By Karl Robe, Rebecca Grassl Bradley and Andy Schlidt // April 2, 2012
Data security breaches present a crisis situation faced by a growing number of companies and organizations both small and large, with no end in sight.
Organizational inattention to information security leaves businesses and their customers vulnerable to privacy violations, fraud, financial loss and reputational harm. Therefore, companies cannot blindly rely on their information technology staff or third-party contractors to secure sensitive data.
Ultimately, company leaders bear the responsibility to recognize the risks and take steps to prevent data loss or theft by implementing a comprehensive information security program, which includes incident response plans to minimize the adverse effects of a breach on the company and its customers.
While some studies indicate consumers are becoming numb to data breaches because responsible companies are paying for any financial effects, legislative and regulatory bodies are becoming increasingly concerned with the solvency of companies, shareholder impact, identity theft and many other issues associated with data breaches.
Consider the case of a prominent health insurer, which in a publicized announcement recently paid $1.5 million to settle violations of HIPAA’s Privacy and Security Rules, arising from the theft of unencrypted hard drives containing protected health information of over 1 million individuals.
No industry, however, is immune to data security breaches, especially when companies or their vendors collect and store credit card data, medical records, financial records, or personally identifiable information.
A study released by the Ponemon Institute in conjunction with Symantec sheds further light on the costs and causes of data breaches:
How to respond to a data breach
Upon becoming aware that a data breach has occurred, the affected company must act quickly to contain the breach, which requires an understanding of its origin and cause.
Consider whether law enforcement should be notified; if so, consider contacting the FBI or the U.S. Secret Service rather than a local police department that may not have the requisite resources to investigate the breach.
Forensic analysts may be retained to investigate and remediate the breach while preserving data that may be crucial for law enforcement to pursue the hackers who committed the breach.
Public relations professionals may be retained to handle media communications, particularly if the company is required by law to publicly report the data breach.
Insurance policies should be reviewed to determine whether coverage may exist for damages incurred by the company directly or by third parties as a result of the data breach.
Finally, the company’s contracts with affected customers and contractors should be reviewed to ascertain the company’s obligations to report the breach to those parties and indemnify them for any losses.
Many states have enacted data breach notification statutes that require companies to report incidents where personal information has been released without authorization. Analyzing which state laws may apply can be tricky because the laws are not uniform.
Many statutes impose time frames within which reports must be made. Notifications should be coordinated with law enforcement to avoid adversely affecting any investigation.
Karl Robe counsels attorneys and executives on communications strategies. Contact him at Karl James & Co. LLC by emailing [email protected].
Rebecca Grassl Bradley and Andrew Schlidt are attorneys and co-chairs of the Technology Law practice at Whyte Hirschboeck Dudek SC, Milwaukee. Bradley can be reached at [email protected] and Schlidt can be reached at [email protected].