The United States has experienced the most cybersecurity breaches in the world, and the Equifax breach was one of the first to be considered a “mega breach.” The headlines immediately attempted to lay the blame, in large part, on the fact that Equifax’s chief information security officer was a music major and did not have a background in technology. Equifax was not special in this regard. In fact, recent research reveals that about 60% of information security stakeholders have an IT background, but about the same proportion lack formal technical training. That being said, there is no body of evidence indicating a direct correlation between an information security stakeholder’s non-technical background and the likelihood of a breach.
If having a skilled technical staff isn’t critical, then what arrangements should a company have in place to mitigate the occurrence of a data breach and to avoid the fines and penalties that can follow? In the absence of a law that contains prescriptive requirements (e.g., the Health Insurance Portability and Accountability Act (HIPAA)), the answer is generally that a company should implement a “reasonable data privacy and security program” under all circumstances.
The standard of a “reasonable data privacy and security program” has been relied upon by the Federal Trade Commission (FTC) in data privacy enforcement actions for years and was recently added to a number of state data breach notification laws as a requirement. Additionally, beginning in May 2018, companies subject to the General Data Protection Regulation (GDPR) have a duty to maintain appropriate technical and organizational measures to safeguard personal data, taking into account available technologies; costs of implementation; and the nature, scope, and purposes of processing personal data. Note that this is an evolving expectation, not a fixed checklist: the technologies existing in 2018 will undoubtedly differ from those that exist in 2020, and what counts as “appropriate” moves with them.
The FTC considers that ‘reasonable security’ doesn’t mean ‘perfect security.’ However, some of the enforcement actions brought thus far shed light on what it does mean, which includes:
- Companies should have written data privacy and security policies and procedures in place.
- Companies should implement training on those policies, procedures, and best practices to increase awareness of the threat landscape (e.g., phishing emails) and to create a culture of empowerment rather than fear.
- For companies that process large quantities of personally identifiable data, it would be considered reasonable to hire an outside vendor to perform an information security risk assessment on a regular basis to identify network and system vulnerabilities.
- Companies should implement remediation for the high-risk vulnerabilities and conduct continuous monitoring of the network’s and systems’ strengths and weaknesses.
- Companies of all sizes should have a written security incident response plan in place before a breach occurs, and the plan should be tested at least annually.
Even the best security program is not bulletproof. Breaches will continue to occur because cybercriminals and malware continue to grow more sophisticated than the solutions that companies implement. Yet there are quantifiable benefits to establishing a reasonable data privacy and security program.
First, companies that build and maintain a reasonable privacy and security program are typically subject to reduced fines and penalties in the event a consumer complaint or a breach is brought to the attention of a regulator. Regulators routinely request the information listed above in order to determine the level of seriousness with which a company takes its duties and responsibilities to protect personal data. Companies that provide proof they take data protection responsibilities seriously are less likely to suffer extreme financial losses than those who don’t.
The penalty-reducing benefit of establishing appropriate administrative, technical, and physical breach prevention practices is especially significant for businesses within the scope of the GDPR because of the astronomical size of the fines that can result from violating some of its provisions. Further, businesses subject to the HIPAA Privacy and Security Rules also realize smaller penalties when they can provide the Department of Health and Human Services’ Office for Civil Rights with proof of their efforts to comply with the Security and Privacy Rules.
A second quantifiable benefit of maintaining a reasonable and appropriate security program is the ability to negotiate a smaller quote for a standalone Network Security and Privacy Liability Insurance policy. The internal risk reduction of a data breach translates to dollar savings over the life of a policyholder’s premium. In fact, some of our clients realized the benefit of an automatic renewal without premium adjustment.
Last, but not least, a tremendous benefit of putting these programs in place – before a breach occurs – is the ability to minimize the likelihood and severity of a breach altogether. A company is only as strong as its weakest link, and that weak link is all too often a human being. A reasonable security program helps to raise awareness about best practices and establishes and reinforces a baseline culture of privacy. While these benefits are not ordinarily measured in dollars, a record of only a few, minor data breaches fosters trust and loyalty among customers and, therefore, could be described as priceless.