How to minimize the risks of a data breach
Data breaches of major retail chains' computer systems often make front-page news, leaving behind customer anxiety, confusion, threats of litigation, the possibility of fines and loss of business. Most New Hampshire residents are familiar with the 2008 breach at the Hannaford Bros. supermarket chain and the theft of credit card numbers from retailer TJX Cos. disclosed in 2007. Without question, a data breach has significant potential to harm a business' finances, customer trust and reputation.

Data breaches do not only affect "big business," however. A data breach is the unauthorized release of protected information (whether electronic or hard copy) to an untrusted environment, placing personal information such as an individual's name, Social Security number, driver's license number, medical records, and financial records and account information at risk. All companies, big and small, are susceptible, and data breaches appear to be on the rise, particularly those caused by malicious attacks. Further, every business is responsible for complying with federal and state data security and privacy laws and statutory reporting obligations, including those set forth in New Hampshire law.

Especially given the rise in breaches resulting from malicious activity, it is increasingly important for all businesses to take preventive measures. All businesses should consider the following measures to minimize the risks associated with a breach:

• Create and communicate a detailed information security plan, including incident notification and response procedures, and review and update it at least annually.
• Institute and enforce a "clean desk" policy.
• Review the security practices of any third-party vendor (such as off-site storage companies and web-hosting providers) that may store or process your company's data.
• Provide annual employee training on data security.
• Restrict access to data (hard copy and electronic) that includes personal information to those employees who must have it to do their specific jobs.
• Do not retain data that includes personal information unless you are required by law to preserve it.
• Secure wireless networks with the strongest encryption the equipment supports (WPA2 or later with a strong passphrase, never WEP) and do not broadcast your company's wireless network name; note that hiding the network name is no substitute for encryption, since the name remains visible to anyone monitoring the airwaves.
• Encrypt all portable devices (laptops, removable drives, phones) that contain personal information.
• Keep security patches on all systems up to date.
• Automatically update malware protection on all systems.
• Periodically monitor and test technological safeguards to be sure they are in proper working order.
• Before disposal, destroy or permanently erase any hard copy or electronic device that contains personal information so that the data is unreadable and unrecoverable.

While these measures may reduce an organization's exposure to a data breach, a company that implements all of them may still be attacked successfully. A company that does suffer a data breach should consult an attorney with the expertise and resources to handle data breaches to determine, for instance, which law enforcement agencies, if any, should be notified, what data privacy and statutory reporting obligations apply, and whether any insurance coverage applies to the event.
In addition, the Federal Trade Commission and the Better Business Bureau maintain sections of their websites that provide helpful guidance to businesses responding to a data breach.
Courtney Q. Brooks is an associate specializing in litigation and dispute resolution and e-discovery, records and information management in Nixon Peabody’s Manchester office. John G. Roman Jr. is a director in the firm’s Information Law Group.