Insurance and Corporate Vigilance Against Cyber Breaches: 5 Steps to Take in the Absence of Cross-Industry Protocols
Despite the lack of bright-line procedures, there are five risk reduction measures a company may consider implementing to reduce its potential exposure to cyber breaches, strengthen its security protocols, and have some degree of protection in place in the event a lawsuit for a cybersecurity breach ensues.
March 23, 2018 at 02:59 PM
6 minute read
The Federal Trade Commission (FTC), whose mission includes protecting consumers, has not yet issued specific rules that companies must follow to safeguard their clients' confidential proprietary information that is digitally stored on company computers, iPhones, and other electronic devices. The absence of clearly stated cybersecurity metrics can expose a company to hackers and cyber breaches, which can land a company in litigation.
Despite the lack of bright-line procedures, there are five risk reduction measures a company may consider implementing to reduce its potential exposure to cyber breaches, strengthen its security protocols, and have some degree of protection in place in the event a lawsuit for a cybersecurity breach ensues.
|Step 1: Improve and Reinforce Network Security Risk Management Measures
No matter a company's size, there are a few basic network security measures the company can implement. For example, if a company controls access to its computer system, in addition to requiring its employees to have complex passwords consisting of at least ten characters and that they must change every 90 days, that company can also install anti-virus/Malware protection and intrusion detection software on all of its equipment that has internet access. A company may also direct employees to use uncommon names, words, and dates in their passwords, and to incorporate symbols, numbers, and capital letters throughout their passwords, not just at the password's beginning and end. Also, while a company may have a data retention and destruction system in place for physical data, it may want to consider having a similar system in place for electronic data as well.
|Step 2: Put in Place or Review the Existing Network Security Policy
If a company does not already possess a written physical and network company-wide security policy, it is good to have one drafted and put in place. The company's employees can then be trained at least annually regarding the policy's contents so that they become familiar with it and can institute as part of their daily routine the safety measures and precautions detailed therein.
If the company is financially able to do so, it may want to consider hiring an information technology specialist who is responsible for that company's information technology security. It may also want to consider implementing a two-factor authentication system as a means of system protection, even when an employee's password has been compromised. For this dual authentication system, an employee's password and one additional piece of information are needed for entry into the company's computer system. This second piece of information can be sent via phone, token, or other device, and can consist of a randomly-generated number or code.
|Step 3: Encrypt Data Stored on Devices in Addition to Computers
In addition to desktop computers, employees' laptops, mobile phones, and flash drives can also contain clients' confidential proprietary information. Encrypting this information is one step an employer can take to reduce its electronic data breach risk exposure. Encrypting personal information that is “at rest” within computer databases or is “in transit” via e-mail or other electronic communications programs adds another layer of protection against cyber breaches.
|Step 4: Be Vigilant About Implementing Employee Controls
A company needs to be vigilant at all stages of dealings with potential, current, and departing employees. It goes without saying that during the on-boarding process, a company should conduct basic background checks on all of its potential employees. Once a person officially becomes a company employee, they should only be able to access personally identifiable confidential information on a business “need-to-know” basis. When an employee leaves the company, access to the company's computer system and user accounts should be discontinued immediately.
A company also needs to teach its employees to protect their laptops and other company-related mobile devices as they would cash. This means not leaving laptops unattended at airports, hotels, the local coffee shop, or elsewhere. Keep a watchful eye on these devices at all times.
|Step 5: Invest in a Company Cyber Liability and Data Security Insurance Policy
Even if a company takes the above steps, a company might consider purchasing a cyber liability and data security insurance policy in the event that a cybersecurity breach nevertheless occurs. In its role as the insured, a company that has this type of policy in place has an agreement with the insurance carrier that it will defend the company in certain types of lawsuits and proceedings and will pay for certain losses the company sustains as a result of an unfavorable determination in such lawsuits. These policies typically also provide that the insurer will reimburse the company for certain credit/payment card industry fines and penalties it may incur as a result of the cyber breach. Given the large costs that can potentially be involved for each of these, investing a in a cybersecurity policy is a step that companies may consider to ensure they receive these additional protections.
|Conclusion
The centrality of data to contemporary business makes preventing data breaches critical. Regulatory standards are starting to emerge. In addition, implementing the precautionary measures such as the ones discussed above can help companies take proactive steps to minimize their risk for cyber attacks and breaches. These measures can also position a company so that it improves its chances of withstanding a lawsuit, reduces losses that may accompany such proceedings, and implements certain safeguards that limit its chances of becoming the next headline.
Kimberly E. Diamond is an Adjunct Professor of Energy Law at Fordham Law School in New York City with 20 years of transactional experience working with large banks, companies, funds, and other businesses to help minimize their risks in complex business transactions. She is Chief Executive Officer of Boaz Energy Group, specializing in risk management, cyber liability, and data security insurance. She can be reached at [email protected].
Paul M. Gelb has 20 years of business litigation experience and provides legal representation to companies in real estate, data use and privacy, technology transactions and e-commerce. Mr. Gelb is Counsel in the Los Angeles office of Drinker Biddle & Reath. He can be reached at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
A Blueprint for Targeted Enhancements to Corporate Compliance Programs
7 minute read
Three Legal Technology Trends That Can Maximize Legal Team Efficiency and Productivity
Corporate Confidentiality Unlocked: Leveraging Common Interest Privilege for Effective Collaboration
11 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
