Data Breach: No Company Immune

The same technology that can help an energy company develop or market energy resources, or a financial institution manage accounts could be compromised in a data security incident, potentially jeopardizing information security, writes Kathleen Rice.
By Kathleen Rice | March 12, 2015

If your boss asked you to guarantee that your company would never suffer a data breach, would you do it? That may be a little extreme, but what if he simply wanted your assurance that every reasonable step had been taken to prepare for, prevent, or respond to a breach? Could you give it?   If you answered no to the second question, you're not alone. 

If any good has come from the high-profile data breaches over the past year, it is that more companies are recognizing that no company and no sector of the economy is immune from the threat of a compromise. The prospect of class action litigation, regulatory action, harm to reputation and significant financial losses are just a few consequences. But even with the many reports of breaches, as well as the increasing and unpredictable threats to data security, many companies have still not done enough to prepare for, prevent, and respond to an incident.

Today, technology seems to be everywhere. From agriculture to energy to retail to financial institutions and health care, technology influences how we produce energy, grow food, work, communicate, and live our daily lives. These technological advances may not only save time and improve productivity, but many can help make us more secure or save our lives. 

But what about the information that is gathered, analyzed, used, and stored by all this technology? The same technology that can help a farmer produce more or better crops, an energy company develop or market energy resources, or a financial institution quickly manage corporate accounts could itself be compromised in a data security incident, potentially jeopardizing the security of sensitive, confidential, or proprietary information. For many companies, this could not only damage their competitive edge, but open them up to extensive legal liability or regulatory action. For their customers or employees whose information may have been compromised, a breach can bring long-term anxiety over identity theft or stolen funds and destroy consumer confidence. Over the past year, a number of American businesses and consumers have seen firsthand these and other results of significant data breaches. 

As companies have worked to respond and recover from such breaches, some important lessons have been learned along the way.  Regardless of the sector of the economy in which a company operates, regardless of its size or success, it could be at risk for a data security incident. It’s smart to be proactive. Identify the threat landscape as it applies to your company’s specific business model. Assess the risk. Ask basic questions about the very information that could be subject to compromise. Who is collecting the data?  For what purpose?  What specific information is being collected?  Is it business or personal? What is being done with the data?  How will it be used—for marketing, regulatory, or other government purposes? Who has access to it?  Will it be stored, and if so, for how long? Will it be shared with the government or with third parties? Are there legitimate privacy concerns that must be considered, and if so, what is the reasonable response? Are there tangible measures that can and should be taken to reduce the impact on privacy? 

Why are these questions important? Because the answers will help you shape and implement reasonable and responsible measures to reduce the risk and effects of a compromise, long before such an incident occurs. Some of those measures might include: identifying and setting appropriate limits on the type of information collected; specifically assessing who should have access to the information, and then defining that category; clarifying under what conditions data may be shared more broadly; stating clearly how long it will be retained, and developing a clear and effective incident response plan. There should be effective policies and procedures in place that guide and inform how a company acts to prevent or mitigate the risk of a compromise. 

As we have learned from recent data breaches, a proactive and responsible approach by individual companies to think through risk and compliance issues before a breach occurs will put a company on much better legal, regulatory, and technical footing if a breach does, in fact, occur. This not only benefits the company as it looks to rebuild its reputation, but its customers, shareholders, and employees as well. And it means that when your boss asks you how well-prepared your organization is, you can finally give him that assurance he's looking for. 

Author: Kathleen Rice
senior director, FaegreBD Consulting

Contributors: Mary Bono and Andy Ehrlich, FaegreBD Consulting