With the recent uptick of high-profile data breaches and lawsuits being filed as a result by both employees and consumers as a result, every business should take a fresh look at its information security policies and data breach response plans with two thoughts in mind: compliance with applicable laws, and limiting liability in the event of litigation. Cybersecurity is a critical and timely issue for all businesses. If your company has employees and pays them or gives them benefits, then your company is maintaining their personally identifiable information and faces liability in the event of a data breach.
Currently, there is no comprehensive federal law that sets forth a uniform compliance standard for information security best practices or data breach response plans. Companies operating in the U.S. must comply with a patchwork of 47 different states’ laws that set forth a company’s obligations in the event of a data breach. In the wake of several high-profile data breaches, state legislators in the U.S. have been updating these state laws in the past few months, adding new requirements.
In addition to dictating how and when a company must respond in the event of a data breach in which personal information has been compromised, a number of these laws also contain substantive requirements about cybersecurity measures a company must take generally. Add into this mix that a U.S. Court of Appeals agreed with the Federal Trade Commission (FTC) that it has the right to file lawsuits against businesses that it deems have lax information security protocols – without informing companies in advance of the standard to which they will be held.
Against this backdrop, Seyfarth attorneys Karla Grossenbacher and John T. Tomaszewski provided a high-level discussion on how businesses can structure an information security program to comply with applicable law and minimize liability – since waiting for a breach is not an option. They discussed, from a legal perspective:
- Essential components of a comprehensive information security policy;
- Key elements of a data breach response plan including strategies for state law compliance; and
- Best practices for dealing with third party vendors that store personally identifiable information for your company.