Cyber Defense Magazine – July 2019

in California, certain California laws may also apply to such company’s use of the individual’s information.
In other words, one company may have to comply with 50 different laws when making notifications for
a single data breach. And the timeframes for providing notice under some of these laws are very
short: you may be required to provide notification within 72 hours of becoming aware of the data
breach. Hence, being prepared and having a well-thought-out plan are crucial.


Why are companies not instituting these robust practices and procedures?


Most likely, it is the time and money required to implement these types of cybersecurity, business
continuity and incident response practices and procedures. Significant time and effort must be spent
understanding the totality of the company’s systems, how personal information is used and stored, and
which persons or entities interact with such information and why. Further, leadership has to think
about all the different places, both likely and unlikely, where a breach could occur.


Additionally, this analysis should not be limited to just your company’s systems, practices and procedures.
It also needs to include your vendors. For example, with the Target breach, the bad actor’s access to
Target’s systems was traced back to an HVAC system provider’s network credentials that had been stolen.
Therefore, you need to analyze which third parties have access to your network and whether that access
is appropriate for the services being supplied. Does an HVAC provider need access to the systems
where credit card information is housed? If not, you need to ensure that the HVAC provider’s access
is appropriately limited. If the vendor does require that type of access, then you need to ensure that it
has the appropriate practices and procedures in place to prevent an intrusion into your systems
through the vendor’s systems. This may require a review of your contracts with vendors to include the
appropriate contractual obligations on such vendors.


Furthermore, a company needs to understand what types of information are at risk in which systems and
how to handle those different risks within its practices and procedures. The personal information at risk
if someone breaks into a computer in human resources will differ from that on a computer in sales. These
differences need to be evaluated and the practices and procedures need to be modified accordingly.


What are some of the best practices to mitigate risk of a data breach that should be built into
these practices and procedures?


Your practices and procedures should:



  1. Be flexible enough to allow for changes in risks and attacks. Additionally, the types and levels of
    security measures need to fit the value of the information and the potential risks to such
    information.

  2. Include appropriate monitoring of your systems and regular testing for vulnerabilities. As the
    Ponemon Institute study shows, the faster a breach can be identified and contained, the lower
    the cost to the company.

  3. Provide for education and training of your employees on recognizing a potential attack and taking
    the appropriate steps if they believe an attack is occurring or has occurred.
