Protecting Your Data is Paramount – Preparing for a Breach is Reality
While the Internet, cloud, and mobile device revolutions have created vast opportunities to streamline, drive, and even evolve your business, they have also created an environment that is the equivalent of tap-dancing in a minefield. You have only to turn on the TV or open your email to see yet another story about a company paying out millions in fines and lawsuits because they had a data breach… or even just the POSSIBILITY of a data breach. While the big enterprise, retail, and financial corporations can absorb these costs, the list of SMBs that declare bankruptcy due to fines, penalties, and reputation damage, grows daily. Add to this that the threat is not just a hacker breaching your database, or a disgruntled employee airing the company dirty laundry or stealing intellectual property, but it’s also an unencrypted company laptop being stolen, social security numbers printed on mailing labels, or un-deleted data on a recycled computer… just to name a couple of recent events. In short, you need a good map of the minefield and a way to lessen the damage and pick up the pieces if you miss a step.
To start building the map and preparing for the worst, here are 5 important questions that your organization should be able to answer.
- Do you continuously monitor your network and partners for security breaches? Jimmy John’s data breach resulted from a compromised account of its point-of-sale system vendor. Jimmy John’s did not report how it learned of the data breach, but news of a breach often comes from the banks and financial institutions that issued credit and debit cards or law enforcement like the FBI. It is not enough to monitor your own networks. You must also pay attention to those of your business partners as well.
- How long will it take you to detect and stop a data thief? It took Jimmy John’s more than seven weeks to learn of the data breach, and another five weeks to contain or stop the theft of information. (In its September 24, 2014 press release, Jimmy John’s reported that it learned of the breach on July 30, 2014, and that the intruder stole data between June 16 and September 5, 2014.) Taking weeks, if not months, to learn of a data breach and then stop or contain it is not unusual. How long would it take your organization to stop a data thief?
- How quickly will you issue notice of the breach to affected customers? The National Conference of State Legislatures recently reported that 47 states and the District of Columbia have enacted laws requiring private and government entities to notify customers of security breaches of personal identifiable information. The notice requirements for your business must minimally be in line with those of local laws and preferably of a nature to keep your customers informed before they learn of the data breach from other sources. For instance, Ohio law requires customer notification of a data breach under certain circumstances “in the most expedient time possible but not later than forty-five days following … discovery or notification of the breach.” (Ohio Rev. Code § 1349.19.)
- Will there be regulatory fallout? Many states require that notice of a data breach be provided to the Attorney General, and requirements placed on an organization vary based on state laws and the type of breach. Target Corporation reported in its recent Form 8-K filing that its 2013 data breach has been the subject of investigations by state and federal agencies, including State Attorneys General, the Federal Trade Commission, and the Securities and Exchange Commission. So in addition to class action lawsuits brought by customers and lawsuits by business partners, your organization may also be defending an investigation or prosecution from state or federal agencies.
- How will your other business partners be affected? Just as Jimmy John’s was a victim to a business partner’s compromised security, so too is Jimmy John’s a potential security threat to its partners, e.g., franchisees, vendors, financial institutions, etc. You need to protect your business through insurance and appropriate contract language for indemnification from your business partners, but you must also adopt best practices to demonstrate your business takes data security seriously.
Need help answering these questions for YOUR company? Contact Us for a free consultation.