Computer hacking and data security became central issues in the 2016 presidential election as a result of several high-profile data breaches. Although the public may have been surprised to learn how vulnerable electronic data actually is, corporate chief legal officers regularly toss and turn at night worrying about their organizations’ data security. According to the Association of Corporate Counsel’s 2016 Chief Legal Officer Survey, data security has ranked among the top three concerns of Chief Legal Officers for several years running. The ACC survey found that twenty-two percent of CLOs experienced a data breach within the last two years. Astonishingly, forty-nine percent of healthcare CLOs experienced a data breach within the last two years, followed by forty-five percent of education industry CLOs.
Data breaches can be extraordinarily expensive. Response costs can quickly mount into the millions of dollars. Resulting government investigations can lead to significant legal expenses, as well as potential fines. However, the damage will likely go well beyond the initial financial costs. A high-profile data breach can inflict significant damage on a company’s brand, impacting the bottom line far more than the initial legal and investigative costs. Such damage may take years to repair. Beyond the financial damage, a high-profile data breach can often wreck the careers of CEOs, CLOs and information technology professionals.
So, the question becomes, how well-prepared is your organization for a data breach? Advance preparation is crucial. Waiting until a data breach is discovered is a recipe for disaster.
Preparing for Data Breaches
To reduce exposure in the event of a data breach, your company must prepare for a breach in advance. This includes instituting security and prevention measures, as well as creating an incident response plan to follow if a breach occurs. In upcoming posts, I will offer help on both fronts. These posts will examine the following topics, all of which your organization must consider before a data breach occurs:
- Has your company taken “reasonable security measures” with respect to data security?
- Is your company collecting and keeping sensitive information unnecessarily?
- Are your vendors and service providers a weak link in your data security plan?
- Does your organization have an up-to-date incident response plan?
- Has your company purchased adequate insurance covering both the response costs and resulting liability?
- Have you prepared your board of directors for a data breach?
I hope these posts prove helpful and would love to hear how your company has prepared for, and responded to, a data breach.
Photo courtesy of Zakwitnij on Flickr.