It's one of the hottest topics for in-house counsel, thanks to the countless data debacles over the past few months and years: Target, Neiman Marcus, Barnes & Noble, etc. Companies have sensitive data, hackers break in, and companies respond with mouths agape, including their in-house counsel, who know a lot about law and little to nothing about encryption and best practices.
We're not going to reassure you by saying, "no big deal," because it is a very big deal -- even if you're a technophobe, you need to have a data breach game plan for when the inevitable happens. Scott Vernick, partner at Fox Rothschild LLP, noted that in 2013, 90 percent of companies reported that they'd been hacked, reports Inside Counsel. "There are only two types of companies, those that have been hacked and those that don't know they've been hacked," he stated.
Need a primer on data protection and cybersecurity basics? Back in 2011, the ABA released a Data Breach and Encryption Handbook. Though it may be a bit dated now (tech moves fast), for those seeking an introductory overview, it's a good place to start.
And though password policies and discussing encryption technologies with an IT consultant are great initial small steps toward preventing a data debacle, it's not enough to hand it off to your tech guys -- you need to understand state-of-the-art security and the risks that your company is taking with consumer data.
Get Privilege Before Addressing the Crisis
When the inevitable data breach does happen, your first instinct might be to immediately reach for the phone to contact security experts. That's a great idea, but your best bet is to call for outside counsel that specializes in data security issues. As we recounted last year, data security practices are a growing trend in BigLaw for good reason -- by calling counsel first, and having them hire the experts, the work done to patch your leak may be covered by attorney-client privilege or the work product doctrine.
Plus, the BigLaw teams often have specialists that can deal with security, government inquiries, and class actions, all of which are issues you'll be dealing with if you have a big enough breach.
React in a Timely Manner
Whether the breach is localized (your company only) or global (an Internet-wide bug, like Heartbleed), you need to move quickly. As we noted when learning from Target's mistakes, hesitation can be your biggest sin. Having a game plan in hand will help greatly.
When it comes to global bugs, act quickly to put out the fire: check with IT to see if you are affected, patch the bug, and notify customers if any data was accessed in the breach.
These tips are a little general, but they're a good starting place for your company to develop its own game plan, a task that should be at the top of your list.