Client Bulletin: The High Cost of Insufficient Data Protection

The High Cost of Insufficient Data Protection  

By Lindsey Schek Gillespie

Is your company prepared to handle a security incident?  Has your company taken measures to mitigate the impact of a security breach?

In 2014 a number of privacy trends emerged that are likely to continue this year.  Among them are growing concerns with the international transfer of personal information, security of data on mobile devices, and increasing complexity that companies face when handling a data security breach.  Last year we saw an uptick in the number of large-scale data security breaches reported in the news.  In the first two months of 2015, several security incidents were reported, with the insurance giant Anthem suffering one of the largest data security breaches in corporate history (with up to 80 million customer records compromised).

Along with the rise in reported security breaches we have also seen an increase in related class action lawsuits and growing federal and state regulatory scrutiny of affected companies.  Much of the scrutiny surrounding data security breaches involves an examination of whether or not the company had implemented appropriate security measures to protect the personal information that was compromised, and not an examination of whether the notification about the breach was sufficient. 

Currently there is no general Federal data security breach legislation, so companies dealing with a security incident face a myriad of state laws containing varying requirements.  Forty-seven states, D.C., Puerto Rico, Guam, the U.S. Virgin Islands, and several other countries have enacted laws requiring companies to notify individuals in the event of a security breach involving personal information.  The laws defining the types of personal information that require notification vary, and are expanding to include categories beyond the traditional categories of sensitive data such as Social Security Numbers and financial account information.  Some state laws now include categories such as a user name or password, and health information (Fla. Stat. § 501.171, Cal. Civ. Code § 1798.29) within the categories of data that trigger a company to notify of a security incident. The definitions of personal information in those laws are expected to expand further.  State laws also establish differing timeframes in which to notify affected individuals and regulators where applicable.  Companies face growing complexity and therefore increased costs in coordinating a response to a large-scale incident, as well as increased uncertainty around what might constitute “harm” in the context of a data breach.

FTC enforcement actions and investigations

The Federal Trade Commission (“FTC”), charged with protecting consumers and enhancing competition, has been instrumental in consumer privacy enforcement by, among other things, conducting studies, issuing reports, hosting public workshops, developing educational materials, and testifying before Congress.  In addition, the FTC has used its authority to bring privacy related enforcement actions under Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in the marketplace, as well as its authority to enforce various sector specific laws.  The FTC has used its broad authority to address a wide range of practices affecting consumers such as social networking, online behavioral advertising, marketing, children’s online privacy, and more.  Since 2002, the FTC has brought over fifty cases against companies whose practices put consumers’ personal information at risk. 

Although the FTC’s authority to bring enforcement actions against inadequate data security was challenged in 2014, a court has not yet ruled that the FTC lacks the jurisdiction to pursue these types of actions.  Furthermore, the FTC has taken the position that an actual security breach is not required before it can launch an investigation.  Instead, the FTC may take action if a company’s business practices cause or are likely to cause injury to a consumer.  Any company that handles personal information is therefore potentially vulnerable to an investigation by the FTC.  Although facing an FTC investigation or enforcement action can be costly, there are many other costs associated with insufficient data security. 

Costs are on the rise

The costs associated with a data security breach are on the rise and can be very significant.  The Ponemon Institute, a leading research center dedicated to privacy, data protection and security, reported in a 2014 report that the average cost of a data breach in 2013 was $3.5 million dollars, up 15% from the previous year.  (2014 Cost of Data Breach Study from Ponemon Institute, sponsored by IBM.)  The costs of the massive data breach recently suffered by Anthem could run into the billions.

The costs associated with a security incident include anything from declining stock prices, business disruption, class action lawsuits and other legal fees, to the costs associated with forensic investigations, operating call centers, and providing credit monitoring services to affected individuals.  Companies also suffer embarrassment, reputational harm and a loss of consumer confidence and loyalty.  In some cases, reputational harm and the loss of customers can cause the most damage to a company’s profitability.  In addition to these costs, if pursued by the FTC, companies may be ordered to redesign and implement new security protocols, pay fines and submit to years of mandatory audits.

What preventive measures can your company take?

Companies collecting personal information can take steps to minimize the risk of suffering a security breach, mitigate the costs associated with an incident, and reduce the risk of an FTC investigation or enforcement action with respect to the company’s privacy and security standards.  Although it may seem overwhelming and possibly expensive for a company to properly address data privacy and information security by creating and implementing a comprehensive privacy and security program, the costs associated with failing to implement such programs have been demonstrated to be significantly higher.

At a minimum, companies should take the following steps:

  • Review your privacy and security representations made to consumers and ensure that your privacy policy and consumer terms accurately reflect your company’s actual practices and do not promise more security than the company can deliver.
  • Conduct a privacy audit and risk assessment and confirm that your company’s data security practices are in line with your industry’s standard and implement changes where necessary.
  • If your company collects international personal data, consider the effect of non-US data privacy laws on your operations and take appropriate steps.
  • Document your company’s privacy and security practices and procedures through an internal written information security program and employee-facing acceptable use policy.
  • Implement mandatory employee training on the company’s privacy and security obligations and policies and ensure that these protocols are consistently enforced.
  • Create and implement a security incident response plan, including legal counsel and forensic investigator, and test the plan to ensure it may be rapidly executed in the event of an actual breach.
  • Include appropriate security terms in agreements with vendors and third party service providers and make sure all applicable security obligations are passed down to contractors and subcontractors. 

Data privacy and information security is an ongoing process.  An effective privacy and security program involves continuously evaluating the company’s risks and vulnerabilities and adjusting the company’s practices to respond to and minimize those risks.

We are available to answer questions, assist with privacy and security audits and related risk assessments, review internal policies and procedures and other relevant documentation, help to develop a security incident response plan, and otherwise aid in the development and implementation of your comprehensive privacy and security program.

____________________________________

Note: This Bulletin is not intended as legal advice. Readers should seek professional legal counseling before acting on the information it contains.