2014 has been dubbed by many as “The Year of the Data Breach.” While data breaches are not new, the recent slew of highly publicized retailer breaches has left companies wondering – If breaches can’t be prevented, why should we do anything different? The following list is based on audience comments and participation during our 2014 “breach mitigation and response” presentation series. In our experience, a bit of debunking goes a long way to help companies prioritize efforts to address data and IT-related risks.
Myth 1 – We don’t have sensitive data
If you have employees, business contacts, consumer website users or customers, then you have sensitive data that is regulated under a patchwork of laws and regulations.
Myth 2 – Data breach mitigation and response is an IT project
Yes, the IT staff implements technical and operational aspects of a company’s technology systems. But breach prevention and response is an ongoing process that is best addressed by multiple stakeholders. Management, lawyers and forensics experts also play a critical role in breach mitigation and response.
Myth 3 – IT and data risk management are not issues for management or the board
IT systems and data involve financial and reputational risks that affect the entire organization. Management sets the tone for the types of attention being given to these issues. And the Securities and Exchange Commission (SEC) recently warned that “boards who choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” Go to this Safeguarding Business Alert for more information.
Myth 4 – Outsourcing is a way to avoid responsibility for the data
Outsourcing may physically remove the data from the organization, but it does not remove the legal obligations of the organization that outsources. Whether moving data operations to the cloud or a hosting center, or using third party systems to collect or process information, outsourcing functions involving data assets raise new considerations in vendor selection and contracting.
Myth 5 – Our CGL policy covers us for data breaches
Commercial general liability (CGL) insurance policies provide businesses with a wide array of coverage, but companies can expect that claims based on data breach incidents uniformly will be denied under the new standard forms for CGL policies issued by ISO—the Insurance Services Office, Inc. Go to this Client Alert for more information.
Myth 6 – Our privacy and security officers have these issues covered for us
An internal structure that includes privacy and security officers is the foundation for any data privacy and security program. But they, alone, can’t “make” the company compliant, or “prevent” the company from having a breach.
Myth 7 – Our technology makes us compliant
The market is full of technologies that facilitate data privacy and security, but no one technology is or can make an organization compliant. A holistic strategy is needed to address data risk concerns from technical, legal and operational perspectives.
Myth 8 – Our employees already know what to do
User error is a major cause of data mishaps. Rapidly evolving information technologies and an assortment of hackers finding creative ways to attack have left many users in the dark about current best practices.
Myth 9 – Our IT policies are enough to address data breach mitigation and response
Organizations that do not have, or have not revisited, their privacy and security policies in the past year should do so now. The law continues to evolve at warp speed. New obligations are likely to have arisen, and employees need a guidebook on how to spot problems and who to call.
Myth 10 – Deleting the data and audit trails will keep us from having to notify anyone in the event of a data breach
Without sufficient technical information ruling out the possibility of a breach, companies often are placed in a position of over-notification. In addition, preserving this information may be a legal responsibility.
About Alicia Gilleskie
Alicia Gilleskie leads Smith Anderson’s Data Use, Privacy and Security Practice, and focuses her practice on regulatory and transactional matters involving technology, data privacy and security, licensing and outsourcing, Internet and other intellectual property and commercial matters. Alicia’s clients range from start-ups to Fortune 100 companies in the software, IT, software-as-a-service (SaaS), life sciences, healthcare, Internet, retail, and data hosting industries.
On the regulatory side, Alicia provides counseling on matters such as HIPAA and business associate agreements, Smart Grid technology, FTC Act, GLBA, COPPA, FCRA, FACTA, PCI DSS, audits and investigations, and the creation of policies and procedures. She has handled a myriad of data breach response matters under federal and state breach notification laws. On the transactional side, Alicia’s work includes technology contracting and collaborations involving data hosting, cloud computing and SaaS platforms, health information systems and exchanges, payment processing and IT development and commercialization.