While we hear these words seemingly every day (and may becoming immune to their effects), the ramifications for the companies that suffer the breach have only become more severe and onerous. As more and more companies collect valuable, and often very personal, data about their customers, the issue of data privacy and security is expanding far beyond companies that are focused solely on data aggregation. For example, clients that offer artistic apps, but collect data about the demographics of theirs users, or health and fitness apps that collect personal health data about their users, all must follow the privacy laws and practices.
The issue of data privacy and security comes up several ways for our clients. Some are the result of legislation, both within the U.S. and abroad (and often our U.S. based clients are surprised to learn that they may need to comply with EU based laws, for example), and others are best practices. This short article is meant to be an introduction to these areas, but is not meant to be a detailed summary. It won’t discuss data security, which you should be very focused on from the outset, but focuses more on things you can do both now and if a breach occurs.
If you are collecting personal information, and definitely if you are collecting personal health information, we strongly recommend that you purchase cyber insurance. This insurance will help provide coverage if there is a breach and usually will cover attorney’s fees, mitigation costs (breach notification, credit monitoring etc.) that may be mandated either under statute or in a contract with your customer or vendor. We recommend that you get as much as you can afford, as the cost for mitigation alone can be very expensive. For example, if you are holding 100,000 users’ information and it costs $7.00 to notify and offer credit monitoring to each of them that is $700,000 in costs alone (excluding lawsuits, fines, legal fees etc.).
You should also review your vendors each year to figure out what type of security risk they represent as far as security of your data. Are they holding it in an unsecure manner? Do they have access to your critical systems but don’t have processes in place to make sure only authorized individuals are accessing your system?
Ideally you’ll also have internal policies about how people should communicate if a breach occurs. You’ll need to decide who is authorized to speak to the press, customers and vendors and if so, through what channels.
If you do suffer a breach, the first thing to do is to take a deep breath and not panic. This is critical, as panicking and rushing a response can be disastrous to your business. Each day is different than the one before and how you feel in the first few hours will be different than a day or two later. This isn’t to say you don’t need to act quickly, which you will since some statutes, such as the GDPR, or contractual arrangements require notice within a short time frame (often 48-72 hours). However, before doing so, take the time to contact the right people to help you figure out the best way to proceed.
If you have insurance you’ll want to consider tendering it to your insurance company as soon as possible, as often they won’t pay for legal fees incurred before you do so.
It’s also important to recognize that not every “breach” will result in a notice obligation or liability. Only after analyzing what was accessed, how it was accessed, whether any data taken, destroyed etc., will you know what you need to do.
Finally, make sure to figure out quickly whether it is a live leak (i.e. ongoing) or if it occurred six months ago. How you will respond will be very different depending on the answer to this critical question.
In sum, there are steps you can take now to minimize your exposure, comply with the law, build client trust and reduce your cost, stress and anxiety in the future if a breach occurs. Remember that many companies have gone through this and come out the other side and with the proper planning and response you will to if ever faced with a breach.
Please contact Heather Sapp at (firstname.lastname@example.org) or Brandon Smith at (email@example.com) for more information on privacy policies and data privacy.
– Written by Brandon D. Smith