According to a March 2011 Ponemon Institute post, the average breach notification incident costs $214 per compromised record and an average of $7.2 million per data breach event. If your business — large or small — collects personal information, you are a target.
Failure to take reasonable measures to protect your customer and employee information risks significant business losses, reputational damage, and the wrath of the courts and enforcement agencies. Especially vulnerable are startup companies, whose resources can be wiped out by even the slightest hack.
So…what to do?
This article outlines the legal requirements when an organization detects a security breach, gives an overview of incident response planning and provides tips for preventing and responding to security breaches. Following are a few basic suggestions to mitigate the risk of a breach:
- Inventory and audit systems that store personal information then secure them;
- Limit vendor and employee access to personal data;
- Prohibit, if possible, downloading of personal data (e.g. to flash drives);
- Encrypt personal information and login credentials whenever possible;
- Regularly purge data that is no longer needed.
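The first and last items on that list (inventory the systems that hold personal information, and purge what is no longer needed) are easiest to keep honest with a small audit script. The following Python is an added example written for this article, not code from the original post or any product it mentions. Everything in it is constructed: the records, the `enc:` ciphertext marker, the 365-day retention limit and the audit date are hypothetical placeholders standing in for your own data store and policy. It scans every string field of each record for cleartext Social Security numbers (so PII hiding in free-text notes is found, not just the obvious column), skips values already marked as encrypted, and lists records that have outlived the retention window so they can be purged.

```python
import re
from datetime import date

# Constructed sample data store for a hypothetical business; every name,
# number, note and date below is made up for this example.
RECORDS = [
    {"id": 1, "name": "Ann Example", "ssn": "123-45-6789",
     "notes": "", "last_used": "2010-01-15"},
    {"id": 2, "name": "Bob Example", "ssn": "enc:v1:Q0lQSEVSVEVYVA==",
     "notes": "", "last_used": "2011-02-01"},
    {"id": 3, "name": "Cy Example", "ssn": "",
     "notes": "called re: acct, ssn 234-56-7890", "last_used": "2008-06-30"},
    {"id": 4, "name": "Di Example", "ssn": "",
     "notes": "no sensitive data", "last_used": "2011-03-01"},
]

RETENTION_DAYS = 365                  # hypothetical retention limit
AUDIT_DATE = date(2011, 4, 1)         # constructed "today" for the audit run
ENC_PREFIX = "enc:"                   # hypothetical marker for ciphertext values
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def find_cleartext_ssn(record):
    """Return the names of the fields in which an SSN appears in cleartext.

    Every string field is scanned, so PII buried in free-text notes is caught
    as well as the dedicated column. Values carrying the ciphertext marker are
    treated as encrypted and skipped.
    """
    hits = []
    for field, value in record.items():
        if not isinstance(value, str) or value.startswith(ENC_PREFIX):
            continue
        if SSN_RE.search(value):
            hits.append(field)
    return hits


def is_stale(record, today=AUDIT_DATE, retention_days=RETENTION_DAYS):
    """True when the record has not been used within the retention window."""
    last_used = date.fromisoformat(record["last_used"])
    return (today - last_used).days > retention_days


def audit(records, today=AUDIT_DATE, retention_days=RETENTION_DAYS):
    """Inventory findings: where cleartext PII lives and what is past retention."""
    findings = {"cleartext_pii": {}, "stale": []}
    for record in records:
        hits = find_cleartext_ssn(record)
        if hits:
            findings["cleartext_pii"][record["id"]] = hits
        if is_stale(record, today, retention_days):
            findings["stale"].append(record["id"])
    return findings


def purge_stale(records, today=AUDIT_DATE, retention_days=RETENTION_DAYS):
    """Return only the records that survive a retention purge."""
    return [r for r in records if not is_stale(r, today, retention_days)]


if __name__ == "__main__":
    print(audit(RECORDS))
    print("kept after purge:", [r["id"] for r in purge_stale(RECORDS)])
```

Run against the sample data, the audit reports cleartext SSNs in record 1 (the `ssn` column) and record 3 (buried in `notes`), flags records 1 and 3 as past retention, and the purge keeps only records 2 and 4. The point for the breach-notification discussion that follows is the encrypted record: if only values carrying the ciphertext marker remain in the store, a compromise of that store is far less likely to trigger the "unencrypted personal information" condition most statutes use.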
For additional information, review the FTC’s guide for businesses on protecting personal information.
The Legal Landscape
Most breach notification statutes are only triggered when unencrypted personal information is compromised. Thus, data encryption of personal information should be a key component of a business’ risk mitigation strategy. In Minnesota the applicable statute is 325E.61. My explanation of the legal landscape centers on Minnesota’s law. California, however, led the way in 2003 and most states modeled their laws after California’s statute; as of this writing, more than 35 states have enacted breach notification statutes.
Minnesota’s statute requires disclosure of any breach of unencrypted personal information following discovery of the breach. Disclosure must be made in the most expedient time possible. There are two exceptions: a business can delay notifying affected persons of a breach if notice would compromise a law enforcement investigation, or if the delay is necessary for the business to secure the data system and thereby avoid additional breaches. Minnesota’s statute, which is similar to many other state statutes, also defines personal information, which includes your customers’ names in combination with Social Security numbers and myriad other data elements.
1. If your company operates in multiple states you need to take heed of their laws. Although the laws between states are similar there are maddening differences. For example, notice of a breach to certain state agencies must occur under some statutes, and different state agencies have to be notified if the breach involved financial and medical records. Additionally, some state statutes specify that notice must occur within X days (e.g. 10) after discovery of a breach.
2. Although there is no federal data breach statute, the Federal Trade Commission is active in the space. Citing FTC Section V, the federal government has brought enforcement actions and obtained settlements where businesses failed to take reasonable measures to protect personal information.
3. Your incident response plan should address the strictest of applicable state data breach notification laws regardless of whether your principal place of business is in that state.
Incident Response Plans
Proactive incident response planning can minimize the impact of a breach. Companies would do well to ensure their plans provide for timely reporting of incidents to the person in the organization responsible for implementing the response plan and making notification decisions. It is therefore key that your organization have an incident notification and response policy in place. Good policies address:
1. The requirements of the laws of all states that apply (i.e. the states where your customers are located), not just the laws of the state where the company is located;
2. The actions your company will take if a data breach occurs;
3. The events that trigger a notification requirement and the form of notice;
4. The agencies (e.g. credit bureaus, state governments, state law enforcement or the FBI) that need to be notified about the security breach;
5. The number of days, where applicable by statute, within which notification of the security breach must be provided; and
6. All information to be included in the customer notices.
For additional information see the California Office of Privacy Protection publication on Recommended Practices on Notice of Security Breach Involving Personal Information.
Cultivating a “culture of privacy” along with good data practices is the cornerstone of risk mitigation. Your business should not collect information in the absence of a legitimate business need, and it should maintain short data retention timelines, rigorous access limits and encryption of the information it does hold.
Your business should consider conducting a privacy audit and inventory annually. Your organization can conduct an internal audit or engage an expert to provide an independent review. Consider too retaining counsel to assist with your data breach response planning and to advise in the event of a breach.
Although I hope your company will never incur a data breach, if you do I advise against trying to cover it up. Transparency should be a governing principle of your incident response plan. This includes providing notices not only to your customers but also to law enforcement agencies.