Priority one: preventing data breaches moves to the top of the corporate agenda.
An October Ponemon Institute study found the average annual cost of cyber-crime was $8.9 million per company, with a range of $1.4 million to $46 million. The companies in the study experienced on average 1.8 successful cyber-attacks per week.
The frequency of such incidents has made data security the top legal concern of 55 percent of in-house counsel, according to the 2012 Law and the Boardroom Study by Corporate Board Member and FTI Consulting. A plethora of federal and state laws designed to protect consumers also has helped push data protection to the top of the compliance priority list.
"Regulators understand that there are sophisticated criminals out there, but they also expect you to take the necessary reasonable steps to protect information," says Linda Clark, senior counsel for data security and compliance at Reed Elsevier. "You may not get credit for doing the right thing, but if you don't ... you will almost certainly not be looked upon favorably."
Doing the right thing starts with encryption, the process of encoding information so it is unreadable to hackers. At least 46 states have enacted security breach laws requiring notices to consumers, but if personal information is encrypted, notice generally is not required.
"Following industry best practices encryption standards remains very helpful in minimizing both reporting requirements and litigation exposure in the event of a data breach," says Michael Pennington, a partner at Bradley Arant Boult Cummings.
The safe harbor only applies if the decryption keys that allow the data to be viewed are not compromised. Therefore, strong key management is essential.
"The company should confirm that the decryption key was not stored with the encrypted data," says Philip Gordon, head of Littler Mendelson's privacy practice group. "As long as that is the case, the data owner would have no notification obligation."
Experts strongly recommend encryption for mobile devices, which are easily stolen. For example, someone stole a laptop computer from a NASA employee's locked vehicle on Oct. 31, 2012, the latest in a series of data breaches at the space agency. The laptop contained personally identifiable information for a large number of NASA employees, contractors and others. According to NASA, although the laptop was password-protected, it did not have whole disk encryption software, which means the thief could easily access the information it held. NASA pledged to have all laptops fully encrypted by Dec. 21, and in the meantime banned all unencrypted laptops from leaving NASA premises.
But encryption isn't always effective in an ever-evolving technology environment. Pennington says data thieves apparently stole the Barnes & Noble data at the point of purchase, before it could be encrypted. According to some experts, even encrypted data no longer deters skilled hackers. "Business and criminals are constantly working against each other to come up with the latest technology to thwart the other in this area," Pennington says.
The basis of any compliance program is understanding what information you have, says Clark.
"For example, do you have personal information? Protected health information (PHI)? Company confidential information? [Then you know,] you can plan and design your program to meet your regulatory and legal obligations," she says.
If the breach involves PHI subject to the Health Insurance Portability and Accountability Act (HIPAA), then the Health Information Technology for Economic and Clinical Health Act requires notification within 60 days of the breach discovery. In addition, if the breach affects more than 500 people, the company must notify the Department of Health and Human Services, and if the 500 individuals reside in the same jurisdiction, the company also is required to notify major media outlets.
"By contrast, if the health information is not PHI subject to HIPAA (for example, if it is health information in a database of workers' comp claims), state law might not even require notice because only a relatively small number of state notice laws include health information," Gordon says.
Although the details of compliance will vary, the overall culture of the company is the key to a successful data protection program, according to Clark.
"The most important requirements are that you develop a framework that makes sense for your organization and foster a culture where privacy and security are serious matters," Clark says.
The framework should foster a self-critical environment, an understanding that privacy and security are business imperatives, and recognition that feedback and engagement in the process are important, she adds.
"Of course, the details are what will be used to measure your compliance, so they are no small matter," Clark says. "But without the right framework and culture, you won't know what details apply, and people may disregard them even if they do."
RELATED ARTICLE: QUICK READ
Encryption helps prevent breaches
Law departments should know what information they have
Culture is key to data protection
RELATED ARTICLE: Dumpster Diving
Not all data theft is high-tech. PLS Financial Services, PLS Group and the Payday Loan Store of Illinois in November 2012 settled a Federal Trade Commission (FTC) case alleging the company disposed of documents containing consumer personal information, including names, Social Security numbers, and wage and bank account information, in trash containers near several locations of the payday loan and check-cashing operation. The trash containers were unsecured and accessible to the public.
Although the FTC did not claim the information had fallen into the wrong hands, such disposal practices violate federal rules protecting consumer information against trash-diving identity thieves.
"The FTC relied primarily upon the Gramm-Leach-Bliley Act's Safeguards and Privacy Rules and the FTC Disposal Rule, but also invoked the FTC Act generally, and other federal laws in the PLS case," says Michael Pennington, a partner at Bradley Arant Boult Cummings.
PLS agreed to pay a $101,500 civil penalty and initiate a data security program with independent third-party audits every other year for the next 20 years.
Date: Jan 1, 2013