Joshua Baker, Attorney at Law

Joshua D. Baker

Member

Posted on August 20, 2014

Some studies have found that a company’s average cost of a data breach can exceed $5,000,000.  This cost does not factor in the additional damage that a company’s reputation will suffer, along with loss of consumer confidence and trust, lost or decreased sales, and brand devaluation.

While the risk of a data breach can never be eliminated entirely, there are certain proactive measures that can be taken to minimize the potential risk.

First, the business should check with its insurance company or broker to make sure that it is covered in the event of a data breach.  Most, if not all, commercial general liability insurance policies exclude from coverage any loss resulting from a data or system breach.  Insurers do offer other products though that will cover the business in the event of a data breach.  Check with your insurance company to make sure that coverage exists.

Second, a company should consider doing its own privacy and security assessment before a breach occurs.  If the company does not have the internal resources to perform this assessment, there are many outside suppliers that now perform data assessments and audits.  These audits can identify potential weaknesses in a company’s security detail and make recommendations on how to improve or modify existing systems.

Third, the company should consider performing the assessment in conjunction with legal counsel.  Involving counsel in the process can strengthen the argument that the assessment is protected by the attorney-client privilege.  Counsel can also help the company navigate through the tangled patchwork of federal and state laws and regulations that may be impacted in the event of a data breach.

Fourth, the assessment of a company’s security systems and protocols will address unanticipated vulnerabilities.  While the company’s own information technology department might be aware of possible weaknesses in the company’s system, it is unlikely that the IT department will know about the potential vulnerabilities that might exist from vendors or third parties that the company regularly relies upon during the ordinary course of its day-to-day operations.

Fifth, performing a proactive assessment of a company’s systems in advance of a data breach will put the company in the best possible position to defend against the litigation and regulatory investigations that will likely follow after any breach of a data system occurs.  Performing an assessment before a breach happens can demonstrate that the company was acting in a responsible and reasonable manner at all times in protecting the personal information of its customers and clients.