March 03, 2016

What Organizations Can Do to Avoid a Data Breach Lawsuit

If your organization suffers a data breach, is there a chance a lawsuit might follow?  

According to a post at searchsecurity.com, a number of recent enterprise data breaches have resulted in class-action lawsuits.

While none of the major data breach lawsuits have gone to trial, there have been expensive settlements paid out to customers, employees and other plaintiffs. These settlements put the spotlight on the rising costs of liability – and what the future costs of data breaches overall might look like.   

For example, one health services company paid out $3.1 million after more than 1 million patient records were breached. A retail data breach affecting over 100 million customers cost $10 million. A supermarket chain paid out $2.1 million after credit card information from 2.4 million of their customers was exposed.

Organizations must make “significant efforts to secure their infrastructure, and protect customer and employee data – or face the consequences in court,” said the searchsecurity article.

What can organizations do to avoid a data breach lawsuit?

Keep all data security current
Review and update the organization’s information security policies on a regular basis. This includes technical safeguards for computers and hard drives (passwords, encryption, firewalls, anti-virus software) and physical security measures (such as a Clean Desk Policy).

Ensure compliance
Stay up-to-date on compliance requirements. Depending on the industry and type of data, an organization may be subject to a broad range of privacy laws and legislation.  

Practice data breach response
Use role-play scenarios to prepare everyone for a cyber attack. Have a response team in place that consists of management, IT, legal and human resources. What’s most important is a quick response and everyone knowing in advance who is responsible for what. There should be ongoing security awareness training for all employees as well.

Communicate carefully
When a data breach occurs, “you have to be really careful about what you say,” said Margaret Dale of the law firm Proskauer in a fortune.com article. “You can be sure the plaintiffs will use it against you later on.” Put a team together to handle public relations and communications.  

Be accountable – fast
Act quickly when a data breach occurs, and be sure to follow breach notification laws, which vary by state. Generally, businesses must notify consumers whose personal information has been compromised. In many states, the attorney general or other state agencies must be notified too.  

Provide credit monitoring
Offering free monitoring services for credit and identity theft is often recommended. It’s good customer service and can reduce class-action claims.

Third-party checks
Increasingly, third parties are being identified as a weak link. Screen all suppliers and other companies that are connected to your network to make sure they have appropriate cyber security safeguards.

Destroy all non-necessary customer information
Partner with a document destruction company that has a secure chain of custody and provides shredding services for paper and hard drives and a certificate of destruction after every shred.  

A comprehensive document management policy helps protect confidential information from creation to destruction.