Data breaches are up significantly in 2019, exposing billions of confidential records and costing companies millions of dollars on average per breach. Security experts counsel their clients that data breaches are inevitable as even the largest, most secure systems may be breached. In spite of this environment, many tech companies are woefully unprepared to respond to a cyber intrusion, data breach, or other cyber-related event. Are you ready?
As insurance coverage lawyers, we often work with clients to confront this organization-wide challenge after a breach has occurred. The better approach, however, is to prepare in advance by understanding your risks, building a team, securing and monitoring your data, having a well-developed and rehearsed response plan, and tailoring your insurance program to a possible breach. Additionally, having counsel involved throughout the preparation and response process is critical to protect privilege, minimize legal liability, and maximize insurance coverage.
Steps to Prepare for a Data Breach
Step One: Map Your Risks
Your company’s ability to prevent and respond to a data breach depends on understanding your risks. Every company should conduct a thorough review of its own processes and systems. Mapping your risks includes determining (1) what types of data you are collecting; (2) when and how that data is being collected; (3) where the data is being stored; (4) how the data is being used; (5) who has access to both the collected data and other information technology systems; (6) how data flows through various systems and who touches what data along the way; (7) what procedural safeguards are in place to protect the systems and data; and (8) what your legal obligations are in the event of a breach with respect to the collection, use, and storage of the various categories of your data, and how you can protect legally privileged information.
Your legal obligations are rapidly changing. Acts such as the California Consumer Privacy Act (effective January 1, 2020) have begun rolling out broad-based consumer data privacy laws that touch on data collection, use and storage. Other states are expected to follow suit. Federal law also protects specified categories of data, such as health information. Moreover, consumer groups are urging Congress to adopt a strict national privacy standard akin to the European Union’s General Data Protection Regulation. Even as a company operating in the tech space with a sophisticated knowledge of programming and software, it would benefit your business to have a privacy law expert at the table during this data mapping stage. Perkins Coie is home to several attorneys with extensive experience in privacy law.
Step Two: Assemble Your Team
Your response team should be assembled and ready in advance of a breach. Internal delays and communication breakdowns can mean the difference between a network intrusion that is quickly recognized and quarantined and a massive data breach that never seems to end and costs millions of dollars to resolve. Identify internal stakeholders in information technology, systems management, human resources, public relations, legal, finance and accounting, as well as appropriate members of senior leadership. You may also include outside experts such as counsel familiar with notification and disclosure obligations, a public relations firm, and technical and security experts.
Step Three: Develop Your Breach Plan
Using your data and risk map, and working with the team you assembled, the next step is to develop and test a breach response plan. Goals for such a plan must include rapid mobilization of your breach team to triage the breach, quick identification of the extent of any exposure, the preparation of any necessary legal notices, protection of the legal privilege of your activities and data, and management of internal and external messaging to maintain control of the situation. It is critical to keep detailed records of the plan and of any necessary documents such as insurance policies, systems information, and regulations that will be required to execute the plan. It is equally important that your company practice and test its plan with some regularity to identify and close any gaps in the plan, including common gaps such as the inability to access core team members in the event that the company email or phone system is compromised.
Step Four: Keep Your Data Secure and Monitor for Breaches
Not all companies can afford state-of-the-art cyber defenses, but there are many steps businesses can take to minimize the damage caused by a data breach. Companies that want to protect their data well should think deeply about issues such as (1) IT protections surrounding data collection, use, and storage; (2) policies and access points for data; and (3) ways of improving incident detection capabilities. Data security measures must also include taking steps to ensure that any individuals who have access to your data (including members of senior management) are trained in data-security best practices and understand how to recognize and respond to threats such as phishing attempts.
Step Five: Have the Right Insurance
Your company should not overlook the importance of insurance. By mapping your data, you and your insurers should be able to tailor a program to meet your needs in the event of a cyber intrusion, data breach, or cyber-related event. Cyber liability insurance policies vary dramatically in their coverage and are often negotiable. Insurance may cover the cost of (1) investigating and remedying the technical causes of a data breach, (2) retaining legal counsel to respond to and defend against any investigations or demands arising out of the breach, (3) hiring public relations or crisis management firms to manage your company’s external messaging and response, and (4) resolving legal claims resulting from the breach. You might also identify insurance coverage maintained by your business partners and vendors under which you are covered as an additional insured. Involving coverage counsel early in this process will help you get the coverage in place that you need to protect against this significant risk.