Data Breach 411: Are You Prepared?

March 30, 2015 – In The News
Inside Counsel

"Reprinted with permission from the March 30 issue of Inside Counsel. (c) 2015 Summit Professional Networks. Further duplication without permission is prohibited. All rights reserved."

Scott Vernick, a partner with Fox Rothschild, is a panelist on the “Data breach 411” panel at Inside Counsel’s 15th Annual SuperConference, held May 11-13 in Chicago. Ahead of the panel, Inside Counsel caught up with Vernick to discuss the current state of cyber-attacks, building a data privacy plan from scratch, and more.

Inside Counsel: It seems that every other day we’re hearing about another major cyber-attack. Are data breaches truly becoming more prevalent, and if so, what about the current marketplace is making companies so vulnerable to attack?

Scott Vernick: Data breaches have plagued companies for years, and no U.S. sector is beyond the reach of cyber-attacks. In 2014 alone, breaches hit household names hard: Target, Home Depot, Community Health Systems, the U.S. Postal Service and, of course, Sony. 2015 may be the year of the health care data breach—see Anthem and Premera. These days, there are two types of companies—those that have been hacked and those that don’t know that they’ve been hacked. The accumulation of vast amounts of potentially valuable data, aggressive and inventive cybercriminals and an inattention to data security have combined to create a ripe environment for attacks.

IC: Most companies have a data privacy plan these days, but for companies starting on the ground floor, where’s the best place to begin?

SV: A comprehensive data security audit is a must. For in-house counsel, whether your business is large or small, this means knowing what data you collect, who has access to it and how long it’s kept. As a next step, businesses should develop and implement outward-facing and internal privacy policies that address, among other considerations, the collection, access, storage, transfer and disposal of proprietary, confidential and otherwise sensitive data. These policies should reflect current federal and state regulations, along with applicable regulations in other countries. Further, every company should develop an incident response plan to address cyber-attacks, which includes an interdisciplinary first response team to implement the plan.

IC: If you’re a GC, who’s a part of your data privacy team? Who are the people you want to have available to turn to both before and after something goes wrong?

SV: Data privacy and breach response plans used to be relegated to the IT department. A big “take-away” from recent cyber-attacks is the need for collaborative teams that include information technology (particularly information security), relevant business heads, compliance, human resources and public/investor relations. Outside legal counsel can be instrumental in developing a strategy for breach notification, regulatory investigations and litigation.

IC: What’s one key element of a data privacy plan that many in-house counsel seem to forget?

SV: A data privacy policy is not the same as a breach response plan—and post-breach is a critical time for a company’s reputation. Potential “fall-out” needs to be addressed comprehensively and thoughtfully using what I call “managed transparency.” Be upfront with regulators, consumers, employees and shareholders, and do that in a timely way, not months after a breach. The recent launch of information-sharing platforms that enable companies to cross-share cyber-crime information complicates the planning process. Companies need to address use of these platforms in privacy plans before employees participate or post. Sharing the wrong information could violate federal, state or industry regulations. Even worse, the information-sharing platforms could be targeted by cybercriminals, resulting in the exposure of privileged company information.

IC: Some in-house counsel are still slow to get on the data privacy bandwagon, seeing it as an IT issue or something that isn’t worth the time. What would be your argument to a GC that he/she should take a hands-on approach with data privacy?

SV: My response to any GC with that belief would be to show him or her a letter from a state attorney general—or, as in some cases, the attorneys general of multiple states—mandating responses to detailed questions as a result of a data breach. I would tell the GC that not knowing whether my company’s data is secure—whether firewalls are working or if there have been small-scale hackings—would keep me awake at night. I’d say that, based on my experience, a company’s monthly IT security assessment is, next to its financial report, the most critical piece of information a GC can have. And then I’d ask whether they are ready to respond to that letter, whether they know how secure their data is and if they read their company’s last data security assessment.
