By Jennifer M. Barbour, Middleton Reutlinger, Director
No business, regardless of size or function, is immune to the dangers of a cyberattack. While most news coverage of data breaches involves big players like Equifax, Facebook and Target, a significant portion of all cyberattacks target small to mid-sized businesses. Even cities, like Atlanta, Newark and, most recently, Lake City, Florida, have been subject to crippling attacks. And, according to a 2018 IBM report on cybersecurity resilience, 77 percent of business leaders admitted that they don’t have a formal cybersecurity incident response plan (CSIRP) that’s applied consistently in their organization.
Data at risk
The first step to protecting your business is to understand its risks and vulnerabilities. This includes understanding the data your business handles. The more sensitive the data, such as social security numbers, medical information or credit card numbers, the higher your risk can be.
It also requires you to understand how you store your data and how it can be accessed. To find out if your data is reasonably protected, you can hire IT consultants who are knowledgeable about cybersecurity attacks. They can also recommend ways to monitor your system and data for cyberattacks.
Once your risks and vulnerabilities are determined, reach out to someone to assist you in developing policies and procedures to minimize those risks and vulnerabilities. You should have clear guidelines on how to maintain, access, and transmit data that contains sensitive information. These policies should implement safeguards for avoiding improper access to data because of malware or ransomware. It’s important to work with an attorney to help your company or organization create thorough and implementable policies in order to protect customer data.
The next step is to communicate these policies to your employees. Your employees should also be advised that your business is committed to protecting sensitive data, and that employees will be disciplined if they intentionally or negligently mishandle data.
You also need to outline what will be done in the event of a data breach. You don’t want to be deciding what to do in the middle of a crisis. Businesses should have an incident response plan developed in advance for a cyberattack or breach, including clear policies and procedures about what to do. Often, this includes naming a response team consisting of leadership personnel, IT, and legal counsel.
When a data breach occurs, early involvement of your incident response team, outside counsel, and forensic investigators is often necessary. Most states have laws and regulations requiring notification of affected individuals on tight time schedules, so you have to be able to determine quickly who was affected and what data was compromised.
Law enforcement should also be involved early in a data breach. Businesses should keep in mind that in this age of global commerce, the law applicable to any given affected individual can vary depending on where the individual resides. Just because the data was stored in Kentucky does not mean only Kentucky law applies.
Legal counsel, such as that at Middleton Reutlinger, can assist you in complying with the myriad laws that may be applicable to your company in the event of a breach. Legal counsel may also advise you to offer mitigation services, such as credit monitoring and identity theft protection to affected individuals.
Finally, data privacy insurance is available, although it typically requires purchase of a rider. Inquire with your insurance agent about policies available. Typically, these riders are inexpensive, but need to be selected with your specific needs in mind.
In future articles, we will address other hot button legal issues that could affect how you do business. Stay tuned!