The Role of Legal Services Before and After a Breach
Data security breach litigation is quickly becoming one of the most talked-about issues in the legal world – and for good reason. From the high-profile squabbling between Target and its card-issuing banks over who’s picking up the tab from its massive customer information breach to the class-action lawsuit over Anthem’s record-breaking breach earlier this year, there is sure to be a lot more litigation over information security breaches in the years to come.
About a decade ago, the data broker ChoicePoint’s breach of more than 160,000 consumer records became the first case in which breach notification was legally required, thanks to a law passed by the State of California in 2003. Since that case, 47 states have established breach notification laws, all with different provisions, required actions and definitions.
The state of Connecticut is now leading the charge on more stringent breach laws, including shortening the window of time in which companies can disclose breaches without state scrutiny. Following Connecticut’s lead, eight other states have revised their breach notification laws with California and Illinois likely to amend their laws again by early fall.
Riding on the popularity of this so-called ‘second generation’ of breach notification laws, many legislators in Congress have banded together to work on a unifying national law on breach notification. It’s unknown whether a national requirement will ever come about due to the nature of states’ rights versus the authority of the national government, but that’s absolutely no reason not to prepare for such an event.
As time goes on and society becomes more and more digitally dependent, information security breaches should be treated as eventualities rather than possibilities. Make sure your company has processes in place dealing with breach notification, and more importantly, a plan to act on a data breach complete with actions to minimize business losses. While forming or taking a second look at that plan, consider the following:
- Examine and update contracts with third-party service providers and business consultants to make sure that their security measures are appropriate to the size, scope, industry and purpose of the information they hold on your company and your customers, and that those procedures are properly maintained.
- Review and update document retention policies to ensure that personal information is not retained, physically or on your servers, longer than necessary. Make sure that unnecessary records are destroyed in a secure manner.
- Run an audit on your own enterprise’s security measures to ensure that all information being collected and stored is appropriate and necessary in relation to running, maintaining and growing your business.
- Update your organization’s incident response policies to reflect the most current laws surrounding data breach notice deadlines for the states you do business in. Also make sure those updated plans include measures for free customer identity theft protection and fraud monitoring services as appropriate to your state’s breach requirements.
Stay prepared for a breach and work in conjunction with your organization’s general counsel to stay updated on breach notification procedures to ensure a proper response.