Tips for Protecting Your Data

20 January 2015 Privacy, Cybersecurity & Technology Law Perspectives Blog

With the global economic cost of cybercrime totaling more than $400 billion per year and breaches affecting companies ranging from retailers (e.g. Target, Walmart and Staples) and restaurants (Dairy Queen and Jimmy John’s) to tech companies (Snapchat), banks (JPMorgan), electronics and entertainment enterprises (Sony Corporation) and even NASA, companies of all sizes across all industries should be thinking about how to better safeguard their data.

Here are some tips from a few security pros: Ken Leeser, Kaliber Data Security; Ken Levine, Digital Guardian; Ralph Rodrigues, Delfigo Security; Danielle Sheer, Carbonite; and Foley Partner Aaron Tantleff, who spoke on data security at the 2014 FOLEYTech Summit.

Focus on the Data

Conduct an internal study of the data your company maintains, then trace its path from its initial resting point, through its paths of transit, to its end point. Once you can identify the data and its intended path, you can build an imaginary fence around it and modify its pathways, building a secure ecosystem around the data.

Think about the types of data you are collecting. Do you need to collect and store it? You can’t have a data breach if you don’t store any data.

Check the Box

While there is no one generally applicable data security law, many states have their own forms of regulation. Pick a law, such as the Massachusetts data security regulations, then create an actionable plan to ensure your company fully complies with the regulations. If necessary, use security vendors to help you interpret the regulations, assess your level of compliance and walk you through the steps many other companies have taken.

Make sure you are aware of any industry-specific standards that may apply to your company: it may not be enough to check the box if all of your competitors follow a more rigid standard. Be sure to document everything you do and why you do it, but remember that once you document something, including any report analyzing your level of compliance, you must act upon it rather than ignore it.

While compliance with regulations and industry standards will not insulate your company from liability, it will likely reduce such liability and will certainly make your customers feel better about giving you their business.

Create a Culture of Education and Compliance – Start from Day One

Once you’ve brought the company in compliance with applicable regulations and industry standards, think about what else you can do to further develop your security ecosystem. Listen to where hacks and breaches are occurring elsewhere in the news and think about whether you are vulnerable to a similar breach.

Especially for smaller or younger companies, building a culture of education and compliance from day one is critical. Incorporate data security into your employee onboarding procedures, continually update your policies and send reminders of them, and put in place policies and tools that steer user behavior, such as implementing certain password requirements and alerts when undesirable behavior occurs (e.g., a prompt asking whether you are sure you want to download data to a USB drive or include that external email address). Finally, create a security email alias and a security council, made up of cross-functional teams, that meets weekly. Start the conversations early and keep them going.
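The "are you sure?" prompts mentioned above are simple to build once you know what internal looks like. The following is an added example, not code from the original post or from any of the vendors named in it: one check flags outbound mail addressed to domains other than the company's own, and another flags a file copy whose destination sits under a removable-media mount point. The internal domains, mount points and sample addresses are constructed for illustration and are not values from the page.

```python
"""Two illustrative "are you sure?" checks of the kind the post describes.
Added example, not code from the original post. All domain names and mount
points below are constructed assumptions, not real policy values."""

from dataclasses import dataclass

# Assumed internal domains (constructed); a real deployment loads these from policy.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Assumed mount points for removable media (constructed for the example).
REMOVABLE_MOUNTS = {"/media/usb0", "/Volumes/USBDISK", "E:/"}


@dataclass
class PolicyWarning:
    kind: str     # "external_recipient" or "removable_media"
    detail: str   # what triggered the prompt
    prompt: str   # the question shown to the user


def recipient_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address, or '' if malformed."""
    if address.count("@") != 1:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def external_recipients(recipients, internal_domains=INTERNAL_DOMAINS):
    """Return the recipients whose domain is not an internal domain or a subdomain of one.

    A malformed address has no domain and is treated as external (fail closed)."""
    external = []
    for addr in recipients:
        domain = recipient_domain(addr)
        internal = any(domain == d or domain.endswith("." + d) for d in internal_domains)
        if not internal:
            external.append(addr)
    return external


def check_email(recipients, internal_domains=INTERNAL_DOMAINS):
    """Return a PolicyWarning if any recipient is external, else None."""
    ext = external_recipients(recipients, internal_domains)
    if not ext:
        return None
    return PolicyWarning(
        "external_recipient",
        ", ".join(ext),
        f"This message goes to {len(ext)} address(es) outside the company "
        f"({', '.join(ext)}). Are you sure you want to send it?",
    )


def check_copy(destination: str, removable_mounts=REMOVABLE_MOUNTS):
    """Return a PolicyWarning if destination lies under a removable-media mount, else None."""
    dest = destination.replace("\\", "/")  # normalise Windows separators
    for mount in removable_mounts:
        m = mount.rstrip("/")
        if dest == m or dest.startswith(m + "/"):
            return PolicyWarning(
                "removable_media",
                destination,
                f"You are about to copy data to removable drive {mount}. Are you sure?",
            )
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for recipients in (["alice@example.com"], ["alice@example.com", "eve@gmail.com"]):
        w = check_email(recipients)
        print(recipients, "->", w.prompt if w else "ok")
    for dest in ("/home/alice/report.csv", "E:/customers.csv"):
        w = check_copy(dest)
        print(dest, "->", w.prompt if w else "ok")
```

The domain comparison is exact or suffix-on-a-dot, so a look-alike such as `evil-example.com` is still treated as external; the mount-point comparison is a path prefix on a separator boundary, so `/media/usb0-old/...` does not match `/media/usb0`.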

For more tips, check out the following article by Foley Partners Susan Pravda and Gabor Garai: Big Companies Should Think and Act Like Startups to Keep Data Safe.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only.
