Security and data breaches don’t favor one organization or industry over another, and are taking place every day. Companies should consider the “how” of a breach (as opposed to the “who”) to evaluate their exposure to a similar event.
Over the past two years, retail organizations have been targeted heavily due to the volume of information in their care, custody and control, including credit card information, confidential information for loyalty programs, and employee data. No company is immune — if you rely on technology to run your business or you store customer or employee data, you are exposed to network and privacy risk.
Until recently, many regarded data and network security risk as trivial compared to other threats such as theft, slips and falls, and workplace violence. But with compromises of data and computer systems occurring far more frequently, it's one risk you don't want to underestimate. Reputational harm stemming from a poorly managed breach can be catastrophic.
Five myths you can’t afford to believe:
There are 47 states and several U.S. territories that have enacted security breach notification legislation in response to recent breach events. In New Jersey, a breach is defined as unauthorized access to electronic files, media or data containing personal information (PI) that compromises the security, confidentiality or integrity of that PI, unless an investigation finds that misuse of the PI is not reasonably possible (that determination must be documented in writing and the documentation retained for five years). New Jersey's definition of PI goes beyond an individual's name, social security number and account numbers to also include a username or email address in combination with a password or security question and answer that permits access to an online account. It also covers dissociated data that, if linked, would constitute PI, where the means of linking it were accessed as well.
Following discovery of an incident and an investigation that confirms misuse of PI is reasonably possible, the first point of contact is the Division of State Police in the Department of Law & Public Safety. New Jersey law then requires a business or state agency to notify any New Jersey resident whose PI is reasonably believed to have been acquired, in the most expedient time possible and without undue delay. For incidents affecting more than 1,000 residents, consumer reporting agencies must also be added to the notification list.
Readiness is the most important step. Businesses can’t afford to “figure things out” after a breach occurs. It’s critical to have a ready-to-use incident response plan, an on-call forensics expert and a privacy attorney on retainer. Then, when a potential issue is identified, an organization is ready to mitigate the effects of the breach and deter any potential litigation.
It is essential for organizations to adopt policies and procedures addressing information security, along with a concrete, comprehensive plan for incident response. Consider these questions to create “peace of mind”:
Meredith Schnur is the Technology Privacy and Network Risk practice leader for Wells Fargo Insurance. She has 20 years of experience providing consultative services, market negotiations, policy analysis and placement, policy administration, and claims advocacy services in the areas of professional and technology errors & omissions, network security and privacy risk. She can be reached at (973)437-2344 or [email protected]. License #0D08408.
ALSO ON THE NJBIZ “INDUSTRY INSIGHTS” BLOG: