While we hear these words seemingly every day (and may becoming immune to their effects), the ramifications for the companies that suffer the breach have only become more severe and onerous. As more and more companies collect valuable, and often very personal, data about their customers, the issue of data privacy and security is expanding far beyond companies that are focused solely on data aggregation. For example, clients that offer artistic apps, but collect data about the demographics of theirs users, or health and fitness apps that collect personal health data about their users, all must follow the privacy laws and practices.
The issue of data privacy and security comes up several ways for our clients. Some are the result of legislation, both within the U.S. and abroad (and often our U.S. based clients are surprised to learn that they may need to comply with EU based laws, for example), and others are best practices. This short article is meant to be an introduction to these areas, but is not meant to be a detailed summary. It won’t discuss data security, which you should be very focused on from the outset, but focuses more on things you can do both now and if a breach occurs.
Privacy Policy
If you are collecting data (i.e. name, email address, IP address, cookies, demographics etc.) from your customers, you need a privacy policy in place. This is to request their consent, if needed (under statute or to comply with a third party service such as Google AdSense), and to explain what data you are collecting and how you’ll be using and sharing it, if at all. Without this, you may, depending on the statute, be violating the law, and at a minimum, you are missing an opportunity to communicate with your clients in a way that is transparent. Doing so will create trust and minimize opportunities in the future for someone to allege you are improperly collecting and using data.
Privacy is becoming more regulated in the U.S. and the EU recently passed the GDPR (General Data Protection Regulation) that established certain basic rights that individuals have regarding privacy. Monetary fines for failing to comply with these regulations or not properly responding to a breach situation can be huge (easily in the millions of dollars) so starting off on the right foot with a good privacy policy is a great way to start your protection from the beginning.
Basics that should be included in a privacy policy is your company’s name, what information you are collecting, how you are collecting it and how you’ll use it, whether is it optional or if opting-out is an option and how you are keeping their information secure. We often draft privacy policies for our clients or review existing ones to make sure they are appropriate for each client’s individual situation.
Insurance
If you are collecting personal information, and definitely if you are collecting personal health information, we strongly recommend that you purchase cyber insurance. This insurance will help provide coverage if there is a breach and usually will cover attorney’s fees, mitigation costs (breach notification, credit monitoring etc.) that may be mandated either under statute or in a contract with your customer or vendor. We recommend that you get as much as you can afford, as the cost for mitigation alone can be very expensive. For example, if you are holding 100,000 users’ information and it costs $7.00 to notify and offer credit monitoring to each of them that is $700,000 in costs alone (excluding lawsuits, fines, legal fees etc.).
Recommendations
After you have a privacy policy and insurance in place, if possible, you should set out an “incident response plan” that involves all the relevant people (management, IT, legal, insurance, PR etc.) who be involved if there is a breach. We recommend against having it be too “aspirational”. You don’t want to later produce a plan only to have that plan attacked because you never followed it. It should be as simple as possible. Have all key phone numbers and contact people in place and know what order you’ll call each person in the chain. It’s best, ideally, to have those accessible offline so that if your entire system is compromised and you cannot get into your database (denial of service attack, ransom ware etc.) you can still contact the key individuals.
You should also review your vendors each year to figure out what type of security risk they represent as far as security of your data. Are they holding it in an unsecure manner? Do they have access to your critical systems but don’t have processes in place to make sure only authorized individuals are accessing your system?
Ideally you’ll also have internal policies about how people should communicate if a breach occurs. You’ll need to decide who is authorized to speak to the press, customers and vendors and if so, through what channels.
If you do suffer a breach, the first thing to do is to take a deep breath and not panic. This is critical, as panicking and rushing a response can be disastrous to your business. Each day is different than the one before and how you feel in the first few hours will be different than a day or two later. This isn’t to say you don’t need to act quickly, which you will since some statutes, such as the GDPR, or contractual arrangements require notice within a short time frame (often 48-72 hours). However, before doing so, take the time to contact the right people to help you figure out the best way to proceed.
If you have insurance you’ll want to consider tendering it to your insurance company as soon as possible, as often they won’t pay for legal fees incurred before you do so.
It’s also important to recognize that not every “breach” will result in a notice obligation or liability. Only after analyzing what was accessed, how it was accessed, whether any data taken, destroyed etc., will you know what you need to do.
Finally, make sure to figure out quickly whether it is a live leak (i.e. ongoing) or if it occurred six months ago. How you will respond will be very different depending on the answer to this critical question.
In sum, there are steps you can take now to minimize your exposure, comply with the law, build client trust and reduce your cost, stress and anxiety in the future if a breach occurs. Remember that many companies have gone through this and come out the other side and with the proper planning and response you will to if ever faced with a breach.
Please contact Heather Sapp at (hgs@sfcounsel.com) or Brandon Smith at (bds@sfcounsel.com) for more information on privacy policies and data privacy.
– Written by Brandon D. Smith