Birmingham Business Journal: Data Protection Table of Experts
In an article published by the Birmingham Business Journal, Beth Shirley provides her insights into a series of questions surrounding data protection, including strategies, expenses, and recent trends.
The full article is available online; Beth's portion of the discussion is featured below.
Table of Experts Series: Data Protection - Beth Shirley
Q: Why is it important to focus on data protection within the cybersecurity realm?
Data protection is crucial because if there is an intrusion into your company’s systems, you want to have data encrypted or anonymized to protect against a data breach that exposes individuals’ personal information. Data protection also involves ensuring there are secure, regularly updated back-ups of company information and personal information. So if there is a data breach and mass encryption, your company can quickly return to normal operations.
Q: What are some of the most important considerations for a company regarding data protection?
Companies need to consider what kind of personal information they maintain, where it is maintained, and the security protections that are in place for the personal information. These security protections include ensuring that employees have access on a need-to-know basis; maintaining personal information for no longer than it is needed for a legitimate business or legal purpose; and securing access to personal information through multi-factor authentication (MFA), virtual private network (VPN), etc.
Q: What are the various types of data most companies have, and are there strategies for protecting each type – or is it more of a blanket policy?
Companies can have many types of data that vary in confidentiality. Examples include personal information of consumers (name, address, email address, IP address), personal information of employees, sensitive personal information of consumers and/or employees (biometric data, geolocation data, health-related information that doesn’t rise to the level of protected health information), and company confidential, proprietary or trade-secret data. Depending on the level of confidentiality and sensitivity of the data, security protections should be afforded accordingly. For example, a relatively small group of employees may need access to individuals’ sensitive personal information, or to the company’s trade-secret information.
Q: What types of companies or partners can ensure a company is following data protection guidelines and best practices?
Cybersecurity/Data Privacy legal counsel can provide advice to companies on complying with cybersecurity and data protection laws. Additionally, there are numerous non-legal third-party vendors that can assist companies in building a robust cybersecurity defense network; training employees on cybersecurity and data privacy best practices and pitfalls; and assisting companies with complying with a particular cybersecurity framework such as NIST (National Institute of Standards and Technology).
Q: A lot of data breaches have taken place recently. Why is that and how can companies stay ahead of the crime curve?
Crime is a matter of opportunity. Many small and medium-size companies, in particular, assume that if their information technology systems are working, and if they have firewalls and other cybersecurity basics in place, they can hopefully avoid a data breach. Implicit in this approach is the blindly optimistic hope that it won’t happen to them. Companies with this approach are ideal targets for data breaches because they are not taking additional steps to identify where personal information is stored and how it is secured, nor have they implemented a holistic and regularly updated cybersecurity data plan to protect their network assets. While a budget must be allocated to implement these safeguards, the cost of a data breach far outweighs the cost of investing in the cybersecurity protections prior to a data breach.
Q: How expensive can a data breach be for businesses or employers?
Very expensive. In a typical ransomware situation, companies must allocate their internal resources — including management representatives — to regular team meetings and many hours, days and sometimes months of helping the company recover and return to normal operations. This detracts from running the business and doing their regular jobs. Companies may have an external IT vendor whose resources will need to be dedicated to helping the company recover from a data breach. This IT vendor — or the company’s internal IT team — will need to work with a cybersecurity forensic firm, which is yet another cost and not cheap. A cybersecurity forensic firm can help secure the company’s data systems, investigate the potential data breach, help the company recover, etc. Companies also need to have legal counsel involved from the outset of a suspected data breach to help manage the team of professionals, direct the investigation towards discovering as soon as possible whether any personal information was compromised, determine whether and when any notice obligations are triggered, interact with regulators, etc. Additionally, mid- to large-size companies often need the assistance of a public relations firm, which is yet another cost. If a ransom is demanded, and the company cannot obtain its data any way other than by purchasing the decryption key from the threat actor, that may be a very heavy payment, into the millions of dollars (assuming payment is permitted under applicable law). If payment is not permitted, or a company can’t afford to pay it, the company may have to shut down if it cannot operate without the compromised and unusable data involved in the data breach. There are costs for sending out notice letters to individuals, for providing a toll-free conference center, and for providing complimentary credit monitoring to affected individuals.
Also, there increasingly are class-action lawsuits filed after a data breach, and attorneys’ fees and potential settlement costs or a judgment are yet other expenses. If a company has cybersecurity insurance, some or all of these costs may be covered. But many companies do not have enough coverage, and some don’t have it at all. In sum, a data breach will be, at the very least, more costly than it would have been to review and update cybersecurity best practices (which may or may not have prevented the breach). Worst case, a data breach can cause a company to go out of business entirely.
Q: When data breaches happen, companies often are no longer offering free memberships to credit monitoring software. Is that an alarming trend, or is it really not needed?
This is an alarming trend. Some states affirmatively require companies to provide credit monitoring memberships where certain types of personally identifying information (PII) are breached, such as Social Security numbers. Even if this is not required by state law, companies should strongly consider providing complimentary credit monitoring services to affected persons. While the reality is that people’s PII has likely been compromised over and over again, regardless of whether a business provided notice, the effect of receiving a data breach notice letter can be mitigated by offering complimentary credit monitoring services.