Data breaches, their prevention and responses to them are an IT problem, but other areas of a business must also prepare. A company’s legal department must be more invested in data breaches—by reviewing contracts, amending them if needed and participating in a breach response team.
These days, almost all contracts need language that defines each party’s responsibilities in preventing data breaches and responding to them. Failing to have such language invites finger-pointing and lawsuits when breaches occur. The contract language around data security must be in alignment with the company’s internal data security policies, with any relevant regulatory requirements (such as HIPAA for healthcare data) and with third-party standards (such as PCI DSS for credit card data).
Not all of a firm’s contracts contain such language, and those that do may be out of date. Forward-thinking legal departments have their contracts organized using a contract management software system that enables them to search through and quickly identify which contracts contain no data security provisions and which need to be amended when policy or regulatory requirements change. Companies without such systems face a more laborious task of reviewing each contract manually—and doing so repeatedly, given the fast-changing regulatory landscape.
Breach Response Planning
A disaster recovery plan, which is executed when a disaster such as a fire, earthquake or flood disrupts the operations of the business, identifies a disaster response team. This team comprises representatives from each part of the business and defines each member’s roles and responsibilities during a disaster.
Similarly, businesses should have data breach response plans and response teams. Team membership will vary from one firm to another, but typically involves the IT, accounting, public relations and legal departments, and the company’s senior leadership. These response plans outline the steps each team member must take to assess the scope of the incident, prevent further damage, investigate the cause and communicate with the media, customers, suppliers, law enforcement and (if applicable) shareholders.
The legal department’s role is to assess the firm’s contractual obligations regarding data breaches and ensure the company responds accordingly. Among the actions the legal department takes will be to determine, for each contract, whether the current data breach meets the definition in the contract and warrants action.
Disaster recovery planning experts recommend that disaster recovery plans be reviewed and tested regularly; testing includes having all the team members respond to a simulated disaster. The same approach should be taken for data breach response plans to keep strategies up to date and eliminate gaps or duplication of effort.
Data breaches—both those that involve hacking in from outside, and deliberate or accidental breaches from within—are on the increase, and it is highly likely that all companies, large and small, will experience some sort of breach. Those that are not prepared may not survive to do it right the next time.
Written by Desh Urs
Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.
As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.
Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.