Author: Meaghan Zore
Are you ready for a data breach? At least 222 data breaches occurred in 2015 affecting at least 159,436,735 records, according to the Privacy Rights Clearinghouse, a California nonprofit corporation that tracks trends in data privacy. There’s little reason to believe that 2016 is going to see a downtrend in these numbers. Already this year, Time Warner Cable reported a data breach that affected 320,000 of its customers’ records.[1] Given these numbers, it’s no longer a question of “if” a system will be breached, but “when.”
January 28th is Data Privacy Day. Here are 3 steps to becoming data breach ready in 2016:
- Establish a Privacy Training and Awareness Program
When we hear of a data breach, the image of a nefarious hacker often comes to mind. However, 91 of the 222 data breaches in 2015 were caused by unintentional actions, such as misdirecting emails containing sensitive information, losing laptops or smartphones, and improperly disposing of non-electronic data. These poor data handling practices resulted in a minimum of 6,090,152 breached records. Having a world-class privacy policy is useless if your organization’s employees are unable to put the policy into practice. When employees understand your organization’s data handling expectations, including how to apply your company’s privacy policy in their day-to-day work, data breach incidents decrease.
- Conduct a Privacy Impact Assessment
A Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information is collected, used, shared, and maintained within an organization. Examples of various PIAs can be found on the Federal Trade Commission’s website. You can use a PIA to manage data risks and assess the benefit of engaging in certain data handling practices. Conducting a PIA will help you to better understand and address your company’s vulnerabilities.
- Develop a Data Breach Response Plan
A data breach response plan is a course of action intended to reduce the risk of unauthorized data access and to mitigate the damage caused if a breach does occur. At a minimum, your data breach response plan should consist of the following:
1. a point person to take charge in the event of a data breach and act as a liaison between various stakeholders and partners;
2. contact information for relevant stakeholders and third-party service providers;
3. procedures for analyzing and containing the damage caused by a suspected data breach;
4. measures to mitigate the damage done and prevent future breaches; and
5. relevant insurance and credit bureau information.
In 2015, companies incurred an average cost of $154 per breached record and were exposed to a consolidated total cost of $3.8 million per data breach.[2] Breaches are going to happen, but preparation will be key to minimizing the damage done to your organization and your clients in 2016 and beyond.
About the author: Meaghan Zore, founder and principal of Zore Law, advises entrepreneurs and emerging companies on a wide range of legal matters such as business formations, intellectual property issues, commercial agreements, and data and privacy considerations. In addition to her practice, she teaches Advanced Civil Procedure: Electronic Discovery and Information Privacy Law at Indiana University Robert H. McKinney School of Law. She may be reached at www.zorelaw.com, meaghan@zorelaw.com, or Tel: 415-347-0004.
[1] http://www.privacyrights.org/data-breach
[2] http://www-03.ibm.com/security/data-breach/
Hey Meaghan,
Thanks for the informative post. Couldn’t agree more with you! Data breaches are a regular fixture in the digital world. Businesses have to be watchful about multiple factors when safeguarding their data. Businesses have to keep an eye on and stay informed about missing or stolen laptops or storage devices, ensure confidential information is shared under strict vigil, and ensure employees are held liable for erroneous data posting.
Megan Barnett