The Federal Trade Commission (FTC), whose mission includes protecting consumers, has not yet issued specific rules that companies must follow to safeguard their clients' confidential proprietary information that is digitally stored on company computers, iPhones, and other electronic devices. The absence of clearly stated cybersecurity metrics can expose a company to hackers and cyber breaches, which can land a company in litigation.

Despite the lack of bright-line procedures, there are five risk reduction measures a company may consider implementing to reduce its potential exposure to cyber breaches, strengthen its security protocols, and have some degree of protection in place in the event a lawsuit for a cybersecurity breach ensues.

Step 1: Improve and Reinforce Network Security Risk Management Measures

No matter a company's size, there are a few basic network security measures the company can implement. For example, if a company controls access to its computer system, in addition to requiring its employees to have complex passwords consisting of at least ten characters and that they must change every 90 days, that company can also install anti-virus/Malware protection and intrusion detection software on all of its equipment that has internet access. A company may also direct employees to use uncommon names, words, and dates in their passwords, and to incorporate symbols, numbers, and capital letters throughout their passwords, not just at the password's beginning and end. Also, while a company may have a data retention and destruction system in place for physical data, it may want to consider having a similar system in place for electronic data as well.

Step 2: Put in Place or Review the Existing Network Security Policy

If a company does not already possess a written physical and network company-wide security policy, it is good to have one drafted and put in place. The company's employees can then be trained at least annually regarding the policy's contents so that they become familiar with it and can institute as part of their daily routine the safety measures and precautions detailed therein.

If the company is financially able to do so, it may want to consider hiring an information technology specialist who is responsible for that company's information technology security. It may also want to consider implementing a two-factor authentication system as a means of system protection, even when an employee's password has been compromised. For this dual authentication system, an employee's password and one additional piece of information are needed for entry into the company's computer system. This second piece of information can be sent via phone, token, or other device, and can consist of a randomly-generated number or code.

Step 3: Encrypt Data Stored on Devices in Addition to Computers

In addition to desktop computers, employees' laptops, mobile phones, and flash drives can also contain clients' confidential proprietary information. Encrypting this information is one step an employer can take to reduce its electronic data breach risk exposure. Encrypting personal information that is “at rest” within computer databases or is “in transit” via e-mail or other electronic communications programs adds another layer of protection against cyber breaches.

Step 4: Be Vigilant About Implementing Employee Controls

A company needs to be vigilant at all stages of dealings with potential, current, and departing employees. It goes without saying that during the on-boarding process, a company should conduct basic background checks on all of its potential employees. Once a person officially becomes a company employee, they should only be able to access personally identifiable confidential information on a business “need-to-know” basis. When an employee leaves the company, access to the company's computer system and user accounts should be discontinued immediately.

A company also needs to teach its employees to protect their laptops and other company-related mobile devices as they would cash. This means not leaving laptops unattended at airports, hotels, the local coffee shop, or elsewhere. Keep a watchful eye on these devices at all times.

Step 5: Invest in a Company Cyber Liability and Data Security Insurance Policy

Even if a company takes the above steps, a company might consider purchasing a cyber liability and data security insurance policy in the event that a cybersecurity breach nevertheless occurs. In its role as the insured, a company that has this type of policy in place has an agreement with the insurance carrier that it will defend the company in certain types of lawsuits and proceedings and will pay for certain losses the company sustains as a result of an unfavorable determination in such lawsuits. These policies typically also provide that the insurer will reimburse the company for certain credit/payment card industry fines and penalties it may incur as a result of the cyber breach. Given the large costs that can potentially be involved for each of these, investing a in a cybersecurity policy is a step that companies may consider to ensure they receive these additional protections.

Conclusion

The centrality of data to contemporary business makes preventing data breaches critical. Regulatory standards are starting to emerge. In addition, implementing the precautionary measures such as the ones discussed above can help companies take proactive steps to minimize their risk for cyber attacks and breaches. These measures can also position a company so that it improves its chances of withstanding a lawsuit, reduces losses that may accompany such proceedings, and implements certain safeguards that limit its chances of becoming the next headline.

Kimberly E. Diamond is an Adjunct Professor of Energy Law at Fordham Law School in New York City with 20 years of transactional experience working with large banks, companies, funds, and other businesses to help minimize their risks in complex business transactions. She is Chief Executive Officer of Boaz Energy Group, specializing in risk management, cyber liability, and data security insurance. She can be reached at [email protected].

Paul M. Gelb has 20 years of business litigation experience and provides legal representation to companies in real estate, data use and privacy, technology transactions and e-commerce. Mr. Gelb is Counsel in the Los Angeles office of Drinker Biddle & Reath. He can be reached at [email protected].