January 8, 2014
During the recent holidays, the retailer Target suffered a major information security breach resulting in unauthorized access to personal financial information associated with millions of Target’s customers. The breach caused significant harm to the individual customers involved, to Target’s financial condition, and to the company’s public reputation. Target’s experience provides several important lessons for all other businesses with respect to information security and privacy.
Assume that Security Breaches are Inevitable and Act Accordingly
All too often organizations assume that information security breaches are extremely rare occurrences. Target’s major security breach is just one of many such breaches that have taken place in recent years. This history strongly suggests that information security breaches are not rare incidents. Instead, they are increasingly common events, encountered by a growing array of businesses and other organizations.
All businesses should avoid the assumption that they are unlikely to be affected by information security breaches. Instead, every business should assume that it or one of its business partners will suffer an information security breach at some point. Many of those breaches will be far less substantial than that encountered by Target, but all such breaches are important to the parties involved.
Each organization should consider use of protective measures such as insurance as part of its information security planning. As security breaches become increasingly common and severe, insurance can be an effective element of an overall information security strategy.
Implement and Update Information Security Policies and Procedures
All organizations should implement information security policies and procedures. Those policies and procedures should be integrated effectively with the other key policies and practices of the organization, including employment agreements and manuals, computer and communications equipment use policies, and agreements with contractors and consultants.
All information security policies and procedures should be reviewed on a regular basis. Based on those reviews, the policies and procedures should be modified from time to time in order to accommodate changing circumstances effectively.
Adopt Plans for Actions in Response to Security Breaches
Organizations should adopt plans defining the key actions to be taken by the organization in the event of an information security breach. These plans should be comprehensive and identify the individual in the organization who will have the authority to lead the organization’s response to the breach. The plans should also define the process through which key parties will be notified of the breach.
Organizations should periodically practice execution of security breach response action plans. It is not sufficient merely to have such a plan in place. In order to maximize the chances of effective execution of the plan in the crisis setting associated with an actual security breach, it is essential that organizations practice implementation of the plan in advance of such emergencies.
The experiences of Target and the other companies that have encountered major information security breaches in recent years provide important lessons for all organizations, large and small. Information is now an extremely valuable commercial asset. As such, it merits significant investment and planning to ensure its security.
Information security breaches are now seemingly common business risks. All organizations should assume that they will, at some point, be affected by an information security breach. They should do their best to be prepared to respond to all such breaches promptly and effectively. Their financial security and commercial reputation may well depend on the effectiveness of that response.
For more on data security, view Tips for Protecting Your Organization’s Data in the September issue of Corporate Counsel Connect.