Managing Data Breaches: Back to Basics

The biggest threat to the security of your company’s intellectual property is more than likely not a nefarious hacker donned in a hoodie, cleverly disguised and lurking in the deepest, darkest corner of the internet. In fact, the primary threat to your data security is more than likely the well-meaning, employee working diligently at their computer in plain sight.

"You’re not always dealing with bad guys. More times than not, it is an employee who made a mistake; an employee who maybe chose to send that wire transfer without verifying it was the right recipient. It’s not brute force attacks – not the high-tech breaches that get all the attention or are interesting. It’s people making mistakes inside your own organization," says Scot Ganow, senior counsel and co-chair of Taft Stettinius & Hollister LLP’s privacy and data security practice.

A former chief privacy officer, Ganow leverages more than 10 years of management and Taft practice.  Ganow expertly assists clients in all aspects of the data life cycle, including policy development, implementation assessment and training; identifying, evaluating and managing privacy and security risks; third-party management, including onward transfer agreements and audits; and data breach and incident response management and counseling. Ganow also assists clients in dealing with a variety of data governance regulations, including HIPPA, GLBA, FCRA and state laws governing personally identifiable information (PII). He counsels clients on compliance with various security standards, including PCI-DSS for credit card data, ISO and NIST. He also has experience with intellectual property matters as a patent attorney, and counsels clients on general business law matters.

And in the event a company is dealing with bad guys?

"A lot of smaller companies and organizations like to say, ‘Come on, this doesn’t really apply to me – I’m a five-person shop in  Mayberry, Ohio – nothing happens in Mayberry, Ohio," says Ganow. "You need to understand that you may indeed be a small company in Mayberry.  Maybe even a small company with just one big contract or client. Perhaps that one big contract is with the Air Force base on the other side of town or a large auto manufacturer. Often that big client is the attacker’s target, not you. However, because you are small and have not properly developed your data governance and information security program, you are a vulnerability and an easy, open door to get to that target because you share communications or even a network or portal with that huge client.   

"So, data security is relevant – whether in Dayton, Cincinnati or Louisville," he continues. "You may not be the target, but you are the way in. That’s why understanding your role in the data ecosystem is very important, and you at least have to manage your piece of that. Maybe you can deal with losing data or time to a security incident, but can you lose that big client?"

Can Your Company Absorb a Data Breach?

Data breaches are expensive, says Ganow. People focus on the legal liability of dealing with a breach, but often a company spends and loses more money in the response and investigation before a single notice is ever mailed.  And the smaller businesses may have to shut their doors because they weren’t prepared for a data security incident.

"For a small shop, a data breach response can be a month of work, and that’s a month dedicated to lawyers and forensics and letters and PR – and all that time you’re not working on your widgets. And that is very difficult for businesses to sustain and survive overall."

Fortunately, there are several steps the smaller companies can take to help themselves and their employees avoid making the kind of mistakes that can cause a data breach, Ganow points out. For starters, get your arms around your data. "Know which data you have and why.  Know where you house and process such data, both in the digital and physical world.  If you can’t do those things, you can’t properly safeguard that data (much less tell the world you do). Indeed, knowing those basics can mean the difference between hours, days or months of an investigation.

And when it comes to putting those administrative, technical and physical safeguards in place, Ganow says you just need to be reasonable. "I tell my clients, ‘Look, you don’t have to outrun the bear; you just have to outrun the next guy. So, if your passwords are strong – better than password123 or qwerty or 12345 – and you lock your doors and cabinets, you have automatic virus protection and you encrypt your confidential information – which are all things any company can do anymore – you are already ahead of the game," he says. "It’s all a matter of scale and risk and doing what’s reasonable for you and the type of data you process. And those little things I’ve talked about that sound so small can make all the difference."

Making Widgets? Secure Data Still Matters

All businesses have data to be concerned about when it comes to security, Ganow emphasizes.

"Manufacturers may think, ‘We’re manufacturers; we make widgets, we make products – we don’t have data, Ganow emphasizes. But of course you do – you have customer data, employee data, not to mention proprietary information and intellectual property. You have loads of information that is valuable. You can’t just think about security in terms of confidentiality. Yes, it’s bad if your data gets stolen or taken, but there are three parts to security. It’s a triad – one is confidentiality, but the other two parts are the integrity of the data and the accessibility of the data.

"So, when I talk to my manufacturing clients and my supply chain clients, I say, ‘Fine, maybe you don’t have as much personally identifiable or regulated data as other companies.  However, let me ask you, what is the impact if you lose access to or control of your supply chain for the next three days?" Ganow continues. "What if your system is taken offline by a ransomware attack and you lose three days of productivity and you’re a 24-hour shop? Does that mean something differently to you then?’ Because security plays into that as well."

Your data might be confidential, for example, but it’s encrypted and you can’t get to it because the system has been locked down and you have no means by which to access it.

"These are all aspects that are important in helping our clients think realistically about data security and why they should be concerned about it," Ganow says. "If you aren’t concerned about the privacy or confidentiality aspects of your data, then you need to think about the money out the door in the form of opportunity costs and time lost."

Back to Basics

Technology may change, and how companies use data may change, but the basic tenets of sound and simple data governance and security still apply, Ganow says.

"Policy, procedure and training your people still have the biggest impact on your data security."  Those principals have been around forever, and they really don’t change. Do you give notice to people how you are going to use the data, whether they are customers or employees? Do you have consent or permission to use the data? Do you use the data in accordance with those permissions? Do you keep it secure? Do you give it to the people with the means to solve problems if they arise? You just need to stop yourself and ask, ‘What data do we need, and why do we need it? (The best security is not having the data in the first place).  How are we getting it? Are we allowed to have it? And do we use it in the way it is intended?’ If you can show all that, you’re generally going to comply and meet the requirements of the law, as well as have a good story to tell when, not if, an incident rocks your world."

Taft Stettinius & Hollister LLP has offices in Chicago, IL; Cincinnati, Cleveland, Columbus, Dayton, Delaware, OH; Indianapolis, IN; Covington, KY; and Phoenix, AZ. For more information, visit www.taftlaw. com/.