While personal information and likely sensitive data have become a common asset of nearly any business, data security is still not a hot topic on the IT roadmap. Even global players in e-commerce have failed in the past to secure their data against third-party access.
Several jurisdictions have specific regulations dealing with the prevention of, and the proceedings following, a loss of such data, commonly referred to as a data breach. In addition, contractual obligations concerning non-disclosure and data security measures are increasingly boilerplate in tech contracts.
That said, a data breach is not only a communication challenge with your customers and contractors, but also a legal risk jeopardizing your firm’s compliance and triggering potential fines. As a consequence, companies should take appropriate measures to be prepared for a data breach, minimizing the negative impact on their business. In a follow-up post I will describe what to do once a data breach has happened.
An appropriate compliance framework requires three different work streams, covering the following items:
1. The obvious one: Technical and organizational measures
- Ensure that your staff is well trained and has an appropriate headcount.
- Are your systems up to date? Consider cloud services from major providers if you can’t afford a state-of-the-art insourced solution.
- Every day the bad guys get more familiar with your security measures. Keep your standards high and stress-test your systems regularly to ensure they have not been compromised. Audits can be performed by your own staff or by specialized service providers.
- Appoint a person responsible for the security of your IT environment.
- Keep your internal IT policies updated. You have none? Guess what…
- Ensure access to your systems is restricted, for external and internal users alike.
- Introduce a proper reporting line with tight deadlines.
- Listen to your tech people!
2. Communication processes
- As with your technical policies and reporting lines, make sure your paperwork is done.
- In addition, draft a playbook for the relevant people (e.g. customer care) in case of an alleged or actual data breach. They have to know what to say and to whom.
- Stay alert: sometimes a data breach is reported by customers or contractors, and sometimes you have to read between the lines, e.g. customers complain that they receive spam from you although you have not sent out anything.
3. The legal thing
- Which law applies to your company?
- Are there specific regulations concerning data breaches? If you deal with sensitive data, this is highly likely.
- Keep an eye on the statutory deadlines for reporting data breaches.
- Not every breach must be reported; this usually depends on the amount and category of data affected.
- Prepare templates for reporting to the authorities.
- Check your contracts: which of them include data breach clauses with specific obligations?
- If not already done, get a contract management tool allowing you to track the data breach obligations.
- Shape your templates and include proper language on liability, indemnification, technical and organizational measures etc.
- Check whether your company’s insurance policy covers data breaches.
As you may recognize, the above list is neither complete nor final. Depending on the size of your company and your business model, you may prefer a slightly different focus.