By Thomas Ritter
Here are two words that should scare any business: business interruption.
The thought of losing control of your business for a day or a week is enough to keep any executive awake at night.
Business interruption is almost a guarantee when a company experiences a data breach or other cybersecurity problem. Every interruption comes with significant mitigation costs, including hiring experts to alleviate problems, lost productivity, the threat of lawsuits and much more.
Helping businesses, especially smaller businesses, manage their cybersecurity risks is why I have started a dedicated cybersecurity practice at Thompson Burton.
The practice includes three primary services:
- Understanding the confusing patchwork of regulatory requirements
- Drafting and reviewing security policies
- Providing legal counsel when a problem occurs
The first two services fall under what I would call “preventative medicine.” For any business in possession of sensitive customer information and data, preparation is instrumental to prevention. The last service is the triage, or crisis response, for when a cybersecurity problem occurs.
The two biggest issues in cybersecurity are data protection and privacy.
There is no single legal framework for businesses to follow. Rather, businesses must comply with a complex and often overlapping set of cybersecurity-related laws and regulations. Whether it’s HIPAA for healthcare companies, GLBA for financial institutions, the FTC Act, or some other law, there is a lot to wrap your head around.
For example, most companies affected by a data breach assume that the applicable state law arises out of the location of their headquarters. Instead, the more important question is: Where are the company’s affected consumers located? If a company is breached, it must follow the notification laws of every state where an affected individual resides.
At Thompson Burton, we make this confusing and arduous process of understanding and sorting through the applicable laws and regulations easier.
Once you understand the regulatory requirements, it’s important for a business to have a security policy in place. This security policy memorializes the business’s information security procedures and its plan for responding to any incident.
As an attorney, I’m always assessing potential liability. In any context, a business that says it will do something and then fails to adhere to its own standards can face significant liability if the lapse is discovered. Security policies are no exception.
Legal Counsel When a Problem Occurs
The challenges with cybersecurity will only increase. It’s impossible to watch or read the news without some daily reference to a data breach or hack. For companies, it’s not a matter of if a cybersecurity breach will happen, but when.
Oftentimes, the biggest misconception by businesses is the “I’m too small to be a target” mindset. This is categorically false for several reasons. Most hackers don’t coordinate an attack based upon a specific target, but instead check to see which businesses’ doors remain unlocked. Of arguably greater concern, the actions of employees oftentimes allow a hacker to stroll right through the proverbial front door. Thompson Burton can help small businesses identify weaknesses and train employees to practice good “cyber hygiene.” (I will publish a blog post about this topic soon.)
The biggest benefit of having an attorney on-call who understands your business is the preservation of privilege in the event of a data-breach investigation. Through things like attorney-client privilege and work-product doctrine, an attorney can help coordinate and protect a company’s remedial efforts from potential discovery.
About The Author
Thomas Ritter is an associate attorney at Thompson Burton PLLC. He assists a variety of businesses, from well-established to new start-ups, on meeting regulatory compliance. Follow him on Twitter at twitter.com/cybersecureatty for the best practices and legal updates on relevant privacy and data protection topics.