We have all read the news reports about the recent hacking and data breaches at Sony Pictures, and while the story is interesting from a political perspective, from a corporate executive’s standpoint it raises some very important legal issues.
There are steps company executives can take to minimize the risk of a data breach or, in the event of a hack, to minimize their liability. These steps include:
- Meet competitor security standards, at least. Network security needs to be a very high priority for every company. A business and its executives will be held to the “commercial reasonable standard,” which means your company’s network security will be compared to that of your competitors and of similarly situated entities. So, find out what they are doing, and make sure that your network security is at least up to their standards.
- Be aware of data security plans. Senior executives need to be fully involved in and aware of their company’s plans to protect its data. This is not the type of issue that should be delegated to mid-level management. The liability in the event of a data breach, from both a legal and reputational viewpoint, is just too high to delegate.
- Have, share & verify your data security policies and procedures. All companies need to have security policies and procedures in place. Additionally, these strategies need to be communicated to all employees, and most importantly they need to be followed. From an executive’s perspective, it is vital that there is periodic independent verification that your network security and policies are being followed. These types of reports, provided to senior management, will demonstrate that data security is a priority.
- Consider cyberinsurance. Many large insurance companies offer different types of cyberinsurance. At a minimum, company leaders should consider buying it. Beyond the obvious benefit of having insurance to help pay for any damages that may arise from a data breach, there are other advantages: First, if the worst happens and there is a data breach, insurance companies most likely will have dealt with similar issues, and they can offer expertise and advice. Second, the fact that your company has cyberinsurance may be a selling point with your clients.
- Plan for the hack. The worst time to come up with a plan to deal with a data breach is after it happens. Once the news breaks, it is too late. Executives are inundated with requests for help from employees, and questions from clients and the press. Additionally, depending on the nature of the business, there may be inquiries from governmental agencies and regulators. At this point, it is virtually impossible to put together a plan that deals not only with the company’s immediate needs, but also with the long-term impact to the company and its executives. So, just like a company should have a disaster recovery plan, these days a company should also have a data breach plan.
Steven Boyne is a shareholder and a member of Gunster’s corporate law practice. He works out of the firm’s Jacksonville office.