News// August 2015

Are you Prepared for a Cybersecurity Breach? The Lawsuit that Follows? The Top 5 Precautions Every Business Should Take

Cybersecurity data breaches are an imminent threat to businesses of all sizes. It is not a matter of if your business will be hacked, but when and to what extent. Small and mid-sized businesses are particularly at risk.

Complying with the latest cybersecurity law standards of care will ensure businesses stay ahead the costly financial and legal ramifications of a data breach. These top 5 tips will help ensure businesses of all sizes manage legal and financial risks inherent in cybersecurity breaches.

Precaution 1: Have you prepared for a breach?

All businesses, regardless of size, must develop an action plan. A working plan is vital and requires regular reevaluation as new threats develop. A working plan allows for an efficient and prompt response, decreasing overall costs of the breach. Time is money, and a plan without practice is not a viable plan.

Precaution 2: Have you conducted employee training and implemented policies and procedures?

A business’s own personnel are a cybersecurity threat, no matter how loyal. Businesses must implement training programs and develop cybersecurity policies and procedures in order to comply with applicable standards of care. Unsuspecting individuals fall victim to “phishing” emails or malware infiltration. In some cases, personnel maliciously enable a breach. Ensuring only appropriate personnel have access to sensitive company data and implementing training on security measures throughout all levels of the business is crucial.

Precaution 3: Have you considered BYOD (“Bring Your Own Device”) Risks?

The use of mobile devices in the workplace increases cyber threats exponentially. In a study performed by the Ponemon Institute in 2015 sponsored by IBM, more than 11.6 million mobile devices are infected with malicious code.1 Despite this, many companies are not investing to protect against infiltration through mobile devices. A majority of the businesses included in the study reported that they allow employees to download unregulated apps on company devices, leading to malware infiltration of private information. Businesses must use programs to encrypt and protect mobile devices and develop “BYOD” mobile device policies to ensure private information remains secure.

Precaution 4: Do you have cybersecurity insurance?

There is a growing trend of insurance companies providing cybersecurity policies to assist with what can be debilitating costs of a data breach. It appears obtaining “reasonable” cybersecurity coverage is a trending standard of care in this area of the law depending upon the type of information the business possesses. Insurance can help mitigate some of the monetary burdens following a data breach, but it is never a substitute to developing a working response plan. An attorney well-versed in cybersecurity law can work closely and effectively with the business’s broker to ensure proper coverage.

Precaution 5: Have you considered your use of third-party suppliers?

Businesses often overlook risks associated with the use of third-party vendors. Vendors that have access to a business’s internal processes, such as POS systems, data storage, or other programs containing sensitive data can subject a business to liability for failing to take precautionary measures to prevent data breaches. For this reason, businesses must seek protection not only by contract, but through close monitoring and regular inspection of its vendors. This includes reviewing agreements and examining vulnerabilities of existing vendors.

While the legal standards of care in cybersecurity law are dynamic and less-than certain, we have learned some valuable information from recent cases involving large-scale breaches. Businesses should not go about managing their cybersecurity risks alone. Failing to appreciate and comply with current standards of care may result in liability for negligent or even willful conduct. For more information or further discussion, please contact Lindsay M. Johnson, Esq., Chair of the Cybersecurity and Privacy Law Practice Group.

  • News Release, IBM Sponsored Study Finds Mobile App Developers Not Investing in Security, (19 March 2015).