As the fallout continues over the release of thousands of sensitive U.S. diplomatic cables by WikiLeaks, businesses should view this incident as a major data security wake-up call. While the federal government was the victim of this particular data breach, there is no doubt that it can happen to any business. No organization is immune.
The seriousness of a major compromise of sensitive corporate documents is not difficult to imagine. Bank of America’s stock dropped by 3 percent on the mere rumor that its internal documents had been disclosed to WikiLeaks.
If a data breach actually occurs, corporate embarrassment and public relations nightmares, loss of business, litigation and liability, investigations by regulators and government agencies, and significant expenses are just some of the headaches that the victimized business will have to handle.
The WikiLeaks incident teaches us two key lessons. First, every business, regardless of size, should ensure that it has implemented appropriate—and legally compliant—data security for all its information. Second, to supplement that security, the company should also develop an appropriate incident-response plan so that it is adequately prepared to respond to a security breach in the event that the worst occurs.
The requirements of numerous laws lead to the same conclusion. In fact, failure to anticipate and protect against the threat of such an extensive breach may itself lead to legal liability.
Almost all businesses are now subject to a legal obligation to provide security for their corporate information. Providing appropriate security for corporate data requires developing and implementing what many state and federal laws refer to as a comprehensive written information security program.
A Fact-Specific, Risk-Based Process
The concept of a comprehensive security program is based on the view that data security is relative and providing “reasonable security” requires a fact-specific, risk-based process. Any program should consider not only the company’s current business realities, but also future technological, regulatory and business-related changes.
Thus, various laws require that companies undertake a detailed risk assessment to identify and evaluate the threats they face. The goal is to understand the threats, the likelihood that such threats would materialize and the damage they could cause.
Armed with this information, the business must then select and implement appropriate administrative, technical and physical security measures designed to address that risk. Once implemented, such security measures must be tested to ensure that they work properly, and they also must be periodically re-evaluated to take into account changes that occur over time.
The Federal Trade Commission (FTC) and some state attorneys general have been particularly active in bringing enforcement actions against businesses that fail to provide appropriate data security. In some cases, these officials have even acted in the absence of an actual security breach.
As illustrated by the WikiLeaks case, various company stakeholders (shareholders, employees, customers, investors, business partners, vendors, etc.) may be affected by a security breach. In fact, because of the risk of harm to company stakeholders, the FTC now views a lack of adequate data security as an unfair business practice that violates federal law.
Given that no level of security is perfect, it is essential for every business to develop an incident-response plan so that it is prepared in advance to deal with the consequences of security breaches that will inevitably occur. Such a plan should ensure that appropriate individuals in the organization are promptly notified of any security breach, and that a suitable incident-response team is assembled to respond.
The plan should include procedures for evaluating, investigating and containing security incidents. This involves protocols for working with law enforcement, forensics investigators and other experts, as well as for communicating with government agencies, the press and the stakeholders who may be affected by any specific security breach.
It’s evident that having a comprehensive written information security program to defend against data breaches, along with an incident-response plan to deal effectively with breaches that do occur, is critical to all companies operating in today’s digital business environment.
Thomas J. Smedinghoff is a partner in the privacy and data security law practice at the firm of Wildman Harrold in Chicago. He is co-chair of the Federated Identity Management Legal Task Force of the American Bar Association and author of Information Security Law: The Emerging Standard for Corporate Compliance (IT Governance Publishing, 2008).
