Don’t be the next Target
Attorneys general for many states have been leveraging breach notification laws to investigate poor data-security practices. While we will not delve too deeply into specific data-security practices here, know that cyber intrusions into businesses of all varieties and sizes are increasing, and we highly recommend that you continually monitor and review your company’s data security.
As a keeper of PII, you have two basic data security obligations: (1) to provide reasonable security for such data, and (2) to warn potentially affected parties in the event of any data breach. For example, reasonable security measures—as defined by Massachusetts law—require a comprehensive, written information-security plan (WISP) that contains physical, technical and administrative safeguards appropriate to the company (based on its size, complexity, nature and scope of activities, and the sensitivity of the information it holds). The WISP must be reasonably designed to (1) ensure the security, confidentiality, and integrity of the covered information, and (2) protect against any anticipated threats or hazards to the security or integrity of that information.
A successful WISP will help to limit the liability faced by a company in the event of a data breach. Such a WISP will assign specific responsibility for the various components of the security plan. Once you identify the information assets that require protection (including any data that is outsourced), regular risk assessments should be conducted to evaluate threats, vulnerabilities and potential damages in the event of a breach or loss. The selection, development and implementation of security controls should be responsive to the risk assessment and address the physical, administrative and technical aspects of data protection. Due to the ever-evolving nature of the threat environment, it is recommended that you continually monitor the effectiveness of the WISP program and make adjustments, as necessary.
When assessing the various risk factors, keep in mind that threats to your data come in several forms, from the human threat—everything from malicious hackers to careless or dishonest employees—to technical threats, currently taking the form of viruses, worms, and spyware. Ask yourself how vulnerable your data is to each of these threats, what the extent of the resulting harm from a breach or loss might be, and assess the likelihood that a threat will exploit a vulnerability and cause harm.
While most states rely on risk-based controls, some go further in requiring the encryption of PII for any transmission of such data (including California, Massachusetts and Maryland). Massachusetts law takes this one step further by requiring any party storing PII to use firewalls, antivirus software, and up-to-date patch management. Encryption of data is viewed as a “best practice” and acts as a safe harbor in many respects, often eliminating the need to disclose data breaches to customers. Note that password protection does not equate to encryption. Where PII is redacted, the requirements for protection and/or notification in the event of a breach or loss are usually no longer applicable.
In the event of a breach or potential loss of PII data, immediately contact cybersecurity counsel to initiate an investigation. Such counsel will interface with the appropriate forensics and security experts and/or law enforcement under the protection of attorney/client privilege, shielding these necessary actions from potential discovery. Counsel will then be able to inform you of any applicable notification requirements that may accompany the breach or loss.