“It’s at the level of not if you are going to get a breach, but when you are going to get breached,” says data security lawyer Sharon Klein. “It’s better to protect yourself ahead of time.”
Klein, a lawyer for the corporate and securities practice group of Pepper Hamilton LLP, which has a Carnegie Center office, believes that companies should take measures to protect their sensitive data, but that the increasing sophistication of hackers means that if your data is valuable enough, someone is going to get it eventually.
Klein will speak at a breakfast forum on the fundamentals of data privacy and security for businesses hosted by the Mid-Jersey Chamber of Commerce. Fellow lawyers Angelo Stio III and Charles Leasure III will also give presentations. The event will take place Thursday, November 20, from 8 to 9:30 a.m. at Crowne Plaza Princeton. Tickets are $25 for members, $35 for nonmembers. For more information, visit www.midjerseychamber.org, or call 609-689-9960.
Klein grew up in Wilkes-Barre, Pennsylvania, where her mother was a homemaker and her father was a carpenter. Farther back in the family tree, her grandfather was a coal miner. Klein went to college at Syracuse and earned her law degree at Temple. She was in-house counsel for Siemens Medical, a company that handled medical information for hospitals and healthcare providers. She lives in Irvine, California, and works at a Pepper Hamilton office located there.
When Klein first started in the business, data security meant making sure employees disposed of documents properly, and didn’t leave laptops lying around where they could be stolen. These days, the biggest threats to sensitive information come from hackers with ties to organized crime.
The massive data breaches at Target and Home Depot, where hackers made off with a combined total of almost 100 million payment card numbers, have put data security on the agenda at companies large and small. The hacks were disasters for Target and Home Depot as well as for customers, many of whom were subjected to identity theft. Both companies are facing lawsuits from customers.
Klein is more of a realist than a pessimist about data security. Chip-and-PIN (EMV) cards, which pair a microchip that produces a unique cryptogram for each transaction with a customer's personal identification number, instead of relying on static account data on a magnetic stripe, would have made the stolen card numbers far less useful: the chip does not stop malware on a compromised point-of-sale system from copying card data, but data copied from a chip transaction cannot be replayed to produce a working counterfeit chip card. The more secure cards have been standard in Europe for years and are being adopted in the United States. But with retailers and card issuers still supporting the outdated magnetic stripe, and hackers breaching databases at large companies on a regular basis, every company should be prepared to deal with an incursion into its secure data.
“We’re at this very vulnerable point where technology is behind, the laws are behind, and we just need to admit the fact that we seem to be a target, from a data perspective,” she says.
No organization is too small to think about data security issues. Even if a particular company does not handle very much data itself, it may, for example, rely on a third party to process payroll. That third party may in turn be the target of a data breach, and suddenly hackers could have access to employees’ Social Security numbers, addresses, and other sensitive information.
“Small businesses should take a hard look at their partnerships with regard to outsourcing,” she says.
The perils for companies are legal as well as technological, as allowing client or customer data to be stolen could open a company to liability claims. Privacy and security laws give companies responsibility for protecting any sensitive data they collect, and failing to do so could also have consequences. Healthcare companies have further obligations to protect health records.
Klein says that no matter how large or small the company, someone in the organization needs to be accountable for either outsourcing and creating the contracts to protect data, or for doing the job internally.
Be ready. Klein recommends that companies perform risk assessments to determine where regulated data, including personally identifiable information, is stored; knowing where that data lives lets a company protect it better and respond faster if it is breached. Every company should also have an interdisciplinary breach-response team that can be activated within 24 hours, including security experts, human resources executives, and communications personnel, who get together and figure out what happened.
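The first step of the risk assessment Klein describes is finding out where regulated data actually sits. The following is an added example, not code from the article or from Pepper Hamilton: a small scanner that walks a directory tree and reports files containing Social Security numbers or payment card numbers, with card candidates filtered through the Luhn check so that arbitrary 16-digit reference numbers are not flagged. The file names, contents and regular expressions are constructed for illustration; a real deployment would extend the patterns (health record identifiers, account numbers) and scan shared drives, mailboxes and backups, not just a local folder.

```python
"""Added example (not from the article): locate regulated data (SSNs and
payment card numbers) in files so a company knows where it is stored."""
import os
import re
import tempfile

# Illustrative patterns; both are assumptions, not an authoritative spec.
# SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card number (PAN): 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Never write the full value into a report; keep only the last four digits."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str):
    """Return a list of (kind, masked_value) findings for one document."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", mask(m.group())))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):  # drop invoice/order numbers that merely look like cards
            findings.append(("PAN", mask(digits)))
    return findings


def scan_directory(root: str):
    """Map relative file path -> findings, for every file under root with a hit."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as f:
                    hits = scan_text(f.read())
            except OSError:
                continue
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    samples = {  # constructed sample files, not real data
        "hr/payroll_export.csv": "name,ssn\nJane Doe,123-45-6789\n",
        "sales/notes.txt": "Customer paid with 4111 1111 1111 1111 on 11/20\n",
        "docs/readme.txt": "Order ref 1234 5678 9012 3456 is not a card number\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(content)
        return scan_directory(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

The report deliberately stores only masked values: an inventory of where sensitive data lives should not itself become a new copy of that data.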
“The most important thing is to stop the data loss. Stop the bleeding, so to speak. You also need to understand what kind of data was disclosed, and to whom, and if you don’t have that capability, contact a forensic organization.” In most cases, the company will then have to notify the people whose data was disclosed and take steps to compensate them.
If all that sounds expensive — it is. That’s why Klein recommends having insurance that covers losses from a data breach. Most general liability insurance does not cover data, because it is an intangible asset. In most cases, companies will need to get a rider or a policy to deal with data risks. Klein will go over some of the options in her presentation.