Just before Christmas, we learned that thieves scored a massive holiday gift for themselves when they hacked into credit and debit card data from as many as 40 million Target customers. Now Target is facing a public relations issue, and it could take a long time to recover and restore consumer trust.
The breach came to light, in part, because of government regulations. The federal government and many states, including Florida, have data breach notification laws that require state officials and victims to be notified if financial data or other sensitive information is compromised. Similarly, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires notification if personal medical records and treatment data are compromised.
Guarding Against a Security Breach
The key to minimizing the impact of a security breach isn’t an effective public relations strategy. Preventing security breaches is a much better approach.
The first step is to understand and evaluate your IT infrastructure. How secure is data that flows into and out of your network? How effective is your security system and how closely is it being monitored? Technology vendors such as Microsoft have released best-practice guides for protecting sensitive corporate and customer data. These guides are a good starting point for companies beginning the process or assessing the effectiveness of existing controls.
Every organization should have documented security policies that establish rules related to the use of technology. Security mechanisms such as cutting-edge firewalls, data encryption, and user authentication should be implemented, especially if users can access your network remotely.
The Target security breach is proof that any organization, regardless of size and reputation, can be hacked. This is why a disaster recovery and data backup plan must be established to provide access to mission-critical data if a breach occurs, and a procedure for customer notification must be put in place.
Finally, enlist the expertise of a third-party vendor if necessary to formulate a robust security strategy and comprehensive disaster recovery and data backup plan. Involving an outside entity helps ensure your systems are compliant with industry regulations, monitored around the clock, and tested regularly.
Why Companies Are Turning to Law Firms for Help
When sensitive customer data is compromised as a result of a security breach, lawsuits are common. These lawsuits scrutinize the security procedures of the organization suffering the breach. As a result, many companies are looking to attorneys for guidance in overseeing a number of security procedures and policies.
This benefits organizations in two ways. First, an attorney experienced in technology law and business law can help organizations develop and implement security measures that are compliant with industry requirements and protect customer data. Second, information such as the organization’s security procedures can be protected by attorney-client privilege and, therefore, be unavailable to plaintiffs during a lawsuit. For example, when an organization retains a law firm to conduct an investigation after a breach, some potentially harmful findings could remain private while the organization still complies with the breach notification regulations.
People who make purchases from your company are entrusting you with sensitive data. Respect that trust by fortifying your IT security to prevent a security breach, and develop a disaster recovery plan for a worst-case scenario. If this sounds overwhelming or confusing, turn to a qualified law firm and technology vendor for assistance. The cost of being unprepared can be devastating.