Did you know there were almost 125 million data breach cases in the fourth quarter of 2020? And in 2021, the average number of cyberattacks and data breaches rose to 15%? Thankfully, according to Statista, the number of cases is down to 52 million as of the second quarter of this year.
Betanews, a leading news provider in the IT space, reports that cybercriminals can penetrate an alarming 93% of the company networks. And that many security executives self-report that they aren’t prepared for future threats.
"Data breach" is a broad term that refers to a security violation where people steal protected, sensitive, or confidential data from a network. Private information gets copied, transmitted, or used by unauthorized individuals. Sometimes employees inadvertently commit data leakages or disclose information to people that shouldn't have it.
A data breach can have a massive impact on business. First, it can ruin your company's reputation, affect customer relationships, and impact your bottom line. It also creates financial risks and legal ramifications and, in extreme cases, can even lead to a business shutdown. That's why it’s crucial to set robust security measures to protect your company.
This article provides common sense legal advice for preventing and handling a data breach. None of the contributors to this article are lawyers, so for more detailed information and advice specific to your company you should contact your company's attorney, in-house counsel, or seek the advice of a legal expert.
A key step to protecting your business from data breaches is to recognize the laws that govern them, collectively referred to as Information Security (InfoSec) Law.
The Key Laws on Data Breach
InfoSec Law focuses on data protection. It also covers legal requirements for business security and addresses liabilities arising from security breaches.
There are a number of laws that together form the body of InfoSec Law. The most important InfoSec laws are:
- Sarbanes-Oxley Act: SOX was passed to protect investors of publicly traded corporations following the Enron scandal. It covers publicly traded corporations to address financial scandals. It seeks to address fraud in the finance departments of public companies.
- Gramm-Leach-Bliley Act: GLBA regulates the Banking, Financial Services, and Insurance (BFSI) industry. It sets privacy and security requirements for banks, creditors, and financial institutions.
- Federal Information Security Management Act: FISMA caters to federal agency information systems. It promotes security by setting viable programs. It also reports to the Office of Management and Budget.
- Fair and Accurate Credit Transactions Act/Red Flags Rule: FACTA focuses on consumer risk protection.
- Health Insurance Portability and Accountability Act: HIPAA caters to the healthcare industry. It seeks to protect the privacy and security of patients’ health information.
- Cybercrime Laws: Federal and state cybercrime laws prohibit unauthorized access to computer systems. They also penalize those who deliberately damage computer systems and spread malware.
- EU General Data Protection Regulation: GDPR seeks compliance from companies collecting personal data from citizens of the European Union and European Economic Area.
9 Legal Tips: How to Avoid and Deal with Data Breach
Let's get down to the nitty-gritty of data breach prevention and handling.
Data Breach Prevention:
They say that an ounce of prevention is worth a pound of cure.
Here’s how to avoid a data breach in your company:
1. Identify legal requirements and set clear data breach policies
David Aylor, Founder & CEO at David Aylor, believes that prevention is always better than cure. And this applies to data breaches.
Start by understanding the InfoSec law (refer to The Key Laws on Data Breach) and determine the legal requirements for your industry. Then, create data breach policies for your business.
Aylor added, "It’s better to meet legal requirements than to handle legal cases. We advise our clients to check legal requirements before making business decisions."
2. Orient and train employees on data breach laws and policies
Once you’ve set clear policies on data breaches, get your employees involved. They are on the front line performing day-to-day operations, and their actions will likely cause or prevent a breach.
Every newbie must undergo proper orientation on security laws. Train them to protect business data and customer information when performing their jobs.
Most importantly, ensure you conduct regular updates on data security. The goal is to remind regular employees and avoid habits that put their accounts at risk.
3. Restrict access to business data and customer information
There’s no denying the importance of cybersecurity in digital marketing and business. The last thing you want to happen is to leak data and information.
But when promoting products or services, your digital marketers expose information to target consumers. You also release data when dealing with stakeholders, be they employees, customers, or vendors.
To avoid a data breach, it is best to restrict sharing information. Determine data meant for public consumption; only allow such to reach your customers.
Only authorized personnel should have access to sensitive information. If you need to share such data with stakeholders, have confidentiality agreements ready.
4. Secure business networks and encrypt sensitive data
When it comes to data breach prevention, cybersecurity is crucial. This entails protecting your systems and networks from cyberattacks.
Aside from restricting data access, secure your online business against cyberattacks and encrypt confidential information so that it won't reach the wrong hands.
Here are some TFC security recommendations:
- Secure your systems and networks (firewalls, VPNs, data restriction, monitoring, and regular updates).
- Secure physical areas and limit access to authorized employees only.
- Create a breach response team (involve data forensics personnel and legal counsel).
- Stop the additional loss of data (like checking sensitive data posted on websites)
5. Have robust password management and authentication process
Data breaches usually happen due to weak passwords set by employees and management. As such, a strong password is crucial to your data security. It usually consists of letters, numbers, and non-alphanumeric characters.
There should also be a robust authentication process in place. Make sure to use two-factor authentication whenever possible. This requires users to enter the second piece of information for identification. Providing the correct information gives them access to the system.
Lastly, it’s best to use a password management tool for organization and data protection.
A data breach can strike anytime and anywhere. When it happens, follow our key steps below for proper handling. Here’s how to deal with a data breach effectively:
6. Start with incident reporting and urgent mitigation
Incident reporting is crucial. And when it comes to this, awareness is key.
But beforehand, you should train all employees to identify potential data breaches. More importantly, set mechanisms and procedures for incident reporting, investigation, and proper action.
Mark Pierce, CEO of Cloud Peak Law Group, suggests prioritizing the mitigation steps. "Mitigation includes fixing or closing vulnerable points and retrieving lost or misappropriated information. You also have to strengthen your current safeguards or add new ones.”
7. Conduct internal investigation
After incident reporting, the next step is to conduct an internal investigation. This vital process has two business objectives:
- Perpetrator Identification: It helps you identify the people legally accountable for the breach. It also assists you in determining the employees responsible for the vulnerability points.
- Security Improvement: It helps you see how a data breach happened, giving you insight into your business vulnerability points. That way, you can address them by fixing networks, training employees, and taking other preventative measures.
8. Report data breach with legal enforcement authority
The most crucial step is to report a data breach to the legal enforcement authority. It will conduct its own investigation and go after cybercriminals or other perpetrators.
Provide the legal enforcement authority with information from your ongoing internal investigation. Make sure to collaborate with them to expedite the case. Ultimately, this will help you identify the people legally liable for the data breach.
9. Have accountability for potential legal consequences
A data breach partly holds a business accountable for this. Why? Your company is responsible for securing your network and protecting your consumers’ information. So when a data breach occurs, you are partly to be blamed.
A responsible company takes full responsibility for any legal consequence. Also, you should perform the following:
- Notify the impacted vendors (for violation of confidentiality agreement)
- Inform the affected customers (for identity theft)
- Work with credit bureaus (for stolen social security numbers)
Ensure Data Protection and Avoid Legal Implications
There’s no denying the negative impact of a data breach on your business. Familiarize yourself with the InfoSec law and comply with the security regulations.
Keep in mind that prevention is always better than cure. Consider our recommendations on how to avoid data breaches in your business. But if ever confronted with such cases, follow our key steps to handling them properly.
Ultimately, your company must ensure complete data protection to avoid legal implications.