The massive data breach at Equifax has focused attention on the substantial risks for businesses that collect, store, use, and share personal information.  The CEO of Equifax resigned and the long term viability of the company is being questioned. While the full impact of the breach and its ramifications for individuals whose personal information has been compromised remains unknown, there are valuable lessons to be learned on how to prepare for a data breach.

It is not a question of whether or not your business will experience a data breach. It is just a matter of when and how often.

Are you ready? No matter what the size of your business, you should have adequate safeguards and security systems in place to protect against any unauthorized access to and use of your data.

In collaboration with the Minnesota Department of Employment and Economic Development Gray Plant Mooty has recently published  A Legal Guide to Privacy and Data Security.  Here are some steps to mitigate risk and be better prepared when you discover that someone has accessed your system or network without authorization.  See pages 129-145 of the Guide for a more detailed discussion of best practices and tips for your business to take before any breach.

  1. Know Your Data. What personal information do you collect, store, use and share? Is all of the information that you collect and store necessary for the services you provide? Where is personal data stored and what steps are taken to keep it secure? Does any of this data come from outside the United States? What federal, state, or global laws apply to the data you collect? Are there any laws that apply based on your business or type of information? 
  2. Update Policies and Procedures. What corporate data privacy and security policies and procedures are in place? When were these policies last updated? What about the privacy policy and terms of use on your website? Are your written policies and procedures consistent with actual business practice? Do you have appropriate record retention, email retention, and destruction policies?  
  3. Train and Educate. Even the best firewalls and secure technology can be overcome by an employee who falls victim to a "phishing" attack. Are your employees educated and trained on ways to avoid introducing malware into your system and networks?
  4. Vendor Management. When I recently asked a panel of Privacy Officers what kept them up at night, the most frequent response was vendor and supplier access to their system. Scrutinize the privacy and data security practices of your vendors and make sure you get appropriate obligations and protections in your vendor agreements. 
  5. Insurance. Cybersecurity insurance is available to cover many of the costs you might incur in the event of a data breach. Make sure that coverage is sufficient and includes the costs of legal counsel, computer forensics, remediation, notification costs, public relation costs, and litigation costs if necessary to defend against government or private actions. What choices do you have in selecting advisors? To avoid a rejected claim, do not simply check the boxes in application when identifying your current data privacy and security practices. 
  6. Incident Response Team and Plan. Do you have a written incident response team and plan? Prepare for a potential data breach by creating a response team and plan. Identify individuals and the specific role and activities they will perform. Who is in charge of the team and plan?  Resolving a data breach is a team sport. Team members should have expertise in data privacy and security law, information security, computer forensics, public relations and communications.   Legal counsel must be involved early to determine if the unauthorized access is a notifiable breach based on any state or federal laws and to preserve attorney client privilege for any computer forensics investigation. Counsel will also help determine if law enforcement should be called. If outside vendors for legal services, computer forensics, or public relations will be involved, add them and their contact information to the team plan. Perform a tabletop exercise like a fire drill and review and revise the team plan as necessary.  
  7. Privacy Compliance and Information Security Program. All businesses should have adequate safeguards and systems in place to protect personal data in their possession and a process to systematically handle any unauthorized access or data breach. There are a number of security standards and frameworks that can be followed such as those released by the National Institute of Standards and Technology (NIST) of the International Standards Organization (ISO). If you handle or store credit card data you may be required to comply with the standard known as PCI-DSS. Your privacy compliance and information security program should be customized to your specific business based on the type of information you collect, store and share.
  8. Encryption. One of the basic steps to mitigate risk is to encrypt the data. Most data breach notification laws are not triggered to the extent data is made unreadable via encryption. Businesses should be sure to encrypt any personal data transmitted over unsecured networks.
  9. Limit Access. Use multifactor authentication and limit access to only those who need to access the data for a specific purpose.
  10. Limit Data Collected. Only collect and store personal information that you need. Is all of the information that you collect and store necessary for the services you provide? Do you collect and store social security information and if so for what purpose?  What about credit card data? The collection and storage of unnecessary personal information is an invitation to potential liability.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.