10 Steps to Mitigate A Data Breach Before It Happens

But guess what? No matter how far ahead (or behind) your company may be, everyone faces the same bottom-line concerns and negative PR risks. Because even though your company may be “prepared” for the inevitable breach, the media will still run with the headline that “[insert your company name] Suffered a Breach!” It creates buzz, which means it's good news for the press - but not for your company.

While we know a breach may be inevitable, there are ways to mitigate the fallout. Found below are steps a company can take now, before a hack or breach. These 10 action items will prepare your company, help curb the damage – whether it is “real” or “advertised” – and put you in a position to not only respond, but have the right answers when a regulator calls:

1. Governance: There should be formal oversight of data practices. Specifically, your company should have people in place and procedures in place related to the collection, use, storage, and security of data, as well as individuals responsible for oversight.
2. Data Inventory: Your company should conduct an inventory of the type of data that is collected, how it is used, for how long it is stored, and with whom it is shared. Note that sensitive data raises additional concerns. Your company should highlight any collected data that is more sensitive in nature, such as credit card numbers, Social Security numbers, information from children under the age of 13, health information or drivers license numbers, and ensure that such data is managed in accordance with applicable laws both in the US and abroad. Payment card data must also be managed in accordance with the Payment Card Industry Data Security Standards (PCI DSS). We note that sensitive data is the most high risk form of data. 
3. Develop Policies: Your company should have an external privacy policy describing your company’s data practices and tailored to specific data practices. All individuals within your organization should be aware of the policy. The policy must consider all that your company learned during the “Data Inventory” that was conducted during Step 2. Further, in developing the policy, you must consider what technologies—including mobile, desktop, cloud, and other technologies are at use within your company—and ensure the internal policy and public-facing notice addresses these platforms. You also must consider to what countries your company may send the data and whether that country has any different requirements with respect to that data. Your company should also have an internal policy for employees. For example, Massachusetts law, in particular, requires companies that collect personal information from Massachusetts residents to have a policy (referred to as a “WISP”) that essentially provides an outline of the following: what information is collected, for what purpose it is collected, how the information is protected, and for how long it will be stored by your organization. California has a similar requirement. Our earlier alert addressing the WISP may be found here.
4. Notice: In addition, you must provide clear notice to customers and end users about what data is collected, how it may be used and shared, and for how long you may maintain it. Depending on the technology used and the nature of the use of the data, you may need a pop-up notification at the time the data is collected. 
5. Security: You should ensure that your company has the appropriate administrative, technical, and physical security measures for protecting data. For example, administrative safeguards include individual responsibilities and rules regarding access to data, technical safeguards involve firewalls and other measures to protect data, and physical safeguards include maintaining data in locked storage facilities.
6. Training: All employees should undergo data security training to ensure that they understand your company’s internal privacy policies, and their responsibilities as it relates to information with which they come into contact.
7. Contracts: All contracts should ensure that vendors and third-parties have adequate responsibility for data that they receive, including compliance with any applicable privacy policy and Safe Harbor policy. Requiring vendors to take reasonable precautions with data is also a legal requirement.
8. Record Retention and Destruction Program: Consumer information should be maintained only for as long as it is needed for the purpose for which it was collected and no longer than indicated to the consumer. Therefore, your company should have procedures for maintaining such data and for adequately destroying it, including a timeline for when such activities should take place.
9. Privacy Audits/Vulnerability Testing: Businesses should periodically audit all data collection portals and systems to determine where there are weaknesses in a data security program. Vendors are available to assist with “stress testing” virtual security systems and with providing systems for remote erasure of laptops and mobile devices.
10. Breach Action Plan: Companies should develop a plan for data breaches. The plan should include a step-by-step guide detailing who (role/position vs. named individual) is responsible for what steps and should detail the steps to be taken in the event of the unauthorized access to or release of personal information or other information deemed confidential within the company.

This roadmap should assist any company that is wrangling with the beast of managing their data. 

For questions or assistance in any of these areas, please contact the authors.