On August 13 2015, Bridget Anne Kelly, an aide to Gov. Chris Christie, wrote an eight-word e-mail that could one day send her to jail: “Time for some traffic problems in Fort Lee.” That e-mail came back to haunt her during the “Bridgegate” trial, when a jury found her guilty in a conspiracy to cause a politically motivated traffic jam.
Jason Isom, a lawyer for Ogletree Deakins in Morristown, says this fateful message is a reminder that some things just shouldn’t ever be sent over the Internet. “They shouldn’t have done what they did in the first place, but let’s say you’re discussing a sensitive merger or new technology. It’s better to pick up the phone or send a letter or just avoid electronic communications altogether,” he says. “If you’re exchanging sensitive information or discussing sensitive topics, you shouldn’t do it over e-mail.”
Isom, who specializes in employer-employee lawsuits, rarely sees a case where one side doesn’t request the other turn over a record of all electronic communications. And an even greater threat to personal information is posed by hackers. Data breaches can disrupt business on their own, and they can also spawn lawsuits against a company by customers who have their identities stolen.
Isom is one of several experts who will offer advice for companies on how to both avoid and respond to data breaches at an upcoming event sponsored by the New Jersey Business & Industry Association. The “Non-Techies Guide to Cybersecurity” will take place Friday, December 2, from 8:30 a.m. to 1 p.m. at the NJHA Conference and Event Center at 760 Alexander Road. Tickets are $89. For more information, call 609-393-7707, e-mail email@example.com, or visit www.njbia.org.
Isom says the most important thing a company can do to prevent data breaches, and also prevent the lawsuits that sometimes follow, is to establish good policies for anything to do with technology — everything from who is allowed to post on the company Twitter feed to who can access private customer information. “Let’s say you store medical records at your office,” Isom says. “You should have a policy in your office that says who can have access to those records and when.”
Small companies that have an outside firm handling their IT needs should ask the firm to provide technology policies, Isom says. Not only can good procedures help prevent data breaches, but if there is one anyway, the company’s line of defense against lawsuits will often be to say that the breach was unavoidable despite its best efforts.
Not having policies can undermine that defense. Another sure way to lose a lawsuit after a data breach is to hide it from your customers, as Yahoo did after a hack exposed the personal data of 300 million users. “They got in trouble for not notifying customers of the breach and keeping it a secret,” he says.
In fact, keeping a data breach a secret is against the law in New Jersey. The Identity Theft Protection Act requires companies to report all breaches in a timely manner. “A lot of companies that get breached, especially smaller businesses, don’t notify their customers, for obvious reasons,” Isom says. Notifying customers of a data breach can cause the loss of some customers.
Heartland Payment Systems, the national payment processing company headquartered on Nassau Street, showed how damaging a data breach can be, and how to recover from one, in 2008 when hackers stole the information for 100 million bank cards. The company responded by disclosing the data to its customers, and even provided details about the hack to its competitors so they could avoid a similar attack. The company then created an end-to-end encryption system to make it harder to steal information. In the end, the company only lost about 2 percent of its customer base, and was able to fully recover. (U.S. 1, December 31, 2014.)
Isom says that lawsuits from data breaches have not seen much of an uptick despite a number of well-publicized hacks that exposed the information of millions of customers at Target, Home Depot, and other retailers. However, the reputational damage can be significant, and that cleaning up the mess from a data breach can be extremely expensive.
On average, a breach costs a company $217 per customer whose information is stolen.
Isom says that if a state-sponsored hacker comes after your company, it will be impossible to stop. But the good news is that according to one recent study, about 90 percent of data breaches were preventable. Policies like not clicking on links in e-mails, not responding to e-mails if you don’t know the sender, and other common-sense cyber security measures can prevent most data breaches.
Isom grew up as a self-described “army brat” with a mother and father who were both service members. He got his start in computer technology when he was an undergraduate student at Rutgers, when he dabbled in computer science before switching to history and political science classes that led him to a law career. He earned his law degree at Harvard, where he was the editor of the Journal of Law and Technology, which published many articles about cyber law and cyber security issues.
He says that the two biggest mistakes companies make when it comes to cyber security are not having effective policies and not training employees in those policies. Every company should have technology and Internet use policies, and penalties for employees who break those policies, he says.
“Even if you re a small company, you could be dealing with sensitive data,” he says.