April 10th, 2015
Data Security: Seven Steps to Help Safeguard Your Company’s Personally Identifiable Information
A day barely passes without news of a major data breach perpetrated by outsiders who gained unauthorized access to sensitive personal information and intellectual property stored on company computers. In an age where practically every company collects and stores personal information about its consumers and employees, all businesses have to grapple with the difficult questions of how to safeguard their sensitive data, how to avoid a data breach, and how to respond to a data breach when one occurs. What's more, data breaches don't only come at the hands of foreign hackers, credit card thieves or even malicious employees. Often, it's plain old human error that results in data loss: a laptop stolen from a vehicle or backpack, an email attachment sent to the wrong recipient, a consultant losing a thumb drive or a webmaster accidentally posting sensitive material online. Below is a summary of current data breach notification laws and seven best practices to reduce your risk.
Data Breach Notification Laws
Forty-seven states (and D.C., Guam, Puerto Rico and the Virgin Islands) have enacted data breach notification laws that impose notification requirements, mandatory credit monitoring and other significant burdens on companies that lose control over data containing personally identifiable information, or "PII." The definition of PII differs by state, but generally includes a person's first name (or initial) and last name plus that person's social security number, state identification number, financial account number, medical information or other sensitive data. While data breaches that impact consumers tend to receive the most media attention, employee records are one of the largest sources of PII and the subject of many incidents. In addition, although the loss of intellectual property and proprietary company data may not trigger breach notification laws, the consequences of a breach involving valuable non-PII may be just as devastating for a company.
The Fallout From a Data Breach
The fallout from a data breach can be substantial. The Ponemon Institute's 2014 Cost of Data Breach Study put the average cost to U.S. organizations at $201 for each lost or stolen record containing sensitive information and $5.9 million per breach. Responding to a breach often requires diverting significant staff resources, hiring outside counsel to ensure compliance with state and federal laws, engaging a forensic computer expert to help contain the breach and protect against future incidents, paying outside vendors to notify affected individuals, providing credit monitoring services, and dealing with the press. Many breaches also lead to costly class action lawsuits and regulatory investigations, and a number of well-known brands have paid millions of dollars to settle regulatory complaints or court actions.
Seven Practical Steps to Prevent a Data Breach
Fortunately, there are practical steps that every company, big or small, can and should take to safeguard its sensitive data. While any company that collects, stores, processes or otherwise interacts with sensitive data or valuable IP is likely to have an IT security team that does its best to protect against outside intruders, one of the best ways to reduce risk is to raise awareness: educate employees about the laws surrounding sensitive data and equip them with best practices to avoid data breaches. Some of those best practices include:
- If you don't need it, don't collect it. The best way to avoid a data breach is to avoid collecting PII in the first place. For example, do you really need an applicant's social security number just to conduct an interview? Are you sure you need that driver's license number?
- If you don't need it, don't use it. Once you have collected sensitive data, always think twice before removing it from a secure location. Can you do your work without exporting a sensitive data field? Moreover, companies should avoid using social security numbers or other PII as employee identification numbers, access codes or for other non-essential purposes.
- Implement technical controls. Sensitive data should be segregated from everyday business records and access to it strictly limited to the people and purposes that actually need it. Companies should encrypt sensitive data whenever possible, but employees also need to be trained about how encryption works and why it matters: full-disk encryption protects a stolen laptop only if the machine is shut down or locked and the passphrase is not stored with it. In a world of Bring Your Own Device ("BYOD") and cloud-based storage, you should train everyone in your company to use strong, unique passwords for each account rather than reusing one password across services.
- Implement physical controls. While data breaches often elicit images of hackers gaining entry into a network, many breaches result from stolen computers and portable media. Employees must understand the need to lock doors, lock laptops containing sensitive data to desks, and lock portable media in desks.
- Clean house often. Very often, companies store more data than they need, longer than they need it. Companies should create and implement document retention policies but, just as important, employees must understand the risks of having laptops and thumb drives with old data scattered about their offices and homes and the risk of failing to delete sensitive data when it's no longer needed.
- Don't take it with you. Data is least secure when it is out of its secured home and in transit: coffee shops, hotels, subways and cars are notorious locales for stolen laptops and portable media. Employees should think twice before exporting their data, thrice before exporting sensitive data. Institute a take-what-you-need mentality when traveling with a laptop or other media.
- Raise awareness. The best way to prevent a data breach is to make data security and privacy a part of the culture at your company. Your company should create clear policies that address data security practices, hold data security trainings, send periodic reminders about the importance of protecting sensitive information, post signs and hand out stickers as reminders, as well as spot check workers - all with an eye to encourage compliance.
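The second, third and fifth steps above (keep PII such as Social Security numbers out of everyday identifiers, segregate and limit access to the sensitive data you do keep, and purge it when it is no longer needed) are easier to see in a concrete data-handling pattern. The following is an added illustration, not code from the original alert or from the firm: a small HR "vault" in which the general directory stores only a random surrogate employee ID, the SSN lives in a separate store that releases it only for an approved purpose and logs every request, and a retention sweep removes records past an assumed seven-year post-separation period. All names, the retention period, the purpose list and the sample record are constructed assumptions; encrypting the vault's own storage is assumed to be handled by the storage layer and is not shown.

```python
"""Added example (not part of the original alert): keeping PII out of
everyday records.  Assumptions: an HR system that identifies employees
everywhere by an opaque surrogate and only occasionally (payroll, tax
filing) needs the Social Security number.  All data here is constructed."""
import secrets
from datetime import date, timedelta

# Assumed retention policy: keep an SSN for seven years after separation.
RETENTION_AFTER_SEPARATION = timedelta(days=365 * 7)

# Assumed list of business purposes allowed to read an SSN from the vault.
APPROVED_PURPOSES = {"payroll", "tax_filing"}


class PiiVault:
    """Segregated store for sensitive fields, keyed by an opaque surrogate.

    Nothing outside this class sees the SSN except through get_ssn(), which
    requires an approved purpose and records every attempt (granted or not).
    """

    def __init__(self):
        # surrogate_id -> {"ssn": str, "separated_on": date | None}
        self._records = {}
        self.access_log = []

    def enroll(self, ssn):
        # A random surrogate replaces the SSN as the employee identifier, so
        # the directory, badge system and e-mail lists never carry the SSN.
        surrogate = "EMP-" + secrets.token_hex(8)
        self._records[surrogate] = {"ssn": ssn, "separated_on": None}
        return surrogate

    def get_ssn(self, surrogate, purpose, requested_by):
        # Purpose limitation: deny and log anything outside the approved set.
        if purpose not in APPROVED_PURPOSES:
            self.access_log.append((surrogate, purpose, requested_by, "DENIED"))
            raise PermissionError(f"purpose {purpose!r} may not access SSN")
        self.access_log.append((surrogate, purpose, requested_by, "OK"))
        return self._records[surrogate]["ssn"]

    def mark_separated(self, surrogate, on):
        self._records[surrogate]["separated_on"] = on

    def purge_expired(self, today):
        """Retention sweep ("clean house"): delete SSNs of former employees
        whose retention period has run out.  Returns the purged surrogates."""
        purged = [
            sid for sid, rec in self._records.items()
            if rec["separated_on"] is not None
            and today - rec["separated_on"] > RETENTION_AFTER_SEPARATION
        ]
        for sid in purged:
            del self._records[sid]
        return purged

    def __contains__(self, surrogate):
        return surrogate in self._records


def build_directory_entry(vault, name, ssn):
    """What the general-purpose HR directory stores: name plus surrogate.
    The SSN goes to the vault and never into this record."""
    surrogate = vault.enroll(ssn)
    return {"name": name, "employee_id": surrogate}


def demo():
    """Walk through enrollment, a permitted and a denied lookup, and a purge."""
    vault = PiiVault()
    # Constructed sample record; 000-00-0000 is not a valid SSN.
    entry = build_directory_entry(vault, "A. Example", "000-00-0000")
    directory_clean = "ssn" not in entry and not entry["employee_id"].startswith("000")
    # Payroll may look the SSN up; a marketing export may not.
    ssn = vault.get_ssn(entry["employee_id"], "payroll", "payroll-batch")
    try:
        vault.get_ssn(entry["employee_id"], "newsletter_export", "marketing")
        denied = False
    except PermissionError:
        denied = True
    # Retention: separated eight years before the sweep date, so purged.
    vault.mark_separated(entry["employee_id"], date(2007, 4, 10))
    purged = vault.purge_expired(date(2015, 4, 10))
    return {
        "directory_clean": directory_clean,
        "ssn_ok": ssn == "000-00-0000",
        "denied": denied,
        "purged": entry["employee_id"] in purged,
        "still_present": entry["employee_id"] in vault,
        "log_entries": len(vault.access_log),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the pattern is that most of the company never handles the SSN at all: a lost directory export or a mis-addressed spreadsheet then contains only surrogates, the access log shows who asked for the real value and why, and the purge routine enforces the retention policy instead of leaving it to individual employees' memory.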
Frankfurt Kurnit has helped many clients to protect their sensitive data, comply with data security and privacy laws and prepare for and respond to data breaches. For more information, including to schedule a presentation for employees about practical ways they can help protect your company's sensitive data, please contact Jeremy S. Goldman, Esq., CIPP/US at (212) 705-4843 or email@example.com, S. Greg Boyd, Esq., CIPP/US at (212) 826-5581 or firstname.lastname@example.org, Jessica Smith, Esq., CIPP/US at (212) 705-4876 or email@example.com, or any other member of Frankfurt Kurnit's Technology, Digital Media & Privacy Group.