This is the third and final article in a three-part series aimed at assisting companies in implementing a data privacy and security program. The first article addressed the importance of adopting such a program, how to put together a good data privacy and security team, cataloging your company’s data and devices, and understanding the data security risks your company faces. The second article discussed limiting data collection and retention practices to your business’s needs, safe disposal methods, securing the data your company collects, monitoring for potential breaches, sharing data with third parties, employee training and employees’ use of personal devices at work.

Adopt a written privacy policy that accurately reflects your company’s practices

Most companies doing business online are required by various state laws to have a written privacy policy. Even if not strictly required, your company should adopt a privacy policy that accurately describes your company’s practices in collecting and using personal information. California’s attorney general and the Federal Trade Commission (FTC) have brought complaints against companies either for lacking a privacy policy altogether or for failing to describe accurately in their privacy policies their actual data collection and use practices. Your organization’s privacy policy should describe in plain language what your company does with the data it collects, including whether your organization shares consumer data with third parties. The policy must be conspicuously posted and accessible on the company’s website or app.

Create a response plan

If a data security breach occurs, you want to be able to respond promptly and authoritatively. A response plan should identify the persons responsible for its implementation, and it should include a thorough assessment of the nature and impact of the breach. How did the breach occur? What data was obtained? Was it encrypted? Whose data was impacted? What time frame does the data cover? How sensitive is the data? Could misuse of the data lead to identity theft or fraud?

Contain the breach as soon as possible and take steps to prevent its recurrence. Employ cybersecurity experts to determine how the breach occurred and help craft a fix to prevent a repeat occurrence. Until the extent of the breach has been determined, avoid communicating electronically over your company’s network as it is possible the cybercriminals who breached your system can monitor such communications and work around any fixes you devise. Each member of your data privacy and security team should have a list identifying persons to contact by telephone in the event of a breach to ensure prompt implementation of your response plan.

Keep an accurate record of what happened and what steps were taken to remedy the problem. Assume that record will be made public at some point, possibly in litigation. The response plan should also include a procedure for notifying all persons whose data was affected.

Promptly report data security breaches

Most states require notification of persons affected by data security breaches. Many also require notification of the state attorney general. Each state’s law differs, so it is essential to engage legal counsel to ensure compliance. Similarly, federal law (HIPAA) requires notification of breaches impacting personal health information, and the FTC has urged Congress to pass legislation requiring notification of consumers affected by more general breaches.

The primary purpose of many state notification laws is to enable consumers to protect against identity theft and fraud. Thus, if the data acquired is likely to include data that will enable identity theft or fraud, such as social security numbers, account numbers, birthdates, names and addresses, then make sure your written notice is explicit and recommends steps to protect against identity theft. In certain cases, it might be prudent to offer free credit monitoring services and to recommend that affected individuals change passwords, institute credit freezes, notify credit bureaus or contact their credit card service providers. Such measures combined with a reasonable data privacy and security program may insulate your company from liability.

Contact legal counsel for information regarding various states’ notification laws that apply to your company and for guidance on drafting appropriate notifications and responding to follow-up questioning from regulatory officers, which is becoming increasingly common in response to breach notifications. You will also want to coordinate with legal counsel to position your company to best respond to the nearly inevitable barrage of class action lawsuits.

Imagine your company suffers a breach, you have notified consumers and various state attorneys general of the breach, and the attorneys general or members of the media have responded with questions. Who will answer their questions? Appoint an effective communicator to respond to regulatory and media inquiries regarding the breach. Consider whether it makes sense to retain a public relations firm to handle media inquiries, which should only be done under the direction of legal counsel. And keep in mind that anything you say can and will be used against you by class action plaintiffs’ attorneys.

Document your company’s data privacy and security program

The best defense to a class action lawsuit sparked by a data breach is a well-articulated, well-reasoned and fully implemented data privacy and security program that outlines all policies and procedures impacting data privacy and security. When drafting the program, keep in mind its purpose: to educate regulators, rebuff plaintiffs’ attorneys and inform other third parties about the extensive efforts your company undertook to craft a robust data privacy and security program. Not only is sensitive data at risk, but so too is your company’s reputation for taking seriously its obligation to protect sensitive data. Be sure to involve legal counsel in drafting the program to ensure it complies with the patchwork of laws in the United States and any other country where your company does business. Once the program is in place, revisit it periodically to make sure it remains current in light of changes within your company and evolving data security risks.

Your written data privacy and security program should contain the elements described in this three-article series, as applicable to your organization, including:

  • Catalog of the types of data collected, used and retained
  • Data flowchart explaining how data is obtained, where it is stored, and how it is used
  • Description of disposal practices
  • Catalog of devices containing sensitive data, along with risk assessments
  • Data retention policy as modified by any litigation holds in place
  • Description of security measures employed
  • Employee training program and rules regarding employee access to data
  • Security monitoring plan
  • Breach response plan
  • Breach notification plan

Keep good records of your analysis and program implementation

Anyone who follows the news knows that data breaches are common. Based on information it receives in breach notifications, the California attorney general publishes an annual report regarding cybersecurity breaches. The most recent report reveals that 131 data breaches were reported to the California attorney general in 2012, 26 percent of which took place in the retail sector and 23 percent in finance and insurance. Fifty-five percent of the breaches involved intentional acts by outsiders or unauthorized insiders; 45 percent were due to a lack of appropriate security measures. Companies with troves of sensitive data should consider acquiring insurance that covers data security breaches.

In the event a breach occurs and litigation ensues, you will want to be able to defend the measures taken to protect sensitive data, because regulators are becoming increasingly active in investigating breaches and analyzing whether security practices were inadequate. This means it is essential to keep good records of your team’s analyses and decision making regarding data privacy and security. Can you defend your company’s data privacy and security program as representing best practices in your industry? Do documents exist showing that your team engaged in thorough and reasoned analysis when putting together your program?

Imagine your company has been sued because of a massive data breach, and your chief privacy officer is being questioned by regulators or deposed by plaintiffs’ attorneys. If you do not have a chief privacy officer, then who would be the person most knowledgeable to defend your data security practices? Imagine that person being asked: How did the breach occur? What steps did you take to prevent such a breach? Do you have a data privacy and security program? What did you do to conduct a risk assessment regarding your data security processes? When you implemented data security procedures, what elements did you choose to implement and what did you choose not to implement? How did you make those decisions? Why did you collect social security numbers? Did you test whether your procedures worked? Did you revise them over time to adapt to new threats? Did you monitor your data security? How frequently? When was the last time you tested it? Did you train employees regarding your data privacy policy and procedures? Your data privacy and security team needs to be capable of addressing these and myriad other questions concerning your program.

Most experts recognize that data security is complex, evolving and impossible to perfect in a dynamic business environment. The key to minimizing risk of loss and liability due to a data breach is to be able to show others that your company took the matter seriously and implemented best practices available in light of your company’s resources and the level of risk it faces. Mere adoption of an uncritical cookie-cutter approach borrowed from another company with a different risk and resource profile will not cut it.