The Basics: Why Data Security Matters | Upsize Minnesota | November/December 2023

In today’s digital age, the personal and sensitive consumer information organizations store is the single greatest target for bad actors. Breaches can financially cripple unprepared small businesses. Business leaders must understand the contour of data privacy laws and best practices to safeguard this information.

The importance of data privacy

“Data privacy” describes the protection of personal and sensitive information from unauthorized access, use or disclosure. This includes social security numbers, financial records, health information and other details that could identify or harm individuals.

Safeguarding such information is vital. A data breach may trigger legal consequences and reporting obligations which could divert internal resources and cause significant financial losses including fines, legal fees and compensatory restitution and nonmonetary damages, including reputational harm.

Laws and regulations governing data privacy

Numerous state, federal and international laws govern data privacy and security. These laws are rapidly evolving and broadly applied to large and small businesses. Because of this, it is important to stay abreast of new laws. Some notable ones include:

• California Consumer Privacy Act (CCPA) applies to entities doing business in California that meet certain gross revenue requirements and who buy, sell or share personal information of 100,000 or more California residents. The CCPA grants California residents certain rights and controls over the use of their personal information.
• Health Insurance Portability and Accountability Act & Health Information Technology for Economic and Clinical Health (HIPAA/HITECH) safeguards patients’ protected health information by requiring covered entities and their business associates to comply with certain health record security standards and sets out health information use and disclosure requirements.
• The Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) requires companies that offer consumers financial products or services such as loans, financial or investment advice or other consumer-facing financial products to explain their information-sharing practices and to implement specific security practices to safeguard sensitive information.

Do these laws apply to my business?

Data privacy laws and regulations apply to businesses that collect, maintain or use sensitive consumer information. All businesses should understand data privacy industry standards and what laws and regulations may govern their internal policies and procedures for safeguarding such information.

Best practices for a small business?

There is no single approach to implementing a data privacy and security management system. The appropriate safeguards depend upon the size of the organization, the kind of information gathered and used, and the laws applicable to your organization. With that in mind, here are a few key concepts:

• Encryption: Encrypt sensitive data during transmission and storage to prevent unauthorized access.
• Access control: Implement strict access controls to limit who can access sensitive data and regularly update these permissions.
• Test, monitor and audit: Conduct regular security penetration tests, audits and assessments to identify areas for improvement.
• Data minimization: Collect only the data necessary for business purposes and delete data no longer needed. Implement data destruction policies and ensure that data is retained consistent with business needs and applicable law.
• Employee training: Train employees on data security protocols and practices to reduce human error.
• Incident response plan: Develop a clear and comprehensive incident response plan to address data breaches promptly and effectively.

Biggest threats to my business’ data security?

• Cyberattacks: These encompass phishing, malware, ransomware and distributed denial of service attacks.
• Third-party vulnerabilities: Vendors, outsourcing agencies and other third-parties can introduce vulnerabilities to your systems and customers. Review vendor contracts to ensure there are contractually obligated security standards and notification requirements. Watch for indemnity provisions attempting to shift the financial burden of a breach to your business!
• Human error: Negligence, such as misconfigured cloud storage or accidentally sharing information, remains common.
• Advanced persistent threats: These are long-term, targeted attacks aimed at stealing sensitive data or disrupting operations.

What should I do if my business is breached?

A well-prepared response is generally required and can mitigate financial losses to your customers and your business. When a breach is discovered, be prepared to take these steps:

• Activate your incident response plan: The longer you wait, the larger your potential consequences.
• Secure your operations: Isolate and secure your systems from further access and fix vulnerabilities that may have caused the breach. Do not destroy evidence that may assist in locating the bad actor or mitigating the damage. If you don’t have the internal expertise to secure and mitigate the data breach, contact an area expert to do so.
• Contact an attorney. Contacting an attorney with knowledge of cybersecurity laws will ensure you follow the appropriate and necessary processes required when responding to a breach.
• Contact law enforcement. The more quickly you contact law enforcement, the more likely you are to locate the bad actor and potentially recover any financial losses.
• Investigate the breach: After you have secured the data and stopped the breach, investigate the scope and cause of the breach.
• Mitigate damage: Take steps to rectify vulnerabilities and prevent future breaches.
• Notify affected parties: Depending on the nature of the breach and relevant laws, you may want or be required to notify individual consumers affected by the breach.
• Communicate transparently: Keep stakeholders informed about the situation and actions taken to address it.
• Improve security measures: After you have contained and responded to the breach, improve security protocols and update policies and procedures based on what you learned.

Jessica Klander is a shareholder with Bassford Remele and the co-chair of the Consumer Defense practice group. Her practice focuses on defending lawyers, financial entities, healthcare providers, and other organizations against consumer financial protection claims, malpractice, and professional liability claims. In particular, she counsels organizations on privacy, data security, and governmental and regulatory affairs. She assists with advising and representing health care organizations, collection agencies, and law firms against state and federal regulatory inquiries, civil investigative demands, and consumer lawsuits.

Bryce Riddle is an attorney with Bassford Remele. He focuses his practice in the areas of complex commercial litigation, data privacy and cybersecurity, construction, general liability, and tort litigation. He has significant class action experience.

Link to article