Posted on behalf of Sayer, Regan & Thayer, LLP on Wednesday, December 5, 2018.
By Peter Regan
Sayer, Regan & Thayer, LLP
Data breaches make headlines when they occur on a large scale. Think Target stores or Equifax. But virtually any business that relies upon and stores data is at risk of being hacked. Few companies are immune to the threat of cybercrime, as increasingly sophisticated criminals seek out data that does not belong to them.
A data breach is defined as an event in which an individual’s name, medical or financial record, or credit information is potentially put at risk, either in electronic or paper format. Bank account information, customer records, Social Security numbers, and credit card numbers make appealing targets for cyber criminals. Some of the most heavily targeted businesses include financial services, healthcare providers, manufacturers and retailers.
The Identity Theft Resource Center estimates that, in 2016, U.S. businesses and government agencies suffered 1,093 data breaches, a 40 percent increase from the previous year. In the 2017 Cost of Data Breach Study conducted by IBM and the Ponemon Institute (June 2017), the average total cost of a data breach was $3.62 million, and the average cost per lost or stolen record was $141.
The liabilities that a business may face as a result of a cybersecurity breach, as well as the way in which a company handles the incident, are wide-ranging and serious. Corporate leaders whose businesses deal with personal data or any other materials that may make them the target of a cybersecurity attack need to educate and prepare themselves both to defend against a potential breach and to coordinate the response that follows one.
Take Preemptive Steps
The first step that corporations should take is to prevent breaches from happening in the first place. A good starting point for any corporation is to ensure that its current security is up to par with current best practices. Because of the increasing frequency of cyberattacks in the last few years, many technology consultants are available to assist corporations in shoring up their defenses and in making sure they meet the applicable statutory standards.
All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information. Security breach laws typically have provisions regarding who must comply with the law (including, but not limited to, businesses, data and information brokers, and government entities), definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.), what constitutes a breach (e.g., unauthorized acquisition of data), and requirements for notice (including timing and method of notice, and who must be notified).
It is important to note that some states make exemptions for encrypted information, which is considered less likely to be usable by hackers. Such exemptions are typically conditioned on the encryption key not also having been compromised, so encrypting stored data is only as protective as the handling of the keys that unlock it. All the more reason to bolster security across your computer network.
Prepare in Advance
When a data breach occurs, it sets in motion a complex barrage of administrative, regulatory, legal, and enforcement entities governed by laws and regulations that vary by state. One thing is certain: company executives, legal advisors, technical people, and security teams must collaborate and coordinate to create an effective response. This calls for planning in advance, including the creation of a “playbook” of steps to be taken in the event of an incident.
If a security breach is attributable to a failure by a company to take reasonable steps to implement a robust security architecture, the consequences and costs may be more serious. Appropriate measures (technical and organizational) must be taken by data controllers against unauthorized or unlawful access to personal data and against accidental loss or destruction of personal data.
Increasingly, the risks extend to corporate management and board of directors. According to Corporate Board Member magazine, “boards face significant indirect legal risks. For example, public company boards are under increasing pressure from the SEC to oversee cyber risks.”
If your business holds customers’ personal data, it may be vulnerable to data breaches by hackers who seek to steal personal information and use it fraudulently. The “digital theft” of such valuable information could then lead to liability claims made against your company, putting your reputation in serious jeopardy and resulting in serious financial costs.
Peter Regan, Esq. is a Partner at Sayer, Regan & Thayer, LLP. He can be reached at 866-378-5836 or via email at firstname.lastname@example.org.
These materials have been prepared by SRT for informational purposes only and are not intended and should not be construed as legal advice.