The news regularly reports on data breaches and cybersecurity. While we read about the biggest breaches – Home Depot, Target, Anthem, JP Morgan, Wyndham – probably every business has been hacked and will be hacked again. According to a 2015 IBM study, the average cost of the 350 major data breaches it studied in 2014 was $3.8 million. This is an issue that demands everyone’s attention.
This article is a business and legal primer to advise on how to protect against, and respond to, cybertheft. It’s neither legal advice nor a detailed how-to manual. Rather, it’s a guide for developing a data privacy protection and cybersecurity plan appropriate to any business.
The simple message is this:
- Develop a team composed of your specialists in computer and information technology (IT), insurance, risk management, law, and public relations. (In a small business, the owner may wear most of these hats.)
- Develop a written plan to:
  - protect your company and the private information of your customers and employees;
  - respond to a breach; and
  - restore your system.
- Implement the plan company-wide — real implementation, not lip service.
At Shumaker, we have experts in this area, and we’re glad to help you develop and implement a policy appropriate to your business, and to do so with the maximum protection of confidentiality under the attorney-client privilege.
In our discussion below, we’ve italicized some words commonly used in discussing cybersecurity issues to help familiarize you with them. And we’ve added footnotes for further reading on standards and legislation we discuss.
1. Who does this apply to?
Government data privacy protection laws apply to any business that has employees or customers. The regulations relate to protecting your employees’ private data, primarily health and financial (known as personally identifiable information or “PII”), and remediating any harm to the employees or customers stemming from a breach of the system.
Another policy applies if your business is part of the nation’s critical infrastructure (for example, energy, transportation, chemicals, manufacturing, and defense). As a matter of national security, the federal government wants to make sure that these businesses continue to function and are protected from attack and data piracy.
Beyond these legal requirements, your business needs to protect its operations and goodwill against malicious hacking or ransomware that aims to crash your system, steal your proprietary data, and destroy your goodwill.
Follow the link to read more of “Data Privacy Protection and Cybersecurity: A Business and Legal Primer,” authored by partner Peter Silverman, associate Matthew Spaulding and partner Douglas Cherry of Shumaker, Loop & Kendrick, LLP.