
Data Security: How to Keep Your Business Data Safe

by John DiGiacomo, Partner


Data security involves the practice of protecting computers, mobile devices, databases, and websites from unauthorized access or corruption. Data security is also sometimes referred to as computer security or information security.

Keeping Data Safe

Every kind of data needs protecting, whether it is personal data or business data. Data can include personal identifying information, usernames and passwords, PINs or security codes, credit card information, account or bank information, files, intellectual property, customer lists, financials, analytics, top secret information, and so much more. Data is basically any information that someone else might want for any reason.

A data security breach occurs when a system is accessed, without authorization, by someone who has no right to the data it contains. With so many systems connected to the internet, security breaches happen frequently, and they are a real problem.

What Can You Do to Protect Your Data?

It is important to remember that not all data is worth protecting equally. Some data is relatively low-risk, while other data can have immense value to attackers. For data that has value, it is important to take steps to protect it. Some of the most common safety precautions include:

  • Locking down your computer system when it is not in use.
  • Encrypting your data, which scrambles it so that it cannot be read by anyone who obtains it without authorization and without the key.
  • Using strong user authentication, such as two-factor or multi-factor authentication.
  • Using complex passwords that are virtually impossible to guess, i.e., a long password that includes upper- and lower-case letters, numbers, symbols, and spaces.
  • Using different usernames and passwords for different systems, i.e., not reusing usernames or passwords across multiple systems or platforms.

Taking precautions to protect data can mean the difference between stolen or hacked data and secured data. Safety precautions like those discussed above make unauthorized access to the secured data substantially more difficult to achieve. Such precautions help you secure your data, but they are not a guarantee that the data will be completely protected.

How to Respond to a Data Security Breach

If you learn that your computer system or business data has been breached, it is important to determine the extent of the breach as soon as possible. If your data has been breached, you need to know:

  • What happened.
  • How your system was breached.
  • If any of your data was accessed.
  • Whether you have a legal obligation to notify anyone, such as your customers or clients, of the data security breach.

Data Security as a Legal Obligation, Not Just a Best Practice

Data security is not optional for businesses that handle consumer personal information. Federal regulators, state attorneys general, and courts have established a body of law that imposes affirmative security obligations on businesses that collect, store, or transmit personal data. Failure to maintain reasonable data security can expose a business to regulatory enforcement, civil litigation, and personal liability for executives in some circumstances.

The FTC’s Data Security Program

The Federal Trade Commission uses its authority under Section 5 of the FTC Act, 15 U.S.C. § 45, to pursue enforcement actions against companies that fail to implement reasonable data security. The FTC’s enforcement program does not prescribe specific technical controls — instead, it evaluates whether a company’s overall security program was reasonable given the nature and sensitivity of the data held, the company’s size, and the cost and availability of safeguards that could have reduced risk.

The FTC has published guidance on what it considers reasonable data security based on its enforcement experience: start with security, control access to data, require strong authentication, store sensitive information only as long as needed, segment networks and monitor who is trying to access what information, protect stored data by limiting access and requiring authentication, encrypt data transmitted over the internet, ensure service providers implement reasonable security, and put procedures in place to keep security current and respond to security vulnerabilities.

State-Level Affirmative Security Obligations

Beyond notification obligations, many states have enacted statutes that impose affirmative requirements to maintain reasonable security for personal information. These statutes apply even if no breach has occurred — they establish a baseline security standard that businesses must meet as an ongoing matter.

Massachusetts was among the first states to impose specific technical security standards through regulation. 201 CMR 17.00 requires businesses that own or license personal information of Massachusetts residents to implement a comprehensive written information security program (WISP) that includes specific administrative, technical, and physical safeguards. The technical safeguards required include encryption of transmitted records and files containing personal information, use of up-to-date firewall protection and operating system security patches, use of up-to-date anti-virus software, and authentication controls for systems that contain personal information.

New York’s SHIELD Act, N.Y. Gen. Bus. Law § 899-bb, requires any person or business that owns or licenses computerized data containing private information of New York residents to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information. The SHIELD Act specifies reasonable administrative safeguards (designating a security coordinator, identifying reasonably foreseeable internal and external risks), reasonable technical safeguards (assessing risks in network and software design, assessing risks in information processing, transmission, and storage, detecting, preventing, and responding to attacks or system failures), and reasonable physical safeguards (assessing risks of information storage and disposal).

Encryption: The Most Legally Significant Technical Control

Encryption is the single most legally significant technical control because most state data breach notification laws provide a “safe harbor” exemption for encrypted data. If personal information was encrypted at the time of unauthorized access, many state statutes do not require notification — because encrypted data is presumed to be inaccessible to the unauthorized accessor without the encryption key.

This encryption safe harbor is not absolute. Some states require that the encryption be adequate and that the encryption key was not also acquired in the breach. And federal HIPAA requirements take a more nuanced approach, requiring a risk analysis to determine whether the breach of encrypted data could still result in an impermissible disclosure even in encrypted form. But for most state notification statutes, properly implemented encryption at rest and in transit substantially reduces both the likelihood of a breach resulting in actual harm and the legal obligations that arise if unauthorized access does occur.
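The two conditions the safe harbor turns on, that the data was actually encrypted and that the key was not acquired along with it, are easiest to see in code. The following Go program is an added example, not code from the original post or from Revision Legal; it encrypts a customer record with AES-256-GCM so that only the nonce and ciphertext land in the data store, while the key is held elsewhere (a key management service, in practice). The record label, key-storage arrangement, and sample record value are all constructed for illustration. Decryption fails if the key is wrong, the stored bytes were altered, or the ciphertext was moved to a different record, which is what "properly implemented" encryption at rest means in practice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what gets written to the data store: nonce plus ciphertext only.
// The key is deliberately not part of the record, so a copy of the data store
// alone does not expose the plaintext (the safe-harbor condition).
type Record struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a fresh 256-bit AES key. In a real deployment the key would
// come from, and stay in, a key management service rather than sit beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. The record label (a constructed
// identifier such as "customer:1001") is bound as associated data, so a
// ciphertext cannot be silently swapped into another record.
func Encrypt(key []byte, label string, plaintext []byte) (Record, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Record{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(label))
	return Record{Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens a record. It returns an error if the key is wrong, the nonce or
// ciphertext was altered, or the label differs from the one used at encryption.
func Decrypt(key []byte, label string, r Record) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(label))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong label, or tampered data")
	}
	return pt, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample record; no real personal data.
	rec, _ := Encrypt(key, "customer:1001", []byte("SSN 000-00-0000"))
	fmt.Printf("stored in database: nonce=%x ciphertext=%x\n", rec.Nonce, rec.Ciphertext)

	// Someone who copies only the data store holds rec but not key.
	otherKey, _ := NewKey()
	if _, err := Decrypt(otherKey, "customer:1001", rec); err != nil {
		fmt.Println("without the key:", err)
	}
	pt, _ := Decrypt(key, "customer:1001", rec)
	fmt.Println("with the key:", string(pt))
}
```

The design choice worth noting is the separation of key and record: if the key were stored in the same database (or hard-coded in the application that was compromised), the second safe-harbor condition would fail and notification obligations would likely apply regardless of the algorithm used.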

The Written Information Security Program

Every business that holds personal data should maintain a Written Information Security Program (WISP). A WISP is a documented, structured security program that describes the administrative, technical, and physical safeguards the business has implemented to protect personal information. Massachusetts requires a WISP by regulation for any business handling Massachusetts residents’ personal information. Many other states treat the existence of a documented security program as evidence of the reasonable security practices required under their affirmative security statutes.

A WISP should address: the categories of personal data the business holds and their sensitivity, access controls and authentication requirements, encryption policies, employee training requirements, incident response procedures, and vendor management requirements. The WISP should be reviewed at least annually and updated to reflect changes in the business’s data environment, the regulatory landscape, and the threat environment.

Contact a Data Breach Attorney

Revision Legal understands the dynamic nature of data security and data breach issues. Revision Legal has worked with a number of business clients of all sizes to assess data security risks, develop written information security programs, and, when necessary, provide counsel on how to handle breach notifications in all 50 states. If you have concerns about a data security breach, contact the experienced data breach attorneys at Revision Legal. The legal team from Revision Legal can help you today. Contact us using the form on this page or call us at 855-473-8474.
