The number of information security breaches in the United States has been growing, warned Diaz. And while there is no single regulation that governs a company’s obligation to provide security for the sensitive data it collects, there is a growing patchwork of international, federal and state laws—such as the Federal Trade Commission Act and the Gramm-Leach-Bliley Act—that obligate a company to provide safety measures. A list of some of the other relevant regulations is available in the course materials here.
The consequence of deficient security is significant. Panelist Paul Devinsky, partner with McDermott Will & Emery LLP in Washington, D.C., shared the example of BJ’s Wholesale Club, one of 20 companies targeted by the Federal Trade Commission’s recently formed division of piracy and identity theft for its inadequate protection of customer data.
In addition to FTC directives to improve its security, BJ’s Wholesale Club must invest in third-party compliance audits every two years until 2025—at a cost of approximately $2.5 million.
The FTC is not looking for perfection, said Devinsky, and ensuring the protection of data is not a one-size-fits-all approach. While all firms handling sensitive information must implement measures to prevent and manage information breaches, the level of necessary security varies from company to company, depending on the amount and type of data handled. Devinsky recommends that companies regularly review the adequacy of their security measures and conduct risk assessments.
Panelist Monica Awadalla, intellectual property counsel with GE Licensing & Trading, shared some of the critical steps in developing compliant security:
Identify the information assets of a company
Conduct periodic risk assessments that include an analysis of the likelihood of a breach, and what would happen if a breach occurred
Establish a written security policy, including the response to risks and staff training on the need to protect data
Monitor and test the policy to ensure effectiveness
Continually review security to identify needed adjustments
Classify collected data to determine individualized security methods
Panelists made further suggestions including designating a staff person to manage security compliance, using passwords and implementing other anti-hacker protections.
In addition to Diaz, Devinsky and Awadalla, panelists included Thomas H. Nagle of IDT Corp., Luis E. La Toree of Bristol-Myers Squibb and Ariane Siegel of Gowlings in Toronto.
“Saving Private Data – What You Don’t Know About Information Security Could Kill Your Client’s Business” was sponsored by the Section of Business Law Middle Market and Small Business and Cyberspace Law Committees.
Audio and program material may be found here.