Cyber breach not a question of if, but when
You’ve spent numerous resources building your customer base, created long-term strategies for retention and have developed a sense of mutual trust — and then you get the call: “We’ve been hacked.”
It’s every business owner’s worst tech fear. Your customers’ records are exposed to threat — and so are your profits. From ADP to the Department of Homeland Security, IRS to Verizon, organizations across the country experience daily cyberattacks.
The potential risk is growing exponentially. This year is on pace to exceed 2015 in both the number of breaches and the total records compromised. And 2015 far surpassed 2014.
While the “bad guys” may just happen to get lucky one time, organizations need to protect themselves from all potential threats. Given the sophistication of cybercriminals and the proliferation of technology within an organization, companies should assume a cybersecurity issue is not a question of “if” but “when.”
Though we may think of hackers as sitting in a small, dark room in a foreign country, the reality is the greatest cyberthreat to any organization is the men and women you share a break room with. If an organization wants to be proactive in its security posture, the two easiest things it can do are emphasize training and encrypt its sensitive data.
Training is key
One of the biggest safeguards an organization can develop is a culture of security awareness through the adequate and continuous training of employees, vendors and contractors.
Technology changes at lightning speed — making it easier to adopt new technologies. While this may aid in innovation, it makes it easy for policies and procedures to be out of sync. A regular review of both will help identify any inconsistencies and allow organizations to correct them before any major issues arise.
This review is not a one-person job, either. The organization should involve multiple stakeholders to fully understand the uses of sensitive data and the means of transit both inside and outside the organization.
Encryption is necessary
Encryption can greatly mitigate the negative effects of a potential data breach. Under many state and federal laws and regulations, companies with encryption may be relieved of a notification requirement during an information compromise.
Additionally, a regular regime of encryption will potentially minimize the footprint of sensitive data — reducing the targets of cybercriminals.
What to do when …
Despite their best efforts, many organizations will experience a data breach. The data breach most difficult to protect against is a third-party breach involving company data. When this occurs, it is often too late to negotiate coverage costs with the third-party service provider.
At that point, substantial damages may have been incurred — likely leading to blame-shifting to avoid responsibility for these potentially extensive costs. If the organization has the confidential information of other parties mixed in, additional confidentiality obligations also may need to be analyzed. Moreover, most statutory and regulatory schemes do not identify who should be responsible for data breach costs — leaving parties without any guidelines on how to apportion the liability.
Given all of this, there’s no doubt discussing data breach liability should be done during initial contract negotiations.
What should companies keep in mind during these negotiations? Given the nature of a breach and associated costs, organizations should be careful to avoid consequential damage waivers often found in agreement boilerplates. As a result, without a carve-out, the third party could escape liability for costs associated with a data breach.
If uncapped liability is not a possibility, organizations should explore the possibility of a “super cap,” often a multiplier of fees paid. Alternatively, the parties may agree to a dollar limit in the event of a data breach.
To determine whether the amount is adequate, simply multiply the number of records held by the third party by $158, the current global and average cost incurred for each lost or stolen record containing sensitive or confidential information. If the organization maintains records that contain particularly sensitive information — typically health information, financial information or other personally identifiable information — the cost per record is higher.
With proper planning and foresight, organizations can decrease the probability of experiencing a data breach.
Nathan W. Steed is a partner at Warner Norcross & Judd LLP who counsels organizations in technology and intellectual property law, health law and privacy and information security law. He can be reached at firstname.lastname@example.org.