“It will never happen to us.”
That misperception puts businesses at risk for data breaches, experts say.
“The most common mistake is assuming your company won’t be breached because you’re not a large, multi-national company similar to the ones whose breaches are covered by the national media,” says Ari Bai, shareholder at Polsinelli. “In reality, however, every company is a target. Hackers, be they individual vigilantes, criminal organizations or nation-states, look for any and all data, and often the most accessible is that in smaller companies. Plus, small companies make for good ‘practice’ for hackers. Thus, when a company ignores the risk and does not set forth the proper protocols for protection and response, it is essentially asking to be breached.”
The 2015 Association of Corporate Counsel (ACC) Chief Legal Officers Survey revealed that one quarter of general counsel report their companies have been hit by data breaches. And according to the 2015 Cyberthreat Defense Report, more than seven in 10 respondents said their networks were breached in 2014, up from 62 percent in 2013. The average cost of a data breach in 2013 for companies in the United States was $5.85 million. The scariest part about the threat of a data breach is that experts agree there is no way to completely protect a business from becoming the victim of one.
“Once we develop a way to protect ourselves from something, the hackers are already using a new technique,” Bai says. “This is why preparation is so important. Liability for lack of preparation can financially devastate a company. You are going to get hacked — with preparation, you don’t have to lose lawsuits.”
Being prepared
Like any potential business catastrophe, limiting a business's risk of becoming the victim of a data breach starts with preparedness, according to Paul Stoller, shareholder at Gallagher & Kennedy.
“Every company should work with its legal professionals and IT staff to create and to implement a comprehensive data privacy and security plan, which will help to remove, or at least to reduce, the risk of many of the common causes of breach,” Stoller says.
Leon B. Silver, office co-managing partner at Gordon & Rees, says all companies, no matter their size, need to adopt data security as a core business practice throughout the organization and not look at it as something that is taken care of by one department or by an outside vendor.
“Policies on mobile devices, passwords and encryption are just part of an overall culture of data security awareness,” Silver says. “But be aware, a breach can happen.”
Heather Buchta, partner at Quarles & Brady, says business leaders need to engage in some internal due diligence and ask themselves these questions:
• What internal policies are in place to protect data?
• Is there a policy against removing devices from the business location?
• Is there a policy to encrypt data?
• Even more basic, what kind of data does a company have?
“Risk of a breach increases as the volume of data a company has increases and oftentimes the data wasn’t even used by the business,” Buchta says, “which is creating an increased risk for no business purpose.”
Despite a company’s best efforts to lower its risk of a data breach, Buchta says today’s hackers are getting more sophisticated and businesses always have the added risk of employee error.
“The risk really lies in what was done ahead of time to try and prevent a breach and how the incident is handled afterward,” she says.
After the breach
While a business can be proactive in taking the appropriate steps to minimize risk and in being well equipped to handle a loss or theft of data or information, there are no measures that provide a guarantee of security, Silver says.
“In fact, virtually every mid- to large-size company has already likely been breached, but the extent is either not known, or is not significant,” Silver says. “A big source of loss continues to be human error. That, coupled with continually evolving technology and more sophisticated theft/hacking measures equates to an ongoing need to stay ahead of the curve and simply arm yourself the best you can by adhering to and enforcing strict privacy policies following a thorough risk assessment.”
So what should you do if you’ve taken all the proper steps to reduce your risk of a data breach and your business is still victimized?
“The first thing is always to identify the source and to fix the issue that caused the breach so that there is not any further loss or theft of data,” Stoller says. “After that, the business needs to work with its IT professionals to investigate what caused the leak, to identify those persons who may be affected and to preserve evidence of what happened.”
Stoller says it’s also imperative to work with legal professionals to determine a business’s legal obligations after a breach, including notifications to affected persons and government agencies.
“Don’t delay in investigating and don’t delay in calling in the experts,” Buchta says. “Businesses should have an incident response plan and that plan should identify the key players to investigate and manage a breach — legal counsel, IT forensics, operations/HR, public relations and the executive team.”
Because experts say a data breach is almost inevitable, it’s crucial for a business to develop and enforce sound privacy policies, including a response plan should a breach or loss occur, Silver says.
“Such policies will also need to evolve over time as technology continues to improve,” he says. “The bottom line is to expect the unexpected, think ahead, keep thinking ahead, and do your best to prepare.”
Advice from experts
Here is what Valley legal experts advise businesses to do to lower their risk of a data breach:
Ari Bai, shareholder; and Nick Verderame, associate, Polsinelli: “Start preparing now. Bring in technical and legal help to assess your data and risk levels, create technical protections, implement company procedures to protect against leaks, educate your employees and leadership, organize annual ‘fire drill’ tests and prepare a reaction and notification procedure.”
Heather Buchta, partner, Quarles & Brady: “Know your business. Know what data you have. Have an incident response plan in place in advance to facilitate the handling of an event when it occurs. Note I said, ‘when it occurs,’ not ‘if it occurs.’”
Leon B. Silver, office co-managing partner, Gordon & Rees: “Begin by assessing risk, including the availability of special ‘cyber risk’ insurance, which is not just for hacking and may provide coverage for both investigation and response costs, as well as defense and/or indemnity for third-party claims.”
Paul Stoller, shareholder, Gallagher & Kennedy: “The best practice for a business is to create and maintain a comprehensive data privacy and security plan. That begins with an audit of the business’s data and the development of policies and procedures to manage its confidential information. Then, it is essential to train employees on both the policies and procedure and the potential threats to the data’s security.”