Today is very exciting for me. It is my first day at Baker Hostetler as National Co-Leader of the Privacy, Security and Social Media Team. And, it is also my first contribution to Data Privacy Monitor. Not only am I joining a solid privacy team that is supported by a large platform, I now have an opportunity to regularly contribute to an informative and current blog that tackles issues which are important to people who care about privacy, data security and social media.
I have counseled clients through many complex data breaches and I have learned that being able to navigate the legal landscape is as important as the ability (and flexibility) to partner with your client to balance legal requirements with a plan that reflects the organization’s philosophy. Every crisis is unique, and there is no one-size-fits-all solution or a prix fixe menu that is suitable for every situation.
This year has been filled with many highly publicized, large data breaches. Are we close to the saturation point and becoming immune to the almost daily announcements? Even if that is true to a small degree, the regulators do not feel this way and I predict the future will bring a lot of activity by state attorneys general, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the Federal Trade Commission (FTC) and maybe even the Department of Education (DOE).
Don’t wait until a breach occurs to think about how you will deal with the regulators. A data breach event does not necessarily mean that you are doomed in the eyes of the regulators, but they do have expectations:
1. The organization will be transparent.
2. Data breach prevention and mitigation are a C-Suite issue and not an IT-only issue.
3. The organization acted promptly and investigated the event thoroughly. Be able to answer as many questions as possible.
4. Be able to identify the root cause of the breach and explain how you responded to prevent it from happening again.
5. Be prepared to explain how you have protected the people affected.
Many of these expectations may seem like common sense, but they are essential to satisfying a regulator. As you attempt to protect your organization, recognizing that not all data breach events are preventable, reflect on the following:
1. Do you need to increase security awareness and education through annual training or a data breach workshop led by experienced outside counsel?
2. Do your data security practices, policies and procedures need to be reviewed and updated?
3. Do your vendor contracts need to be updated to reflect the current state of privacy laws? Remember, one-third to one-half of data breaches are caused by vendors.
4. Do you need to practice or develop a breach response initiative?
5. Are you collecting too much information and keeping it for too long?
Focusing on these considerations will go a long way in protecting your organization, and that preparedness (along with a little luck) will help you sleep easier when you are in the middle of an investigation. As Thomas Jefferson said, “I’m a great believer in luck, and I find the harder I work the more I have of it.”