In our connected world, the internet is an essential tool for doing business, but it is also a major source of risk. It is often not a matter of whether your data will be compromised, but when and how much. Good data protection policies and practices can help your business minimize risk and exposure to a data breach. However, it is also important to know what to do if your company does experience a data breach, including any legal requirements imposed on your company.
What is a Data Breach?
A data or security breach is unauthorized access to computer data, programs, devices, or networks that compromises the security and confidentiality of personal information maintained by a business. Breaches happen in many ways, including interception of unencrypted customer data in transit, loss or theft of equipment that holds data, and unauthorized access to a network through an unpatched software vulnerability or a weak or reused password.
How to Protect Against a Data Breach
The best way to protect against a data breach is to implement adequate data security policies and practices. This includes:
- Strong Passwords. Weak and reused passwords are among the most commonly exploited weaknesses. A password does not necessarily need special characters or numbers; what matters is how many possibilities an attacker has to try. A 20- to 30-character passphrase made of several words chosen at random from a large word list can be stronger than an 8-character password using numbers and special characters. The strength comes from the random selection: a memorable line from a song or book, or a dictionary word with "1!" appended, is not random and appears in every cracking wordlist. Another safeguard is using a different password for every login, so that a password stolen in one site's breach cannot be replayed against your other accounts. Secure password managers, such as LastPass and 1Password, generate and store a unique random password for each login.
- Security Policies. Your business should implement data security policies and make sure all employees are adhering to them.
- Know Consumer Data Collected. Know what consumer data you collect, how it is collected, and how it is used, transferred, or stored. This information can also be used to create a consumer privacy policy to comply with laws such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
- Minimize Collection. Only collect the consumer personal information you need to conduct business and do not keep it longer than necessary.
- Restrict Access. Restricting which employees, systems, and service accounts can reach sensitive information limits both the number of ways in and the amount of data a single compromised account can expose. Grant access on a need-to-know basis and remove it when a role changes or an employee leaves.
- Insurance. If your business does a lot online, a data breach or cybersecurity breach insurance policy may be worth investing in. It can help your business cover the costs to address a data breach if it occurs.
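As an added example (not part of the original article), the following Python script quantifies the Strong Passwords point above: it computes the attacker's search space in bits for an 8-character random password versus passphrases of words drawn at random from a large word list, and generates such a passphrase with a cryptographically secure source. The 7776-word list size is the size of the EFF long diceware list; the twelve-word sample list is constructed here so the script runs offline and is not a real word list.

```python
import math
import secrets

# Size of the word list the entropy figures assume. 7776 is the size of the
# EFF long diceware list; a real deployment loads that file, this example only
# needs the count.
WORDLIST_SIZE = 7776

# Printable ASCII (0x20-0x7E): the alphabet a password manager draws from when
# it generates a random character password.
PRINTABLE_ASCII = 95

# Constructed sample word list so the generator runs offline. Twelve words is
# far too small to be secure; it stands in for the full 7776-word list.
SAMPLE_WORDS = [
    "anchor", "bridge", "copper", "desert", "ember", "falcon",
    "garnet", "harbor", "island", "juniper", "kettle", "lantern",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols each chosen uniformly at random
    from `alphabet_size` possibilities, i.e. log2(alphabet_size ** length).

    This is the attacker's search space. It only holds when every symbol is
    chosen at random; a human-picked phrase has far fewer possibilities.
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 and a positive length")
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Smallest number of random words from a list of `wordlist_size` words
    that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words: list[str], count: int, sep: str = "-") -> str:
    """Pick `count` words uniformly at random using the `secrets` module.

    `random.choice` is seeded from predictable state and must not be used for
    passwords; `secrets.choice` uses the operating system's CSPRNG.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_schemes() -> dict:
    """Compare an 8-character random ASCII password with 4-, 5- and 6-word
    random passphrases, in bits of entropy."""
    ascii8 = entropy_bits(PRINTABLE_ASCII, 8)
    phrases = {n: entropy_bits(WORDLIST_SIZE, n) for n in (4, 5, 6)}
    return {
        "ascii_8_chars_bits": round(ascii8, 2),
        "passphrase_bits": {n: round(b, 2) for n, b in phrases.items()},
        "words_to_match_ascii_8": words_needed(ascii8),
        "five_words_stronger_than_ascii_8": phrases[5] > ascii8,
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
    # Only ~18 bits with the 12-word sample list; use the full list in practice.
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 5))
```

Four random words from a 7776-word list (about 51.7 bits) land just below a random 8-character printable-ASCII password (about 52.6 bits); five words (about 64.6 bits) clearly exceed it, which is the sense in which the article's "can be stronger" holds. The entropy functions are computed from the list size, not from the small constructed sample, which exists only so the generator runs.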
For more information on ways to help your business prevent a data security breach, the FTC has a useful guide.
What to do When a Data Breach Happens
No software is 100% vulnerability-free, and even the best plans can go awry. While prevention is the best way to avoid unnecessary damages, it is also important to know what to do if a breach has occurred. Breach mitigation and response can include:
- Devising a Plan. Sit down with your breach response team to develop a response plan based upon your business structure and the nature of the breach.
- Forensics Team. Gather a forensics team to determine how the breach occurred and the extent of it. If you don't have someone on staff, you can hire an independent forensic investigator. A forensic investigator will help collect and analyze the evidence as well as outline remediation steps. Preserve evidence (logs, disk images, affected accounts) before changing anything, since remediation can destroy the record of what happened.
- Fix Vulnerabilities and Secure the System. Time is of the essence. Once you know how the breach occurred, close that entry point so no more data is compromised, and assume the attacker may have collected credentials or set up other access: reset affected passwords and keys and verify the system is clean rather than only patching the original hole.
- Consult with Legal Counsel. There is a web of federal and state laws that a breach may implicate. Legal counsel can help your business navigate these laws.
- Notifying Consumers. State and federal law may require you to notify affected individuals and regulators within a fixed time; see the notification requirements below.
Notification Requirements
Most states have enacted legislation that requires a business to notify an individual whose personal information was involved in a breach. In Washington, a person or company conducting business in Washington must disclose any data security breach in which a Washington resident's personal information was exposed or is reasonably believed to have been exposed. This notification must be made "in the most expedient time possible," but not more than 45 days after the breach was discovered. If a single breach affects more than 500 Washington residents, a sample copy of the security breach notification, excluding any personally identifiable information, must also be submitted to the Washington State Attorney General.
Enlisting Help
You are not alone – Speak with our corporate counsel attorneys to discuss your business’ security and data protection policies. Contact us at 425-250-0205 or contact@equinoxbusinesslaw.com.
Legal Disclaimer: This article contains general information. Do not view this article as legal advice. Talk with counsel familiar with your unique business needs before taking or refraining from any action.