Data is the lifeblood of most businesses. Customer data, employee data, financial data, medical data, confidential business information, intellectual property—all organizations must protect critical data from theft, loss, or corruption. The pandemic has forced many businesses to increase their electronic engagement with employees, customers, and suppliers, creating greater swaths of electronic data that must be protected.
And cyberthreats are more prevalent than ever. In its 2020 Internet Crime Report, the FBI's Internet Crime Complaint Center (IC3) reported that, as “fraudsters took the opportunity to exploit the pandemic to target both business and individuals,” it received more than 300,000 additional cybercrime complaints in 2020 compared with 2019 (791,790 in total), with reported losses exceeding $4.2 billion.
In Idaho, the Idaho Attorney General’s Office similarly reports that, since the beginning of the pandemic, phishing email scams are up 667%, 90% of the thousands of new Coronavirus-related web domains are scams, and ransomware attacks have increased 72%.
Business obligations to protect data, however, remain unchanged. Against increasing security threats, companies still must protect their own data and any collected consumer private information from internal and external threats of misuse and dissemination.
What is the law?
There is no single national law that supplies a practical, one-size-fits-all checklist. Instead, businesses must comply with two kinds of law: statutes that set specific requirements for notice, use, opt-outs, and breach response, and broader statutes that simply prohibit unfair or deceptive practices and leave the expected standard of care to be inferred from enforcement actions and industry norms.
- Laws prohibiting unfair and deceptive trade practices. State consumer protection statutes, including the Idaho Consumer Protection Act, and Section 5 of the Federal Trade Commission Act prohibit “unfair or deceptive” practices. A company that promises certain protections in its privacy or data security policy and then fails to follow them risks violating these laws, because the gap between stated and actual practice is itself treated as deceptive.
- State laws regarding data breaches. Most states have statutes detailing how a company must respond to a data breach. In Idaho, for example, any individual or commercial entity that “conducts business in Idaho and that owns or licenses computerized data that includes personal information about a resident of Idaho” must, upon becoming aware of a breach of the security of its system, conduct a “reasonable and prompt investigation” to determine the likelihood that personal information has been or will be misused and, if misuse has occurred or is reasonably likely to occur, give notice to the affected Idaho residents as soon as possible. See Idaho Code § 28-51-105(1). The separate requirement to notify the office of the Idaho attorney general within twenty-four hours, § 28-51-105(2), applies to state agencies that suffer a breach.
- International laws. The EU General Data Protection Regulation 2016/679 (GDPR) reaches companies outside the EU that offer goods or services to, or monitor the behavior of, people in the European Union, and requires them to honor the broad privacy rights the regulation grants. After the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield in 2020 (the Schrems II decision), uncertainty about lawful mechanisms for transferring EU personal data to the United States has led some companies to stop collecting data from EU residents altogether.
How to develop a data security protocol
To develop a data security protocol, companies should begin by evaluating several factors:
- Physical security measures. Identify and secure the physical locations of your data, including servers, remote devices, and storage media. This can be as simple as requiring both in-house and remote workers to keep their computers in locked offices or otherwise physically secured, limiting who may enter server rooms and storage areas, and requiring authentication to unlock devices. Full-disk encryption on laptops and phones means a lost or stolen device exposes no readable data.
- Types of data. Identify the categories of data you receive and maintain, including personally identifiable information you collect from customers and other members of the public; trade secrets or other confidential business information; and personal information about employees.
- Use of data. For each data category, determine how you collect it, who has access to it, whether it is manipulated, whether you provide it to third parties, where you store it, and how long you store it.
- Third parties. Identify how you share information with third parties, including IT management, payroll processing, and human resources vendors, and for what purposes. Require third parties to agree to appropriate security measures for protecting and using data. Be aware that if a third-party data processor experiences a data breach, you may be responsible for complying with the notification and breach response requirements of your jurisdiction.
- Technical security measures. Ensure you are using appropriate technical controls, such as encryption in transit and at rest, tokenization of sensitive fields, strong password policies, multi-factor authentication, or biometric access, at each point where data is transferred or stored.
- Data breach protocols. Develop a meaningful and practical data breach protocol that complies with the law of every jurisdiction whose residents' data you hold, assigns in advance who investigates an incident, who decides whether notice is required, and who sends it, and enables you to act quickly when an incident occurs.
- Data retention. Create data retention schedules that meet the retention periods laws and contracts require, and delete private or confidential data once those periods expire. Data you no longer hold cannot be breached.
Other measures to consider include designating a security officer, conducting a risk assessment, implementing security protocols, continually monitoring your data security program, and creating privacy notices.
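Two of the items above, tokenization as a technical measure and deleting data when its retention period ends, are easier to reason about in code. The following Python is an illustration added here, not code from the article or its authors: an in-memory tokenization vault that mints random tokens for personal data so the operational database never holds the plaintext, uses a keyed blind index so the same value under the same purpose maps to the same token, and purges entries whose purpose-based retention period has lapsed. The class and method names, the retention periods, and the sample e-mail address and SSN are all constructed for the example; a production vault would also encrypt its store at rest and sit behind its own access controls.

```python
"""Tokenization vault with a retention purge (stdlib only). Added illustration,
not code from the article or its authors; the class and method names, the
purpose-based retention table and the sample records are made-up assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class VaultEntry:
    value: str          # plaintext PII; lives only inside the vault
    created: datetime   # tokenization time; starts the retention clock
    purpose: str        # why it is held, matched to a retention rule


class TokenVault:
    """Holds the only copy of plaintext PII and hands out opaque tokens. The
    operational database stores tokens, so a leak of it exposes nothing
    reversible. The vault still needs its own access controls and encryption
    at rest; that layer is out of scope here."""

    def __init__(self, index_key: bytes, retention: dict):
        self._index_key = index_key   # secret key for the blind index
        self._retention = retention   # purpose -> timedelta
        self._by_token = {}           # token -> VaultEntry
        self._by_index = {}           # blind index -> token

    def _blind_index(self, purpose: str, value: str) -> str:
        # Keyed HMAC lets the vault answer "already tokenized?" without an
        # unkeyed hash; plain SHA-256 of an SSN or e-mail is brute-forceable.
        msg = f"{purpose}:{value}".encode()
        return hmac.new(self._index_key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, value: str, purpose: str, now: datetime) -> str:
        """Return the token for value under purpose, minting one if needed."""
        if purpose not in self._retention:
            raise ValueError(f"no retention rule for purpose {purpose!r}")
        idx = self._blind_index(purpose, value)
        if idx in self._by_index:
            return self._by_index[idx]  # same value + purpose -> same token
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from value
        self._by_token[token] = VaultEntry(value, now, purpose)
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Look up the plaintext; an unknown or purged token raises KeyError."""
        if token not in self._by_token:
            raise KeyError("unknown or purged token")
        return self._by_token[token].value

    def purge_expired(self, now: datetime) -> list:
        """Delete entries past their purpose's retention; return purged tokens."""
        expired = [t for t, e in self._by_token.items()
                   if now - e.created > self._retention[e.purpose]]
        for t in expired:
            e = self._by_token.pop(t)
            self._by_index.pop(self._blind_index(e.purpose, e.value), None)
        return expired


def demo() -> dict:
    """Walk constructed sample records through tokenization, use and purge."""
    vault = TokenVault(
        index_key=secrets.token_bytes(32),
        retention={"payroll": timedelta(days=7 * 365),  # assumed rules
                   "marketing": timedelta(days=365)},
    )
    t0 = datetime(2021, 1, 1, tzinfo=timezone.utc)
    customer_email = "a.sample@example.com"   # constructed, not a real person
    employee_ssn = "123-45-6789"              # constructed, not a real SSN

    email_tok = vault.tokenize(customer_email, "marketing", t0)
    ssn_tok = vault.tokenize(employee_ssn, "payroll", t0)
    # What the operational systems actually store:
    crm_row = {"name": "A. Sample", "email_token": email_tok}
    payroll_row = {"employee_id": 1042, "ssn_token": ssn_tok}
    # Re-tokenizing the same value yields the same token, so joins still work.
    same_tok = vault.tokenize(customer_email, "marketing", t0 + timedelta(days=30))
    # 400 days later the marketing record is past its year; payroll is not.
    purged = vault.purge_expired(now=t0 + timedelta(days=400))
    try:
        vault.detokenize(email_tok)
        email_after_purge = "still present"
    except KeyError:
        email_after_purge = "purged"

    return {
        "crm_row_has_plaintext": customer_email in str(crm_row),
        "payroll_row_has_plaintext": employee_ssn in str(payroll_row),
        "consistent_token": same_tok == email_tok,
        "email_token": email_tok,
        "purged": purged,
        "email_after_purge": email_after_purge,
        "ssn_after_purge": vault.detokenize(ssn_tok),
    }
```

Calling `demo()` shows the pattern end to end: the CRM and payroll rows contain only tokens, the marketing e-mail is purged at day 400 while the payroll SSN (seven-year rule) survives, and detokenizing the purged token raises KeyError. That failure is the intended behavior: once the retention period has run, the data is gone even from the system that held it, which is what the retention item above asks for.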
Cybersecurity strategies help businesses meet primary pandemic business concerns: maintaining revenue, strengthening customer relationships, preserving employee structures, and staying afloat. A strategic investment in cybersecurity is manageable and worth it.
Dempsey Foster is a socially conscious, women-owned business and litigation firm specializing in growth companies, nonprofits, and female entrepreneurs. We serve our clients through empathy, advanced strategy, and proven courtroom mettle. We are devoted to helping our community by serving on high-impact nonprofit boards, supporting legal access organizations, and providing pro bono representation to underserved members of our state.
Alyson Foster is a founding member of Dempsey Foster. A veteran litigator, Alyson helps her clients navigate business relationships through negotiating contracts, resolving matters in mediation, and litigating in arbitration and court. She lives in Boise with her park ranger husband and rescue dogs.
Jennifer Schrack Dempsey is a founding member of Dempsey Foster. Jennifer has served as business and litigation counsel to individual clients, small and medium businesses, and major corporations with equal passion and attention to detail. She lives in Boise with her husband and two teenagers. In a former life, she played NCAA Division I volleyball.