Does Your Company or Law Firm Have a Plan on How to Respond to Data Breaches?
Popular retail giant Home Depot, Inc. (“Home Depot”) fell victim to the latest round of cybersecurity attacks, with experts fearing that more than 40 million payment cards might have been compromised. If confirmed, this number would make Home Depot’s breach more disastrous than the attack that befell Target Corporation last year. The breach came to public light on September 2, 2014, and by September 4th, a class action lawsuit had already been filed in the United States District Court for the Northern District of Georgia. In the lawsuit, the complainants allege that Home Depot failed to protect their payment and personal information and failed to warn them in a timely manner that such information had been compromised.
As more and more high-profile companies fall prey to cybersecurity attacks, you should ask yourself, “Does my company/firm have a response plan for data breaches?”
Training on, and knowledge of, the response plan are integral to guarding against and adequately responding to data breaches, and as technology continues to evolve, a company or law firm’s response plan should evolve as well.
An effective response plan includes, among other things, the following:
- A designated member tasked with responding to the breach (should be a senior staff member or part of management);
- A comprehensive training plan given to each employee upon hiring on how the company/law firm plans to respond to the breach and the policies that govern access to the network/sensitive data;
- A “kill switch” for any misplaced, compromised, or lost devices that have access to your network;
- An effective way to respond immediately once the breach occurs;
- A designated member tasked with notifying the public and/or governmental entities if disclosure is required; and
- Continual updating of the response plan as technology advances.
While two senators have already called for an investigation into whether Home Depot’s conduct has violated the standards of the Federal Trade Commission (“FTC”), it is important to remember that the FTC judges a company or law firm’s security procedures according to what is “reasonable” or “appropriate” in light of the circumstances. In other words, the FTC understands that a breach does not necessarily mean that a company or law firm has failed to implement reasonable security measures.
While what is “reasonable” or “appropriate” has not been specifically defined, the FTC, during its investigation, generally takes into account the company or law firm’s size, the nature of its activities, and what information is being collected or has been compromised.
As such, while the FTC recognizes that no security plan is perfect, the complete absence of one may not be looked kindly upon by the FTC.
Sources:
http://www.reuters.com/article/2014/09/10/us-home-depot-dataprotection-breach-prob-idUSKBN0H41SQ20140910
http://www.marketwatch.com/story/class-action-suit-filed-against-home-depot-for-consumer-data-security-breach-2014-09-04
Klemchuk LLP is an Intellectual Property (IP), Technology, Internet, and Business law firm located in Dallas, TX. The firm offers comprehensive legal services including litigation and enforcement of all forms of IP as well as registration and licensing of patents, trademarks, trade dress, and copyrights. The firm also provides a wide range of technology, Internet, e-commerce, and business services including business planning, formation, and financing, mergers and acquisitions, business litigation, data privacy, and domain name dispute resolution. Additional information about the IP law firm and its IP law attorneys may be found at www.klemchuk.com.