Data breaches are now so commonplace that many consumers are experiencing ‘data breach fatigue’ – a phrase used to describe the increasing ambivalence consumers feel towards data breaches. But while breaches are more common, it doesn’t make the legal risk they pose to US businesses any less relevant.
In this post, we’ll outline 5 tips for businesses looking to reduce the legal risk of a data breach.
Tip 1: Know and understand that human error causes a staggering number of data breaches.
Human error presents a very real risk to your business. In fact, around 85% of data breaches are caused by human error. Common human errors that result in data breaches include:
- clicking on suspicious links and emails,
- failing to secure servers or update software,
- using unreliable networks,
- losing a work device,
- sending an email to the wrong recipient, and
- poor password hygiene.
The risk human error poses to an organization can be reduced through privacy and cybersecurity training and robust privacy processes and policies. Businesses looking to reduce the risk of a breach caused by human error should introduce training for employees and independent contractors; this both minimizes the chance of a breach and mitigates the legal risk that would follow a breach resulting from organizational human error.
Tip 2: Data minimization remains a key strategy for limiting legal risk stemming from data breaches.
Data minimization comes in many forms but it essentially means that your business should collect, store, access, and use only the data you need for your operations. Avoid collecting or keeping data “just in case” you might have a use for it in the future. Remember, the less data you have, the less data that’s at risk following a data breach. Reducing the amount of data you collect and store can also reduce the amount you prudently need to spend on cyber security, as well as the potential costs of data breach notifications and/or regulator penalties.
Tip 3: Take steps to reduce the risk posed by sharing data with third parties.
Cyber risk is dynamic, with new threats emerging continuously. Your business should implement practices and policies to manage that risk. This should include internal mechanisms to protect the data, such as access control, de-identification, and data minimization. External mechanisms should also be implemented via your third-party vendor contracts.
Your third-party vendor contracts should lay out your expectations with respect to how you want your data used and protected. Specifically, you can include the following protections:
- Make maintenance of particular security standards a key provision in your contract, where failure to maintain those standards constitutes a breach of contract.
- Require that the vendor indemnify you in the event they experience a breach. This will minimize the financial repercussions of a breach, but won’t mitigate harm to your reputation.
- Embed requirements for routine audits in your contracts.
For more information about privacy and third-party vendors, read our earlier blog post.
Tip 4: Know and understand your data breach notification obligations.
Data breach notification laws in the US vary from state to state, but all states, Washington, DC, and most US territories have data breach notification laws in place. This highlights just how complex your data breach notification obligations are, since you need to comply with the relevant laws in each jurisdiction where affected individuals reside.
California’s regulations require businesses and state agencies to notify any California resident whose unencrypted personal information is acquired or reasonably believed to have been acquired by an unauthorized person. See more about California data breach notification reporting here.
To reduce your risk stemming from a data breach, it’s best to proactively prepare for a data breach and to have a data breach notification plan in place before a breach occurs. This ensures you have the information you need available to meet your varying notification obligations.
Tip 5: Consider a proactive disclosure strategy for data breaches.
A 2021 Kaspersky report revealed that enterprises which provided proactive disclosure generally suffered 28% less financial damage than if data subjects heard about the breach via the media. The cost for SMEs was 40% less where proactive disclosure occurred.
While you’ll need to consider your legal obligations and potential legal liability before engaging in proactive disclosure (it’s best to seek advice from an attorney before proactively disclosing any data breach), doing so can minimize the damage to your company’s reputation and may reduce the risk stemming from FTC enforcement. We saw the legal risk of concealing a data breach play out recently in the FTC enforcement action against CafePress. The company failed to notify data subjects, opting instead to conceal the breach and ‘trick’ them by asking them to update their passwords as part of a supposed update to its password policy. (Read more here).
If you need help managing your privacy, cybersecurity, or data breach notification obligations, reach out. Our privacy attorneys would love to assist you.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.