There is no doubt that electronic data breaches are a hot topic. The recent breach of Morgan Stanley’s customer data is a prime example and chilling reminder that businesses, no matter the amount of security measures, are at risk of an electronic data breach. Indeed, as nearly every state has passed its own set of unique electronic data breach laws, electronic data breaches are becoming a much larger liability concern for companies, in terms of both financial and reputational harm.
In 2014, Kentucky passed KRS 365.732 and joined 46 other states in quantifying and qualifying what constitutes a data breach and the obligations that arise from a breach. Like most states, Kentucky’s law does not include breaches of financial or health information which are covered under federal law in the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.
Because of this increased liability, businesses should be proactive in trying to manage risk in the event a data breach occurs.
Is My Company at Risk for an Electronic Data Breach?
While the news has focused on large electronic data breaches of major retailers, electronic data breaches of a smaller scale are much more common. Even more problematic may be the reputational loss of consumer trust and confidence resulting from an electronic data breach. Any business or organization that electronically collects and/or stores personal information is susceptible to a breach. Consider the following five questions:
- Do you have customers’ or potential customers’ information stored electronically?
- Do you store or transmit electronic files with customers’ information?
- Do you have client information stored on a cloud or with a third party vendor?
- Do you process credit card transactions?
- Do you have wireless networks in your office?
If you answered yes to the first question, you are at risk of an electronic data breach. Answering yes to any of the questions that follow greatly increase your risk for a data breach.
What is a Data Breach?
In general, a data breach occurs when there is an unauthorized disclosure of personal information. There is no model rule for what constitutes a breach of someone’s personal information and each state can define what constitutes personal information.
In Kentucky, personal information is defined as a person’s name coupled with a social security number, driver’s license number, or credit/debit card or account number and passcode. However, some states define personal information much more broadly. For example, Texas defines personal information as any “sensitive” information.
A data breach is commonly thought of in context of computer hacking, however, data breaches can occur in a number of more innocuous ways. In fact, most statutes are defined so broadly that a data breach occurs if an employee loses his/her cellphone containing personal information of a customer. As such, most companies today, no matter size, are at risk.
Decreasing Your Company’s Electronic Data Breach Liability
Planning for and proactively adopting preventative measures in the event of an electronic data breach is the most important thing you can do to protect against potential liability. Being prepared can save you time, likely a significant amount of money, and any reputational harm associated with the data breach.
Most state laws require actual damages to bring a claim for a breach of data. Not surprisingly, in reviewing cases in which customers brought a claim for a breach of data, damages were less or non-existent when companies reacted and notified their customers quickly of the breach. (See generally Giordano v. Wachovia Sec., 2006 U.S. Dist. LEXIS 52266, Civ. No. 06-476JBS, 2006 WL 2177036 (D.N.J. July 31, 2006); Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006).
4 Tips for Reducing Liability Risk
While the type and amount of data a company collects or has access to will lead to varying plans, the following are some general tips that all businesses should know:
#1: Know what type of information is electronically stored. If a breach occurs, the information compromised may not be considered “personal information” under certain state laws. In addition, many state laws do not require action or impose liability if data is compromised that is encrypted. Further, take a hard look at the personal information you are collecting and determine whether such information is necessary to serve and know your customer. If the answer is no, not collecting that data would reduce your liability, as well as save valuable server or cloud space.
#2: Know where that information is stored. Most businesses use “clouds” to store their data on a remote server. Clouds offer different types of data storage, services and security levels. Many cloud vendors actually rely on subcontractors to hold their customers’ information. In many cases, these subcontractors are located overseas making any attempt to seek indemnification for a breach very difficult and expensive.
#3: Be ready to react. Have your notification template in place to communicate and know who is making that communication if a data breach occurs. Figuring out what should be done and communicated and who should lead this charge should occur before a breach occurs. Not having a plan of action will delay a reaction and likely lead to increased liability and reputational harm.
#4: Test your systems and your plan. A data breach does not have to mean that you breached the duty of care to your customers. Showing that you are using the best in class systems to prevent a breach and that you test your systems for a breach in a consistent manner, will assist in showing that you are meeting your duty of care owed to your customers.
Not only will the steps above help in limiting any liability your company may face if a data breach occurs, but it will also likely allow you to identify potential gaps in your data security, therefore, preventing a breach from occurring. Data breaches are inevitable these days, which is why having a well-defined incident response plan and team in place is important.
If you do believe customer data has been compromised, you should contact an attorney immediately to help you understand what duties you may have to notify and further protect your customers’ information. As stated above, reacting quickly can help reduce any liability that may be caused by the breach.