The golden days when information was held only in hard-copy format, and in secure file rooms, are well and truly over. In those times, data breaches would have been hard to come by, as deliberate breaches would have required breaking into a secure filing room – a bold and risky endeavour.
Today’s businesses, large and small alike, increasingly store most (if not all) of their company data online, either on their own servers or on third-party servers via “cloud” storage. That data will often include not only the business’s own sensitive information, such as trade secrets, but also the sensitive information of its customers.
In late 2015, the Association of Corporate Counsel released the “State of Cybersecurity Report” (Report), which was based upon the survey responses of 1,015 chief legal officers, general counsel and assistant general counsel around the world.
According to the Report, one in four respondents reported experiencing a data breach in the last two years. In the healthcare industry, 56% of respondents said they had experienced a data breach at their current or former employer. In the insurance industry, that statistic was reported to be 36% of respondents. The statistics are sobering, particularly when considering the vast amount of personal information that customers store with their industry providers, and considering that the statistic does not include the data breaches that go undiscovered.
Once sensitive information is stolen, or otherwise lost or misappropriated, it can have far-reaching and costly effects for both the businesses involved and the customers whose information has been stolen. In this regard, on a corporate level, data breaches can result in media reports, brand and reputation damage and loss of clients. On a personal level, data breaches can result in identity theft, loss of finances, and significant difficulty and time spent attempting to recover and secure personal information.
Some further key findings of the Report include:
- Employee error is the primary cause of reported breaches;
- Almost one in three in-house counsel have experienced a data breach at either their current or former employer;
- Cybersecurity insurance is on the rise, both in respect of policies being taken out and the amount of cover being provided;
- Only one in four respondents said that their company has retained a cybersecurity provider to monitor their systems;
- Only one in three respondents said that they have retained outside counsel to assist in the event of a data breach.
Waiting until a breach occurs to protect customers’ data is no longer an option. This is particularly true given that the longer you wait, or the longer a breach goes undiscovered, the more damage can be done to both your business and your customers. Businesses should, therefore, take adequate pro-active steps to ensure that:
- Employees undergo mandatory training and, if possible, are regularly tested or audited to ensure compliance with cybersecurity standards;
- Cybersecurity providers have been retained to implement appropriate safeguards around systems, and to audit and monitor them regularly;
- Cybersecurity providers are required to notify the business in the event of a data breach;
- Outside counsel is retained to assist in the event of a data breach;
- Businesses give serious consideration to taking out cybersecurity insurance to assist in the event of a breach, which could result in serious financial damage.
Whilst the above steps will not necessarily prevent a data breach from occurring, they may assist a business to react more quickly by recovering data and potentially save costs.