There is a good chance that you have heard about some major data breaches at companies all across the country over the last several years.
Major Data Breaches
If not, here is a refresher:
- When the movie The Interview came out – a comedy starring James Franco and Seth Rogen about bringing down North Korean dictator Kim Jong-un – Sony found itself on the wrong side of hackers. Tens of thousands of people had their personal information stolen, including many Sony employees. Not only did it cost time and money, but it also left a reputation blemish for a while.
- Target was also the victim of a major breach back in 2013, when 40 million customers had their personal information taken. In just one of the settlements the company had to make, they ended up being liable for $67 million to Visa alone.
- Then, there is the Anthem data breach, which affected nearly 80 million people.
- The final one I will mention is the OPM breach, in which the personal information of nearly 18 million current and former government employees was compromised.
In fact, according to the Identity Theft Resource Center, between 2005 and April 2016 there were 6,079 breaches and 862,527,023 records taken.
Ponemon Institute and Experian Survey
In addition to the scary numbers listed above, a recent cyber-security survey conducted by the Ponemon Institute and Experian found some surprising numbers of its own.
- 60% of surveyed business leaders thought that their employees did not know enough about protecting personal information.
- 55% said that they had a breach because of employee negligence.
In fact, if you want some solid proof of this, think about the Erin Andrews story. In that case, the hotel chain where Andrews was staying was liable in part for the actions of the ESPN host’s stalker because its employee did not know how to properly handle personal information and willingly gave out the guest’s room number.
What This Means
All of the above should be cause to give you pause. Data breaches cost businesses a lot.
- They cost actual money, both in liabilities to those whose information was stolen (think Target’s $67 million settlement with Visa) and in the cost of giving notice to employees and consumers.
- They cost legal fees and carry legal consequences, because there are many laws you must follow in order to avoid breaches and limit their damage.
- They cost time – from giving notice, to answering questions from consumers, employees and the press, to legal actions, etc.
- They cost reputation – because people hear about these stories and become wary of giving their own personal information to a company they are not sure they can trust.
Yet, despite everything we know about the harm data breaches cause, they are still happening all the time, with worse and worse consequences.
It seems like people are simply not doing enough to fix the problem.
There is really no reason for you not to take the proper steps to address these concerns. However, if the reason you aren’t doing enough is that you don’t know how, then hopefully the rest of this post will help you.
Before a Breach Occurs
You do not want to wait for a breach to occur before you start doing anything. You will save yourself a lot of legal and reputational trouble if you take all of the proper steps to protect information before a breach even occurs.
For starters, make sure you are doing all of the following even if you have never had a security threat:
Check Your IT Systems
Many breaches occur because of insufficient security measures. That is why you want to make sure your technology is secured in the manner most appropriate for your business.
If you do not have internal IT to help secure your system, think about bringing in outside help to make sure you are protected. Remember, you may not want – or think you can afford to – invest in this help now, but it will cost you a lot more in the long run if you do get breached.
Train Your Employees
As the Ponemon Institute and Experian survey points out, most employers are aware that their employees do not know enough about protecting personal information. They also attribute many of their own security incidents to negligent employees.
What this should tell you is that employees need more training in this area. If they are handling personal information – from point of sale all the way down to destruction of that information – then they need to be trained in how to properly handle it.
Redact and Encrypt Information
When you do keep information, make sure you properly encode, encrypt, or redact it. In fact, the more securely you keep it, the less likely it is that you will have problems later on if someone does get hold of it.
Some states set requirements for how you must protect information, and others only include unencrypted or unredacted information in their notice requirements. So make sure you know the law in your state.
Keep Information on a Need to Know Basis
As is always the case, the fewer people who know something, the less likely it is that employee negligence will be the cause of a problem. So, if you are collecting personal information, try to limit the number of people who have access to it.
Destroy Information Properly
At some point, you might decide to get rid of some of the personal information that you keep. If you decide to do this, make sure you do it properly.
Once again, you need to be aware of applicable laws. If the law dictates when or how you can destroy information, you need to make sure you are doing it correctly.
As Soon as You Notice a Breach Has or Potentially Has Happened
The second you notice an irregularity in your system, you should be taking steps to fix it. Here are some things you should do as soon as possible:
Catch Breaches Early
Monitor your systems. If you know what is normal for you, you will know what is not normal. This means that as soon as something out of the ordinary happens, you will spot it and be able to fix it.
Take Proper Steps to Curb Damage
Once you see something, do something. Talk to your IT experts to get the hack fixed. Investigate what happened. Then, start preparing for the next steps, which might include giving notice.
Talk to a Lawyer
Talk to a lawyer about what you should do now. Sometimes, you will need to have a police investigation before providing notice. Maybe the breach was caught early enough, or you protected the information well enough, that you don’t even need to provide notice.
The best thing to do, though, to make sure you are taking the right steps, is to get legal counsel when you think a breach has occurred.
The Aftermath of a Security Breach
After you have been breached and have taken the immediate first steps to fix it, you should start taking care of all your legal obligations, meaning providing accurate notice, as well as taking steps to make sure a similar situation does not happen again.
When a breach does occur, the odds are you will have to provide notice to anyone affected by it.
What notice is required – and how you provide notice – will be determined by state law. However, there are some pretty standard things we can say about what that state law will likely include.
You will likely have to provide written notice directly to the person the breach affected. That notice will probably say things like what information was taken, what is being done to protect it, and how the consumer can learn more information.
In bad breaches, where providing individual notice would cost a lot of money or would have to reach a great many people, you may be able to provide secondary notice, which will likely require you to notify major media outlets, post the notice on your website, and notify the major credit bureaus.
Again, though, the standards for secondary notice are dictated by state law, so it is best to get legal help when you are determining whether you can use it.
Once you have given notice, you may want to start preparing for any legal actions that might be taken against you.
Here, take into account financial concerns, as well as time and legal defenses.
Reputation Damage Control
If the breach is bad enough, it will garner some press. So, you will want to take some time to make sure you are on top of reputation control.
Finally, once this is all in your rearview mirror, make sure you evaluate and learn from the whole process.
There are a lot of legal and business considerations to take when it comes to protecting your employees’ and customers’ personal information. Don’t wait until a problem occurs to try to come up with a solution.
Talk to an employment lawyer, and perhaps an IT professional, in order to make sure you are taking the appropriate steps to protect and monitor the personal information that you collect. When you get rid of information, do so in the correct manner.
Then, make sure you have steps in place to spot hackers or breaches as soon as possible. If a breach does occur, talk to your employment lawyer as soon as possible to make sure that you get this delicate matter taken care of in the legally compliant manner that will best eliminate the negative consequences of a breach. Remember, the earlier you spot and correct a problem, the less damage it will cause.
Finally, when a breach occurs or periodically without a breach, evaluate your policies and procedures to make sure that you are continuing to do the best you can to protect any personal information you may have in your system, from employee files to consumer credit card numbers to anything else you might have in order to effectively run your business.