Business leaders who fail to properly prepare for an eventual theft or corruption of valuable company data do a disservice to their company’s stakeholders, in particular its shareholders and customers. Boards, officers and other senior-level managers who do not recognize the pervasiveness of data breaches leave their organizations legally vulnerable to state and federal authorities, as well as to private claimants.
In 1982, just 34 percent of the market value of the Standard & Poor’s 500 index was composed of intangible assets. By 1999, that number had increased to 84 percent. Combine that statistic with a report issued last September by the independent Ponemon Institute, which performs research related to privacy, data protection and information security, finding that 43 percent of U.S. respondents suffered a data breach during the previous year, and it is apparent that companies’ valuable assets are more susceptible to attack than ever.
High-profile breaches such as those related to Target, TJ Maxx, Home Depot, PF Chang’s and Anthem bring the issue into the spotlight. It is critical that the issue stay in the spotlight and become as important a part of an organization’s strategy as market analysis and product development. Why? A company’s inability to protect its data, which as statistics now reveal will often represent the majority of its assets, will lead to customer dissatisfaction and loss of reputation, potential loss of valuable intellectual property that includes trade secrets, disgruntled shareholders and potential lawsuits by regulators, shareholders, customers and vendors.
The laws addressing privacy and data security around the country are complex. This is because the United States takes a “sectoral” approach, in contrast to the “omnibus” approach taken by foreign bodies such as the European Union and Canada. Consequently, we are left with a patchwork of laws issued at the state and federal levels that must be reviewed state by state, or federal laws tied to a particular sector, such as the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act and many others.
Last year, Florida passed what might be one of the most stringent data breach laws in the country. The Florida Information Act of 2014 broadened the scope of protected information and tightened the notice requirements. A cursory look at other states’ data breach laws will show varied requirements relating to information accessibility and breach notification triggers. How prepared are organizations to deal with these issues in a timely and effective manner?
Companies also should be aware that the Federal Trade Commission has the authority to investigate companies’ data security and privacy practices, including the failure to implement “reasonable security measures.”
Public companies should note that in 2011 the U.S. Securities and Exchange Commission’s Division of Corporate Finance issued disclosure guidance recognizing threats associated with cybersecurity. The guidance states, “A number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.”
It is imperative today that organizations, especially their legal and information technology departments, be proactive in reducing the likelihood of a data breach or other incident. Additionally, they should be able to quickly control and mitigate the fallout of any such breach or incident by asking the following questions:
- What laws apply at the local, federal and international levels?
- Is a clear plan in place to quickly, efficiently and appropriately address any breach?
- Do we have a substantive understanding of the requirements triggered by a breach depending on the applicable law, such as HIPAA and state data breach laws?
- Do contracts with other parties take into account their data breach practices and address the various items that need to be addressed in regard to matters of privacy and data security compliance?
- Is proper insurance coverage maintained for the kind of cyberthreats to which our organization is most vulnerable?
- When our company is involved in merger and acquisition activity, do we make data security and privacy a key part of our due diligence procedures?
Addressing privacy and data security has become a fundamental part of an organization’s infrastructure. By answering these questions, company directors and officers can at least begin taking concrete steps to ensure their businesses and personnel are properly prepared to execute a comprehensive, dynamic strategy that appropriately prioritizes cybersecurity as a key component of their firm’s overall well-being. Failure to do so can have serious consequences for all stakeholders.