By Ronald Breaux and Sam Jo
In its 2013 global data breach study, the Ponemon Institute reported that data breaches experienced by U.S. companies continue to be the second most expensive in the world at $188 per record. The study also reported that U.S. companies had the second greatest number of exposed or compromised records per breach at 28,765, resulting in an average total organizational cost of more than $5.4 million per data breach.
Maintaining a strong security posture, backed by a comprehensive and actually implemented privacy and data security plan, is the single most effective measure companies can take to mitigate the significant costs of remediating a data breach. Companies would be wise to consider the following suggestions when creating an effective privacy, compliance and data protection plan, or when revising an existing plan to account for changing laws, regulatory requirements and technological developments.
An important first step is to understand what type of information is being collected and what requirements applicable laws, regulations and other internal compliance policies impose.
Identify the Types of Information Collected and Processed
Under current U.S. laws, regulations and industry standards, the following commonly collected types of information require special handling and protection: personally identifiable information as defined in most state breach notification laws (typically an individual’s first name or first initial and last name in combination with a specified identifier such as an account number, Social Security number or driver’s license number); cardholder data as defined under the Payment Card Industry Data Security Standard (PCI DSS), which is a contractual industry standard rather than a law; and protected health information under the federal Health Insurance Portability and Accountability Act (HIPAA).
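To make these definitions concrete, the following is an added example written for this page, not code from the authors or their firm. It performs a first-pass inventory scan over a handful of constructed records and reports which ones contain PII in the combined sense described above (a name together with a Social Security number, a driver’s license number or a Luhn-valid account number) and which contain cardholder data (a primary account number that passes the Luhn check, which PCI DSS protects even when no name accompanies it). The record text, the regular expressions and the name heuristic are assumptions chosen for illustration.

```python
import re

# Constructed sample records, as might be exported from a CRM or ticketing
# system. Names and numbers are made up; the card numbers are standard
# Luhn-valid test patterns, not real accounts.
SAMPLE_RECORDS = {
    "r1": "Customer J. Smith called about order 1138; callback 555-0100.",
    "r2": "Applicant Maria Garcia, SSN 123-45-6789, requested a copy of her file.",
    "r3": "Card on file for Wei Chen: 4111 1111 1111 1111 exp 09/26.",
    "r4": "Stray digits 5500 0000 0000 0004 in notes field, no name attached.",
    "r5": "Texas DL 12345678 issued to R. Patel; see attached scan.",
    "r6": "Reference 4111 1111 1111 1112 is a tracking code, not a card.",
}

# Social Security number in dashed form, excluding area numbers that are never
# issued (000, 666, 900-999) and all-zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Driver's license number: counted only when a license keyword precedes it,
# because the bare digits have no distinctive shape of their own.
DL_RE = re.compile(
    r"\b(?:DL|[Dd]river'?s\s+[Ll]icen[sc]e)\s*(?:[Nn]o\.?|#|[Nn]umber)?\s*([A-Z0-9]{5,12})\b"
)
# Crude personal-name heuristic (assumption): a capitalised word or initial
# followed by a capitalised word. It over-matches ("Applicant Maria"), which
# is acceptable for an inventory pass that should err toward human review.
NAME_RE = re.compile(r"\b[A-Z](?:[a-z]+|\.)\s[A-Z][a-z]+\b")
# 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid 13-19 digit numbers in text, separators removed."""
    pans = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def classify(text: str) -> set[str]:
    """Return the protected-data categories present in one free-text record."""
    categories = set()
    pans = find_pans(text)
    if pans:
        # A PAN is cardholder data under PCI DSS on its own, name or no name.
        categories.add("cardholder data")
    has_name = NAME_RE.search(text) is not None
    has_identifier = bool(SSN_RE.search(text) or DL_RE.search(text) or pans)
    if has_name and has_identifier:
        # The breach-law definition is the *combination* of name and identifier;
        # a name alone (r1) or a number alone (r4) does not qualify.
        categories.add("PII")
    return categories


def inventory(records: dict[str, str]) -> dict[str, set[str]]:
    return {rid: classify(text) for rid, text in records.items()}


if __name__ == "__main__":
    for rid, cats in inventory(SAMPLE_RECORDS).items():
        print(rid, sorted(cats) or "-")
```

Protected health information is left out deliberately: whether health data is PHI turns on who holds it under HIPAA (a covered entity or business associate), not on the shape of the data, so it cannot be identified by pattern matching alone and needs the legal survey described in the next section.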
Survey the Legal and Regulatory Landscape
Once you have identified the types of information you collect, identify the laws and regulations that apply to that information and implement precautions to ensure compliance with them. Depending on the size of the company and the type of data collected, the scope of this survey may range from simply analyzing applicable federal and state laws and regulations to a more detailed and complex analysis of international data protection regimes, industry standards, audit protocols and internal policies related to vendor contracting.
Gather and Examine Internal Policies
Your company may have data retention and destruction policies, privacy policies, data security procedures, data breach notice plans, new hire and other employee training material, computer-use agreements and internal auditing and monitoring processes. All of these materials should be gathered and considered when developing a data security plan.
Assemble Your Information Security Team and Evaluate Risks
As a precursor to developing (or revising) a data security plan, assemble a team of individuals in your organization responsible for ensuring information security, privacy compliance and data protection, as well as a board member and personnel from your legal, IT, human resources and communications/public relations departments.
Once your team is assembled, generate a list of the risks associated with noncompliance with privacy laws, mishandling of personal data and data breaches. The risks may include loss of customers and business, investigative costs, regulatory actions, fines, litigation, disclosure obligations and unfavorable publicity. Once this risk analysis is complete, identify one or more methods for mitigating each risk. Revisit this risk assessment regularly to re-rank the risks as your company’s organizational controls and systems evolve and improve.
Design and Implement Your Solutions
Take a Privacy-by-Design approach to addressing privacy and data security risks when developing your solutions. In other words, consider customer privacy, legal compliance and data protection throughout the data lifecycle; i.e., collection, processing, storage and destruction.
The following is a representative sample of solutions, techniques, procedures and policies that may be relevant to your company in developing and implementing an effective privacy and data protection plan:
- Develop a System for Monitoring and Tracking Network Access
Implement controls and systems that allow for early detection of network intrusions and for identifying the intruders; this can be critical to containing breaches and other types of security incidents. Both detection and attribution depend on logs that are retained long enough to be useful, collected centrally so that an intruder on one host cannot erase them, and timestamped from synchronized clocks. Coordinate continually with your IT professionals to ensure that network access is adequately monitored so that suspicious activity on your network can be detected before data is lost.
- Design Effective Employee Policies and Procedures
Employees are a common cause of data breaches, data loss and data misappropriation when appropriate safeguards are not instituted and enforced. To mitigate these risks, develop comprehensive policies and procedures that dictate which employees have access to particular data; establish how confidential and proprietary information must be handled; include instructions on reporting impermissible uses or violations of confidentiality and security policies; and contain onboarding and exit procedures, including prompt revocation of system access, to protect against information misappropriation upon termination of employment. The effectiveness of a data security plan is critically contingent on employee awareness of and compliance with the plan. Companies need to promote employee awareness and preparation through regular training and set the expectation within their organizations that privacy and data security are taken seriously.
- Develop a Breach Response Plan
A critical part of your company’s data security plan is the breach response plan, which governs how to respond to a suspected or actual breach. An effective breach response plan should identify the leaders of the response team and should be easy to follow and scenario-based. Consider including checklists in the plan to ensure that proper procedures are followed to collect pertinent information related to the breach and to promptly secure the premises and systems where the breach occurred in order to prevent additional data loss, while preserving evidence (for example, by imaging affected systems and retaining their logs before they are rebuilt) so that the investigation and any later regulatory or litigation response are not undermined. Be sure to immediately involve legal counsel in all aspects of an investigation—including communications about the potential breach, remediation efforts and disclosure and reporting—to ensure protection under the attorney-client and work product privileges.
- Conduct Regular Audits
Regularly measure the effectiveness of your solutions, which includes revisiting and reevaluating the factors that went into developing them. Regular audits should evaluate your information security practices and whether your company is actually following those practices, including tests to confirm that employees are properly and consistently implementing the solutions.
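As an added illustration of the network monitoring item above (example code written for this page, not code from the authors or their firm), the following Python script applies a simple detection rule to a handful of constructed SSH authentication log lines: five or more failed logins from one source address within 60 seconds raises a brute-force alert, and a later successful login from that same address is escalated as a likely compromise that names both the account and the source, which is the attribution the paragraph above asks for. The log format, the threshold and the window are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style authentication events (assumed format). Addresses come
# from the RFC 5737 documentation ranges; timestamps are UTC.
AUTH_LOG = [
    "2023-06-01T02:14:03Z sshd[812]: Failed password for admin from 203.0.113.7 port 51022",
    "2023-06-01T02:14:05Z sshd[812]: Failed password for admin from 203.0.113.7 port 51023",
    "2023-06-01T02:14:07Z sshd[812]: Failed password for admin from 203.0.113.7 port 51024",
    "2023-06-01T02:14:09Z sshd[812]: Failed password for admin from 203.0.113.7 port 51025",
    "2023-06-01T02:14:11Z sshd[812]: Failed password for admin from 203.0.113.7 port 51026",
    "2023-06-01T02:14:13Z sshd[812]: Failed password for admin from 203.0.113.7 port 51027",
    "2023-06-01T02:14:14Z sshd[812]: Connection closed by 203.0.113.7 port 51027",
    "2023-06-01T02:14:20Z sshd[812]: Accepted password for admin from 203.0.113.7 port 51031",
    "2023-06-01T02:30:00Z sshd[900]: Failed password for jdoe from 198.51.100.4 port 40001",
    "2023-06-01T02:31:00Z sshd[901]: Accepted password for jdoe from 198.51.100.4 port 40002",
    "2023-06-01T03:00:00Z sshd[950]: Failed password for root from 192.0.2.9 port 33001",
    "2023-06-01T03:05:00Z sshd[951]: Failed password for root from 192.0.2.9 port 33002",
    "2023-06-01T03:10:00Z sshd[952]: Failed password for root from 192.0.2.9 port 33003",
    "2023-06-01T03:15:00Z sshd[953]: Failed password for root from 192.0.2.9 port 33004",
    "2023-06-01T03:20:00Z sshd[954]: Failed password for root from 192.0.2.9 port 33005",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+$"
)


def parse_line(line: str):
    """Return a dict for a login-outcome line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Flag any source with >= threshold failures inside a sliding window, and
    escalate when an already-flagged source later authenticates successfully."""
    recent_failures = defaultdict(deque)  # ip -> failure timestamps still in window
    flagged = set()                       # ips that already raised a burst alert
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # "Connection closed" and similar lines carry no outcome
        q = recent_failures[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # expire failures older than window
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "brute_force", "ip": ev["ip"],
                               "user": ev["user"], "failures": len(q), "at": ev["ts"]})
        elif ev["ip"] in flagged:
            # A success from a source that was just brute-forcing is the
            # signal worth paging on: it names the account and the intruder.
            alerts.append({"type": "success_after_burst", "ip": ev["ip"],
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(AUTH_LOG):
        print(a["at"].isoformat(), a["type"], a["ip"], a["user"])
```

Two things in the sample are deliberate. The five failures from 192.0.2.9 never alert because they are spread five minutes apart and fall out of the 60-second window one at a time, which is why thresholds must be tuned against real traffic rather than copied. And the rule only works if the log lines actually reach a central collector with trustworthy timestamps; an attacker with root on the host that is writing these lines can simply delete them, which is the retention and central-collection point made in the monitoring item above.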
Your company can mitigate the high costs of remediating a data breach by maintaining a strong security posture, assembling a proper team to oversee your privacy and security practices, and having a tested breach response plan. Whether a company already has privacy and security plans in place or has yet to create them, it needs to be mindful of the ever-changing laws and regulations, and of the evolving technological safeguards and threats, that those plans must account for.
While this article provides a general overview of privacy and security plan best practices, the parameters of each organization’s privacy and data protection practices will naturally differ in scope and complexity depending on the nature of the organization, the types of information collected and the regulatory environment in which the organization operates.
Ronald Breaux is head of the privacy and data security group at Haynes and Boone, LLP, a firm that advises clients on navigating the privacy and data protection legal and regulatory landscapes, assists in evaluating the associated risks and provides counsel in the development and implementation of effective privacy and data security plans.
Sam Jo is an associate in the Intellectual Property Practice Group at Haynes and Boone, LLP, where he focuses on structuring, negotiating and advising clients on a wide range of outsourcing, technology and intellectual property-related transactions, including: information technology and business process outsourcing arrangements (both on the provider and customer side); technology-driven joint ventures and strategic alliances; development, licensing, cloud computing, manufacturing, distribution, and marketing arrangements, and matters related to e-commerce, Internet law, privacy and data protection.