reminders, and spot-check workers, all with an eye toward encouraging compliance.

www.fkks.com

This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.