There are three principal statutes available to California businesses to remediate breaches of data security: the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq., the California Comprehensive Computer Data Access and Fraud Act, Cal. Pen. Code § 502, and the federal Stored Communications Act, 18 U.S.C. § 2701 et seq. For Nossaman LLP’s primer on these statutes see here. Preventing a data breach is obviously preferable to litigating a remedy after one. Below is a list of best practices to protect the security of your data:
- Conduct an annual security assessment using either a third-party consultant or in-house expertise, and establish and implement a written security plan and policy based on its findings.
- Audit third-party vendors where feasible, particularly those that provide in-house services such as filing, copying, mailing and production services, since they handle your data on your premises.
- Ensure that employee passwords are strong (long, unique to each system, and not found in lists of known-breached passwords) and change them promptly whenever exposure is suspected. Routine forced rotation on its own tends to produce predictable variations of the old password, so pair any rotation policy with breached-password screening rather than relying on complexity rules alone.
- For remote access to computer systems, require two-factor (or at least two-step) authentication. Two-factor authentication checks the identity of someone trying to access services on your network and systems using two independent factors of different kinds: something you know (a password or PIN), something you have (a card, phone or hardware token), or something you are (a fingerprint). An example is use of (a) an ATM card (something you have) and (b) a PIN (something you know) to access one’s bank account at an automated teller machine. Another example is requiring a user ID and password and then a single-use code generated by, or sent to, another device such as the user’s mobile phone or tablet. Codes delivered by SMS are the weakest form of this, because a phone number can be transferred to an attacker; an authenticator app or a hardware security key is preferable.
- Use encryption for data at rest and data in transit. Encryption at rest protects stored data if a computer or disk is lost or stolen; encryption in transit lets client-server applications communicate across a network in a way designed to prevent eavesdropping and tampering, provided the client verifies the server’s certificate. Examples include encrypting your computers’ hard drives (full-disk encryption), requiring Transport Layer Security (TLS) for email delivery, and using a TLS-based VPN when connecting remotely to your network. The older “Secure Sockets Layer” (SSL) protocols are obsolete and should be disabled in favor of TLS 1.2 or later.
- Ensure that your software is up to date: apply security patches promptly to operating systems, applications, firmware and third-party libraries, and retire software that no longer receives updates.
- Have a clearly defined policy in an employee manual regarding confidentiality and use of company information both electronic and otherwise.
- Have employees execute confidentiality agreements at the time of hire.
- Immediately disable the logins, passwords, remote-access credentials and multi-factor devices of separated employees, and rotate any shared passwords they knew.
- Clearly identify trade secret information and limit access to it.
- Formalize agreements in writing with outside technical consultants making it clear that (a) the business owns any software developed, including written materials, (b) the consultant’s access to electronic systems may be terminated at any time and (c) the consultant shall not lock the business out of access to its computer system.
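As an added illustration of the two-stage login described in the authentication item above (this is example code written for this page, not Nossaman’s or any vendor’s product), the following Python implements the second factor as a time-based one-time password (TOTP, RFC 6238) and checks it together with a salted password hash. The user record, salt and password are constructed for the example; the TOTP secret is the RFC 4226/6238 test key so the codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values. The TOTP secret is the RFC 4226 / RFC 6238 test key,
# chosen so the codes can be checked against the published test vectors; a real
# deployment generates it with os.urandom() and shows it once as a QR code.
DEMO_TOTP_SECRET = b"12345678901234567890"
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # fixed only for reproducibility


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to the requested digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current 30-second step or one step either side,
    to tolerate clock skew between the server and the user's phone."""
    counter = at_time // step
    matched = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        expected = hotp(secret, counter + delta).encode()
        # compare_digest keeps each comparison constant-time; OR-ing instead of
        # returning early keeps the loop length independent of which step matched
        matched |= hmac.compare_digest(expected, code.encode())
    return matched


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the stored password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record as a server would store it: no plaintext password,
# and the TOTP secret kept server-side alongside the hash.
DEMO_USER = {
    "username": "jdoe",
    "salt": DEMO_SALT,
    "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
    "totp_secret": DEMO_TOTP_SECRET,
}


def login(user: dict, password: str, code: str, at_time=None) -> bool:
    """Stage 1 is something you know (the password), stage 2 something you have
    (the phone holding the TOTP secret). Both are evaluated and the result is a
    single yes/no, so a failed attempt does not reveal which factor was wrong."""
    if at_time is None:
        at_time = int(time.time())
    password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    current = totp(DEMO_TOTP_SECRET, now)
    print("current code for demo user:", current)
    print("login ok:", login(DEMO_USER, "correct horse battery staple", current, now))
```

The one-step window is the usual compromise between clock drift and replay exposure; a production server should additionally refuse to accept the same code twice within its validity period and rate-limit failed attempts, since a six-digit code is only a million guesses.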
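The encryption item above notes that TLS only prevents eavesdropping and tampering if the client actually verifies whom it is talking to. As an added example (written for this page, not taken from the original post), the following Python shows the weak client configuration commonly pasted in to silence certificate errors beside a hardened one, and a small audit function that flags the difference. The hardened context is what you would pass as `context=` to `smtplib.SMTP.starttls()` when sending mail; the host names in any such call are placeholders of your own.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The configuration that 'makes the certificate error go away'. With no
    peer verification any on-path attacker can present their own certificate,
    so the traffic is encrypted, but possibly to the attacker rather than the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server's certificate chain against the system trust store,
    check that it matches the hostname, and refuse SSLv3 / TLS 1.0 / TLS 1.1."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLS1_2
    ctx.options |= ssl.OP_NO_COMPRESSION      # TLS compression leaks plaintext (CRIME)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """The properties a reviewer checks before letting a client context ship."""
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "tls12_or_newer": ctx.minimum_version >= ssl.TLSVersion.TLS1_2,
    }


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """True only when every audited property holds."""
    return all(audit_context(ctx).values())


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        verdict = "acceptable" if context_is_acceptable(ctx) else "REJECT"
        print(name, audit_context(ctx), verdict)
```

The same three properties apply to a VPN client or any other "SSL" connection: if peer verification or hostname checking is off, the encryption protects against passive listening only, not against an attacker who can sit in the path.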
If you experience a data breach despite taking these preventive measures, you should then consider whether you might pursue your remedies under the foregoing acts.