With the recent passage and signing by Governor Newsom of Assembly Bill 1130 (“AB 1130”) which expands the definition of “personal information” to encompass all types of data that might be used to personally identify customers, patients or clients, now is a good time to revisit and update your company’s written policies and procedures with respect to data, data security, and breach notification. See text of AB 1130 here. An experienced San Diego corporate attorney can help. Here are some tips on what a data security policy might include:
- Use of proper and state-of-the-art cybersecurity software, hardware, and protocols
- Retaining the best available cybersecurity employees and/or consultants
- Training to employees handling data
- Limiting access
- Separating data
- Limiting accessible data to only currently-being-used data
- Customer-drafted employee and vendor contracts that mandate confidentiality and cybersecurity
- Insurance and indemnifications
- Physical backups in non-internet-accessible formats
If your company experiences a data breach, your company is required to notify customers and the California Attorney General’s Office. Data breaches are expensive. At the bare minimum, your company might be required to buy a couple of years’ worth of credit-score monitoring services for the affected customers. The individual cost might only be $50-60 over two years, but spread that over 1,000,000 customers or over 100,000,000 customers? That will cost your company a lot of money and that does not include remediation, attorney’s fees, investigation costs, fines, penalties, and more.
To minimize the risks and costs, state-of-the-art cybersecurity is important. Thus, your company policies may mandate that the software, hardware, and protocols be updated regularly. Minimum requirements may be encryption of data, activity logs, audit controls, access controls, and auto-log-off protocols. Likewise, your policy may mandate that your cybersecurity employees and contractors receive training and continuing education to ensure they are at the cutting edge. In a similar manner, all employees dealing with data may have training and annual training. These are the types of procedures and policies that a judge will consider when determining if there was negligence or gross negligence related to the data loss and exfiltration.
Your written company policy may also address the data itself. Higher security is needed for data that can be used to personally identify customers, clients, and patients. Further, online-accessible data is often at higher risk (but physically stored and segregated data should still be locked and otherwise protected). For these reasons, your cybersecurity protocols may be more rigorous for certain types of data. In addition, sensitive data should be separated from other types of data and all backup data should be securely stored offline. Furthermore, only actively-used data should be available online or over the company network. All not-being-used-now data should be segregated. Sometimes this can be accomplished by simply archiving (taking it offline) data that is, say, older than two years. Similarly, personnel access to the data should be segregated since some data breaches are the result of deliberate employee or vendor criminal behavior. Only those employees, vendors, and service providers that need the data should have access to it.
Finally, your company policy may mandate that data-using/accessing employees, vendors, and service providers must sign confidentiality agreements with the most up-to-date and robust cybersecurity requirements. Such agreements may also contain indemnity and hold harmless provisions. Again, in determining negligence or gross negligence, the existence of confidentiality agreements and the extent and consistency of their use will be factors considered by any judge or jury. Finally, insurance products should be obtained, where possible, to limit financial risks to the company.
Contact San Diego Corporate Law Today
For more information, contact attorney Michael Leonard, Esq., of San Diego Corporate Law. Mr. Leonard can be reached at (858) 483-9200 or via email. Mr. Leonard has been named a “Rising Star” for four years running by SuperLawyers.com. Mr. Leonard provides a full panoply of legal services for businesses and proudly serves the San Diego business community. Like us on Facebook.