By James P. Harris and Doug G. Verge
In today’s digital world, there are a host of reasons why businesses need to carefully safeguard the sensitive data they generate and collect. Some of those reasons are imposed by statute or regulation, and those rules will grow in number and scope as time passes. The recently enacted General Data Protection Regulation (“GDPR”), for example, exposes businesses to fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher, for non-compliance with respect to personal data of persons located in the EU or EEA. Some businesses agree to maintain confidentiality as a matter of contract, so those contracts impose legal duties and risk of their own. Employers also need to be mindful that they possess protected information about their employees, including tax and health information, that attackers use to steal employees’ identities; maintaining good relations with the workforce requires diligence in protecting that information. Purely business reasons motivate companies as well: they must be able to withstand ransomware attacks with robust, tested backups and avoid the reputational damage that follows a compromise of customer data.
There is an additional, often uncontemplated risk: regulatory penalties for overstating the level of security a company provides. The Federal Trade Commission (FTC) routinely issues press releases announcing large fines and penalties imposed on companies that misrepresent the extent to which they actually safeguard data. As the market puts pressure on companies to differentiate themselves based on security, they must accurately state what they do and do not do to protect the information they hold.
Here are some questions to begin to gauge where your company stands:
- Have you taken the necessary steps to comply with the GDPR, the new California privacy law, and other impending similar laws?
- Have you considered the need for a data protection officer, EU representative, and data protection impact assessment in connection with the GDPR?
- If you are planning to transfer personal data of persons located in the EEA to non-EEA locations or businesses, have you determined in each instance a lawful basis under the GDPR for that transfer? Does your company have appropriate privacy policies in place that comply with applicable laws?
- Does your company accurately state its security measures?
- Have you reviewed your privacy policies to ensure they are compliant?
- Have you audited your practices to ensure they actually meet the standard set in the policies?
- What is your company doing to adequately secure data?
- Are you training employees to protect data?
- Are you keeping up to date with technological safeguards?
- Are you testing your systems for vulnerabilities?
- Are you commissioning outside audits or certifications?
- Is your company ready to respond in the event of an incident?
- Do you have a backup system, and have you actually tested it to ensure you can recover your data and get back online quickly?
- Do you have a breach response plan that addresses insurance, technological, legal, and regulatory needs?
- What is your company doing to mitigate risk?
- Have you carefully addressed security, liability and indemnity in contracts with vendors and other partners?
- Have you obtained comprehensive cyber risk insurance and do you understand the available coverage?
If you feel uncertain after attempting to answer the questions above, we can help your company analyze and respond to this ever-growing risk.
James P. Harris and Doug G. Verge are shareholders at Sheehan Phinney Bass & Green.
This article is intended to serve as a summary of the issues outlined herein. While it may include some general guidance, it is not intended as, nor is it a substitute for, legal advice.