Data Breach Watch: Five Things General Counsel Should Do Right Now
Ransomware. DDOS. Phishing. State-sponsored cyber-terrorism. These are terms that corporations, large and small, have become all too familiar with, and as the list continues to grow, so too do the risks associated with them. Companies should assume that they either have been or will be the victim or target of a data breach – whether via a network hack, a lost or stolen laptop, or just a gullible employee. Here are five basic actions that are well worth taking now to protect your business.
1. Get your board involved. Make sure your board and senior management are appropriately focused on cybersecurity. They need to understand the gravity (and reality) of cyber and privacy risks, and support the allocation of appropriate resources to cyber and information security. Moreover, shareholder derivative litigation alleging breaches of fiduciary duty have been filed in this space, and you will want to show that reasonable care was taken to prevent and mitigate losses from cyber-attacks.
2. Review your insurance coverage. Do not assume that your existing policies will apply to significant data breaches. General policies now often exclude cyber-liability coverage so as to encourage the purchase of separate cyber policies. And even if you do have cyber-liability coverage, policy terms vary widely and may have detailed carve-outs.
3. Conduct a candid assessment. While it represents an up-front cost and may expose potential problems, a small investment now to identify and remediate security risks can avoid or limit exposure later. Demonstrating that you have taken reasonable steps with regard to cybersecurity, even if you are nonetheless hit by a successful attack, can provide a helpful defense. This covers everything from assessment of what data you maintain and how; policies, procedures, and training for employees; what your contractual and legal obligations are with regard to the data you maintain; and your physical, technical, and administrative security policies and procedures.
4. Prepare an incident response plan (IRP). When a data breach occurs, companies are often faced with a hectic and chaotic situation, resulting in unnecessary expense, hassle, and sometimes rash decisions that are regretted later. A pre-set IRP can minimize all of these downsides, by clearly identifying who is to be involved, which professionals to call upon (lawyers, forensics, credit monitoring providers, call center operators, etc.), and how to handle customer and public relations, complicated notice requirements, and coverage concerns. If you experience a breach, you may also face class action litigation and/or federal and state agency investigations. Having a counsel-directed plan that is easily executed can greatly enhance the likelihood of a positive outcome.
5. Under-promise and over-deliver. Avoid the temptation to boast about the extent and quality of your security controls, lest you be accused down the road of a misrepresentation. We are unaware of any perfect security, and even the most conscientious companies can be victimized.