What you'll learn:
- It is not a matter of if you will be hacked; it is a matter of when, and whether you are prepared. In preparing for a crisis around cyber terrorism, know the law and which laws dictate how your company responds and to whom.
- Know what you want to say and how quickly you will respond after a breach.
- Know the influencers and key stakeholders to make sure you do not ignore key people when responding to an attack.
It is no longer a matter of if; it is now a matter of when my computer system will get hacked and how much information will be stolen or compromised. From HBO last week to Sony last year, and before that Target, Home Depot, Qatar and the US Department of Justice, all proving that no one is immune from having their data or their customers' data stolen.
But cyber terrorism is no longer limited to stealing your credit card number and other personal information. Cyber terrorists are breaking into your email and sharing salacious content. They are breaking into databases and publishing personal telephone numbers and they are breaking into websites to spread fake news. Not to mention hacking into utilities to shut down the grid. Next it will be hacking the system to pollute our food supply or release toxins into our drinking water.
Although it is inevitable that someone will break into your technological back door, you are still liable, and several state and federal regulations require disclosure and reporting of the breach to key stakeholders, not to mention having a plan in place before a crisis occurs.
While insurance companies now offer cyber security policies and riders, and there is plenty of (legitimate) information out there on how to limit your risk and exposure (weak passwords, failing to update software, downloading software you shouldn't, falling victim to phishing expeditions through emails and social media, granting permission for one thing but actually granting it for others), there are also proactive steps you can take now on how to deal with a data breach once you become aware of it.
ADVICE: Know the law as to what and when to disclose a breach.
First, knowing the law is important in determining when you communicate with those affected by a breach and to whom you need to reach out. Knowing the law will also help you draft the key messages to the various stakeholders, describing the process and the steps you have taken to address the issue.
Some data breaches may require disclosure to different federal agencies. For example:
- The Gramm-Leach-Bliley Act (a federal law) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
These agencies and laws also require some form of disclosure:
- The Securities and Exchange Commission (SEC)
- Federal Trade Commission (FTC, Section 5)
- The Health Insurance Portability and Accountability Act of 1996 ("HIPAA")
- The Fair Credit Reporting Act and the Children's Online Privacy Protection Act.
TIP: Know which laws and regulations apply to your industry and to your company.
For example, the U.S. Department of Health and Human Services (HHS) has been issuing million-dollar-plus fines for failing to comply with the HIPAA privacy and security regulations.
Overall, the FTC encourages companies to build privacy protections and safeguards into every relevant portion of the business, from employee training and password maintenance to data collection and storage practices.
In addition to the federal government, the following require certain disclosures:
- 46 states; and
- 3 US territories plus the District of Columbia.
Link to state disclosure laws.
And here are additional regulations on disclosure by Baker & Hostetler.
SUGGESTION: Companies and industry groups should collaborate in responding to cyber attacks.
Companies and executives would benefit from collaborating with each other on issues related to cyber security. This includes developing similar approaches and rules of engagement should a breach occur.
STRONG ADVICE: To limit risk, have a plan in place, including knowing what to say.
Companies can also expect to face civil liability should they experience a data breach in which their customers and employees suffer financial damages. Insurance certainly helps, but companies should have a plan in place for dealing proactively with a potential breach and be able to respond immediately. This includes developing the messaging in advance and tailoring it to the specific situation.
Knowing the law and being familiar with your insurance policy and any clauses dealing with notice is also important. Having a policy addressing a breach, and deciding how that policy is communicated, will also contribute to the messaging. And how quickly you respond and take care of the situation will have a significant impact on how you emerge from this crisis with your reputation unharmed.