Data security breaches, when data is released to or accessed by unauthorized individuals, have been all over the headlines. The recent crises experienced by Sony, Target, Michael’s, Canada Revenue Agency, and others are hard to ignore, as are the growing number of privacy breach class actions.
Many security experts say it is not a matter of whether your company will have a security breach, it is a matter of when it will occur and how much damage your company will sustain. To my mind, there are really two key questions for inside counsel:
1. What can I do to minimize data breach risk in my organization?
2. How should I respond to a data breach if and when it occurs?
I have distilled the answers to these questions into two checklists to get you started.
Minimizing data breach risk
1. Comply with industry, national, and/or international IT security standards. For example, the Payment Card Industry Data Security Standard is a must for any organization that handles cardholder information for the major debit and credit cards. The International Organization for Standardization and International Electrotechnical Commission has a growing family of standards on IT security techniques that are prepared by international experts in data security. The U.S. National Institute of Standards and Technology has recently published a framework for improving critical infrastructure cybersecurity.
Even if your organization cannot become fully compliant with such standards, you should borrow from them any risk minimization strategies that are feasible for your organization.
2. Use encryption and other advanced technologies where possible.
3. Accept that cybersecurity technologies are not foolproof. People, practices, and technology need to be used together to boost cyber-defences.
Indeed, comprehensive security standards do not simply deal with technology. For example, ISO/IEC 27001: 2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization. The related Code of Practice for Information Security Management (ISO/IEC 27002) contains 11 areas of guidance, including asset management, human resources security, and business continuity management.
4.Train employees about data breach risks and best practices, including password management, protecting encryption keys, updating software, and how to detect suspicious activities.
Many of the recent media-worthy data breaches in Canada have been caused by human error. For example, in 2013, Human Resources and Skills Development Canada lost a portable hard drive containing unencrypted personal and financial information, including Social Insurance Numbers and birth dates, of more than 500,000 people who took out student loans and 250 employees.
5. Negotiate key contract terms with your third-party service providers, including covenants on the following issues:
a. Compliance with privacy laws and with your chosen data security standards;
b. Ongoing audit rights;
c. Ownership of your data, access to your data, and permitted uses by the service provider;
d. Data breach notification and investigation rights (you cannot respond to a breach if your cloud service provider does not tell you that your customers’ personal information has been compromised);
e. Retention rules and procedures for implementing a legal hold in the face of a pending law suit or investigation;
f. Parameters for termination for breach;
g. Rights to obtain all of your information on termination;
h. A procedure for ensuing deletion of confidential and personal information from the service provider’s systems.
Finally, when shoring up defences, explore cyber-liability insurance. Traditional general liability, directors and officers, and errors and omissions policies may not provide coverage for losses arising from a data breach. There are, however, insurance products available that cover both first-party losses and third-party liabilities arising from a data breach.
Data breach response checklist
When a data breach occurs, you should implement your data breach response plan. If you do not have one, take at least the following steps:
1. Bring together your data breach response team, which should include IT, legal, management, IT forensics, and, if warranted, public relations.
2. Do not power down your systems. Shutting down your systems could destroy valuable, volatile data and hamper the breach investigation.
3. Gain an understanding of what is considered sensitive data in your organization and where it resides.
4. Interview those involved in discovering the breach and, if warranted, bring in a forensics firm to begin an in-depth investigation, delete any hacker tools, and address any immediate security gaps.
5. Determine whether you have any legal notification obligations (for example, privacy regulators or insurers).
6. Even if you do not have any notification obligations, consider whether you want to notify customers whose data was compromised, privacy regulators, and/or law enforcement.
7. If the breach related to financial information, consider whether to offer free credit monitoring. The Journal of Empirical Legal Studies published a paper in its March issue wherein researchers conclude the odds of a firm being sued are 3.5 times greater when individuals suffer financial harm, but six times lower when the firm provides free credit monitoring.
8. Document your learning from the incident.
9. Address any longer term security vulnerabilities.
10. Prepare a data breach response plan for next time!
Kelly Friedman is a partner at Davis LLP. If you would like more information on data breach issues, contact her at [email protected].
Many security experts say it is not a matter of whether your company will have a security breach, it is a matter of when it will occur and how much damage your company will sustain. To my mind, there are really two key questions for inside counsel:
1. What can I do to minimize data breach risk in my organization?
2. How should I respond to a data breach if and when it occurs?
I have distilled the answers to these questions into two checklists to get you started.
Minimizing data breach risk
1. Comply with industry, national, and/or international IT security standards. For example, the Payment Card Industry Data Security Standard is a must for any organization that handles cardholder information for the major debit and credit cards. The International Organization for Standardization and International Electrotechnical Commission has a growing family of standards on IT security techniques that are prepared by international experts in data security. The U.S. National Institute of Standards and Technology has recently published a framework for improving critical infrastructure cybersecurity.
Even if your organization cannot become fully compliant with such standards, you should borrow from them any risk minimization strategies that are feasible for your organization.
2. Use encryption and other advanced technologies where possible.
3. Accept that cybersecurity technologies are not foolproof. People, practices, and technology need to be used together to boost cyber-defences.
Indeed, comprehensive security standards do not simply deal with technology. For example, ISO/IEC 27001: 2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization. The related Code of Practice for Information Security Management (ISO/IEC 27002) contains 11 areas of guidance, including asset management, human resources security, and business continuity management.
4.Train employees about data breach risks and best practices, including password management, protecting encryption keys, updating software, and how to detect suspicious activities.
Many of the recent media-worthy data breaches in Canada have been caused by human error. For example, in 2013, Human Resources and Skills Development Canada lost a portable hard drive containing unencrypted personal and financial information, including Social Insurance Numbers and birth dates, of more than 500,000 people who took out student loans and 250 employees.
5. Negotiate key contract terms with your third-party service providers, including covenants on the following issues:
a. Compliance with privacy laws and with your chosen data security standards;
b. Ongoing audit rights;
c. Ownership of your data, access to your data, and permitted uses by the service provider;
d. Data breach notification and investigation rights (you cannot respond to a breach if your cloud service provider does not tell you that your customers’ personal information has been compromised);
e. Retention rules and procedures for implementing a legal hold in the face of a pending law suit or investigation;
f. Parameters for termination for breach;
g. Rights to obtain all of your information on termination;
h. A procedure for ensuing deletion of confidential and personal information from the service provider’s systems.
Finally, when shoring up defences, explore cyber-liability insurance. Traditional general liability, directors and officers, and errors and omissions policies may not provide coverage for losses arising from a data breach. There are, however, insurance products available that cover both first-party losses and third-party liabilities arising from a data breach.
Data breach response checklist
When a data breach occurs, you should implement your data breach response plan. If you do not have one, take at least the following steps:
1. Bring together your data breach response team, which should include IT, legal, management, IT forensics, and, if warranted, public relations.
2. Do not power down your systems. Shutting down your systems could destroy valuable, volatile data and hamper the breach investigation.
3. Gain an understanding of what is considered sensitive data in your organization and where it resides.
4. Interview those involved in discovering the breach and, if warranted, bring in a forensics firm to begin an in-depth investigation, delete any hacker tools, and address any immediate security gaps.
5. Determine whether you have any legal notification obligations (for example, privacy regulators or insurers).
6. Even if you do not have any notification obligations, consider whether you want to notify customers whose data was compromised, privacy regulators, and/or law enforcement.
7. If the breach related to financial information, consider whether to offer free credit monitoring. The Journal of Empirical Legal Studies published a paper in its March issue wherein researchers conclude the odds of a firm being sued are 3.5 times greater when individuals suffer financial harm, but six times lower when the firm provides free credit monitoring.
8. Document your learning from the incident.
9. Address any longer term security vulnerabilities.
10. Prepare a data breach response plan for next time!
Kelly Friedman is a partner at Davis LLP. If you would like more information on data breach issues, contact her at [email protected].
