How to Prepare for a Data Security Breach Before It Happens

Don Hankins / Foter.com

Just days ago, Target released a statement confirming an information security breach affecting 40 million credit and debit card accounts.  Already, card information has reportedly flooded the black markets.  Several million usernames and phone numbers of Snapchat users were apparently leaked online this week.  It was reported that  Living Social, Evernote, and Adobe each experienced major data breaches in 2013, resulting in tens of millions of user accounts being compromised.  At least one commenter has estimated that the top five largest breaches alone in 2013 affected about 450 million user records.  If even large organizations with significant resources and tech-savvy IT companies cannot always prevent data security breaches, what are the odds your company will be 100% successful in avoiding a breach?  It seems almost irresponsible these days to assume that you can stop every attack indefinitely.  Instead, we must face the reality that an information security breach is possible, and therefore take steps now to address the risk. 
 
In April, I wrote a blog post for the North Carolina Business and Banking Law Blog on this topic.  You can read the full piece here.  Below are some key points to consider:

• Approximately 46 states and the District of Columbia have data breach notification laws.
• Data breach notification laws usually require a company to notify the affected customers, the attorney general, and the consumer reporting bureaus.
• Breaches affecting a small number of customers may not be required to be reported to officials.
• According to the Identity Theft Resource Center, a nonprofit group that tracks data security breach reports, there were 447 (reported) data security breaches reported in 2012, covering 17,317,184 individual records.
• A study conducted by online risk management firm NetDiligence reported that in 2011, the average total cost to a company of a security breach was $3.7 million, with an average legal settlement cost of $2.1 million and average legal fees of $582,000.
• 26% of data breach lawsuits were brought against companies in the financial services sector, with 20% in the health care sector and 10% in the retail sector.

What can a company do now--before a breach--to address this risk?

• Commercially Reasonable Security Measures and Policies.  Companies should know the most common types of threats and take commercially reasonable measures to prevent them.  This should include adopting technological standards and complying with all applicable laws.  
• Adopt a Data Security Breach Response Plan and Train Staff.  Prepare now for how your company will respond to a breach.  Involve IT professionals and knowledgeable legal counsel.  Having a plan in place, and following it, can mitigate losses and help protect your company from subsequent liability if lawsuits result.
• Due Diligence on Third Parties.  Several recent major data security breaches have taken place within third-party vendors who had no direct relationship with the customer, and the customers typically sue the company with which they have a relationship in addition to the vendor.  Conduct a commercially reasonable due diligence process to ensure only responsible vendors are deemed eligible.  Knowing the right questions to ask is key.
• Well-Drafted Contracts.  Some risks of loss arising from data security can be reduced through well-drafted contracts with customers, third-party vendors or financial institutions.  Most of the proposed contracts I have seen presented to companies by third party vendors are woefully inadequate to protect the company if the vendor fails to prevent a breach of the company's customer data.  Involving competent legal counsel when entering into agreements with third-party vendors that will have access to your customer's information can save potentially millions of dollars down the road. 
• Cybersecurity Insurance.  A number of firms now offer insurance against losses arising from data security breaches, either as a separate line or as an addition to directors and officers liability insurance coverage.   This is another opportunity to spend a small amount that may ultimately save a company massive amounts later.

Given the enormous losses sustained as a result of the reported breaches, it is imperative that businesses recognize the risks presented by data security breaches and take steps to mitigate them before a breach occurs.