Today, we are all Kate Upton. There will come a time when your company's sensitive data is hacked. The best thing to do is to be prepared when it happens and to be able to explain all the measures you took to prevent it from happening in the first place.

In the wake of a massive data breach at a major big box retailer discovered last month, lawmakers proclaimed: "We are concerned that the retailer's procedures for detecting and stopping operations to steal customer data are inadequate and we call on the [Federal Trade] Commission to investigate whether [its] security procedures meet a reasonable standard." Unfortunately, those businesses that are most susceptible to data breaches – big box retailers, banks, health care companies/providers and hotels – are left wondering what a "reasonable standard" actually is. We are also left to wonder whether the "reasonable standard" applies equally to the prevention of a cyber-attack on the one hand and to the identification of and response to a cyber-attack on the other.

In the absence of time-tested federal and state regulations on cyber-security, most companies are flying blind. A recent Deloitte Touche analysis found that fewer than half of survey respondents had a response plan in place to address a cyber-security breach. As previously discussed on this blog, a growing number of companies are turning to cyber-insurance. Unfortunately, the existence of cyber-insurance does not absolve a company of its obligation to protect its customers' data, and insurers have already begun litigating to invalidate policies because of policyholders' poor security practices.

In the real world, there is no such thing as perfect cyber-security protection. Ultimately, the best protection for a company is to implement measurable and consistent steps that make a breach less likely and to have a plan in place to deal with a breach when it occurs. This would likely include formal (and regular) cyber-security training, strong control mechanisms over mobile devices, intrusion prevention and detection software, and encryption technology on devices where possible. It should also include hiring an external IT security consultant and (of course) an attorney to review these procedures and assist in their implementation.