By: Kamron Abedi
Every day businesses have their data compromised due to hacking, natural disasters, and human error. In 2017, there were 1,579 publicly recorded data breaches effecting 1.9 billion consumer records and cost the businesses involved an average of $3.62 million in damages. Fires, hurricanes, and other similar natural disasters destroy paper files and servers that store data. Finally, the leading cause of data loss is human error. People make mistakes and delete massive amounts of data accidentally. These incidents can happen to any business, large or small, so it is important to take the necessary steps to make sure your data is secure and backed up. It’s important to know what to do from a legal perspective when this happens. Below are four steps to take to ensure that your business’ data is protected from hacking, natural disasters, and human error, together with comments from a legal perspective.
Determine What Data Needs to be Secured
Most businesses have employee records, client records, trade secrets, proprietary information, financial records, and marketing information that need to be secure in order for the business to perform successfully and maintain compliance with privacy laws. For example, employee records relating to your employees’ health are protected by HIPPA, and disclosure of those records come with penalties and fines for your business. Trade secrets and proprietary information are crucial to the success of your business and if those records are compromised it can be financially disastrous for your business. Even though trade secrets and proprietary information are protected by statutes, once they are out, there is no going back. Therefore, it is important that you identify the information that your business needs to protect before deciding how to protect that information.
Create a Lean Data Retention Plan
Once you have identified the type of data that your business needs to retain and secure, implement a plan to keep only the necessary data and purge all unnecessary data from your business’ files and servers. Keeping unnecessary records and data will only make it more difficult and costly to secure and backup your business’ data. An effective data retention plan ensures that your business’ data is safe and allows your business to focus as little energy and resources to data retention as possible. When the data retention plan is in place, make sure that all of your employees are trained and understand the process.
Backup and Secure the Data
It is important to backup your data in multiple locations in order to ensure that your data is not lost completely if one of your storage locations is compromised. If your business has paper files, it is imperative that you electronically backup all of your important or confidential files. A simple pipe burst or even a fire in a neighboring building can destroy paper files, and without a digital backup, they are lost forever. Depending on the amount of data your business needs to backup, you can use a flash drive, external hard drive, cloud backup, or other online data management service. Do not store your backup of your files in the same place where you keep the primary copy of the files as a natural disaster or accident can destroy both copies of your data.
Next, ensure that your data is secured, both in your primary storage space and your backup storage space. When keeping paper files, ensure that you keep them in a locked space and only grant access to the employees that absolutely need access to the records. In the case of a cloud backup or online data management service, ensure that the company you are using to store your has an effective data security plan that will keep your files encrypted and out of the hands of hackers.
Privacy law Updates and Changes
Finally, be sure to keep up with updates in privacy laws and changes in your business’ data retention needs. A data security plan is not effective unless it adapts to the growth of a business and any new regulations that effect the business.
What to do if your data has been breached?
In all states of the USA, there are data breach laws. There are also federal regulations that apply. These laws require businesses to notify individuals who have been impacted by security breaches that may compromise their personally identifiable information. It’s important to know when and how you are required to inform individuals who have been impacted. In some states, you are required to notify individuals within 45 days. Most states also require written notice. While it would be impossible to sum all of this up in one short blog post, you can see the complete state-by-state data breach guide here.
Note that if you do business in Europe, the GDPR has laws that apply to you as well. See Inside Entrepreneurship Law blog post: What Every Entrepreneur Needs to Know About the GDPR.
In closing, if you have had a breach, contact an attorney who is familiar in this area to help you immediately. Time is of the essence when it comes to compliance in this area.
Kamron Abedi, at the time of this post, is a third year law student at Penn State’s Dickinson Law. He is originally from Southern California and will start his legal career at Stevens & Lee in Reading, PA as an associate in their Corporate practice group. He is also the Founder & President of the Business Law Society at Dickinson Law.
Sources:
https://www.ftc.gov/news-events/blogs/business-blog/2018/09/your-business-prepared-emergency-your-data
https://www.ispartnersllc.com/blog/5-steps-developing-data-retention-policy/
http://www.govtech.com/blogs/lohrmann-on-cybersecurity/new-guide-on-state-data-breach-laws.html
https://www.computerweekly.com/news/450297535/Human-error-causes-more-data-loss-than-malicious-attacks
