It seems that the headlines every year become more driven by cyber incidents. The more accustomed we become to those headlines, the more normal these incidents seem. For small businesses, that creates a unique opportunity: planning that safeguards their information and that of their customers may also keep those companies out of the headlines if they ever suffer an incident. In the information security arena, good planning is good business.

The other lesson to come from Equifax and other high-profile breaches is this: Your company, meaning you, must care about information security and promote the value of information security at all levels. Employees need to understand that the company requires sensitivity to customer confidentiality at all levels. Executives and partners need to understand that they set the example and the tone for whether the company takes security seriously and that their behavior and policies will be the focus of great attention, if the company ever suffers a serious cybersecurity event. Create a “culture of confidentiality” to protect your own assets and those of your customers.

Public estimates of the Equifax hack put the cost to the company and its insurers at hundreds of millions of dollars. Of course, most companies don't hold information worth that much money. But every business is sensitive to business interruption, loss of confidential information, potential loss of customers or goodwill, the need to alert state authorities and national credit bureaus and other costly problems. Add in the expenses of counsel, PR firms and other response experts, and it is easy to see how a data incident can become a catastrophic occurrence, even if the information involved does not create liability to third parties.

Even a small internal incident can be costly and disruptive. Fortunately, there are several steps that any company can take. By using the below recommendations, your company can make itself far more secure against an attack than many other companies.

Data Audit

A “data audit” may sound like a large undertaking, but it doesn't have to be. At its simplest, a data audit might involve simply asking questions about what kind of information flows into your business and across your company networks. Knowing what you have can help you identify whether you have any duty to third parties to keep that material secure or to notify them if it ever gets compromised. Having this information in hand will prepare you for discussions with your insurer, your lawyers and other outside suppliers about your risk profile and what measures are appropriate for that particular level of risk.

Having this information recorded also will save you valuable time in case of an emergency, when one of the first steps is to assess any third-party liability you may face.  

Incident Response Plan

One step beyond knowing what you have, an incident response plan (IRP) lets you set forth in advance what you will do if your identified data assets are compromised. An IRP can be put into action, regardless of the nature of the eventual problem, meaning that while you work to discover whether you have been hacked or have a simple employee mistake on your hands, your IRP will give you a clear path for addressing secondary questions: do you need an outside IT expert, legal representative, insurance agent, PR firm, or other supplier? Who are those people, and how do you reach them?  How do you let appropriate internal stake-holders know of an emergency? These are some of the kinds of questions an IRP answers, in advance.

Employee Training

If your company has a policy manual, taking the time to update computer and related policies can be an effective tool in raising awareness, cultivating good employee habits and showing your diligence, if you ever have to explain your level of preparedness.

How you train your employees gives you the greatest opportunity you will have in terms of a culture of confidentiality.

IT Practices

There are multiple, easy ways to keep your network more secure than most. Use a firewall and anti-virus protection, and update those regularly. Require unique passwords and keep a list of which employees are authorized to access what accounts and materials. Have an on-boarding and exit process in place for employee devices and accounts. Keep sensitive material segregated on your network, either by password or by physical separation from other material.

The list of easy steps from an IT perspective is almost endless, but the ones you adopt should support (not hinder) your work while still promoting a culture of confidentiality. 

Remember Attorney-Client Privilege

Finally, a word about privilege: The planning process will almost certainly involve facing the particular risks your company faces and making decisions about which risks you have the resources to address. Those decisions are not privileged on their own. This means that the choices you make in advance are discoverable in case of a later investigation, lawsuit or other post-incident proceeding. Any plaintif's lawyer will love poring over your company's documented decisions about which problems not to fix. This is a perverse result of planning and can be managed, just like many other risks can. Having your lawyer involved in the planning process can help shield some of your decisions from later discovery and thus from being used against you.

Conclusion

There are many ways to improve your company's information-handling practices and multiple reasons to strive for security. Showing that you take these issues seriously, however, will be the most important way to shore up the story you tell to investors, to plaintiffs, to regulators—to anyone who wants to know “why didn't you do X?”  

Mitzi Hill is a partner at Taylor English, where she has worked on evolving technology issues for 20 years, largely with a focus on how new technologies affect consumers, commercial intellectual property strategy and commercial compliance. Her practice focuses on data security and privacy, entertainment and media matters, and technology licensing and development.