We’ve come a long way since “The Net”

With the headlines coming out seemingly daily about data breaches at companies, there’s a tendency to feel a bit overwhelmed with the problem.

And while a data breach regarding your employees is something that may not be as imminent as one involving credit cards, it still represents a major threat to your business.

This week, I have two presentations on the subject. But in case you can’t make it, here’s a sneak peek at four things you can do now before you have a data breach.

  • Establish and implement a written data breach response policy.  This policy will be more blueprint than policy.  The best ones I’ve seen are in a spreadsheet format and identify a team of individuals already designated to respond in case of a data breach, with roles and responsibilities clearly defined.  You should also have outside IT consultants and a legal team identified.
  • Conduct a review of your systems and data, and understand where your confidential information resides.  You won’t know if you keep your data (particularly data regarding your employees) secure unless you figure out what you have and what protections are in place.
  • Conduct regular risk assessments for your company, your contractors and vendors, and other business partners.  Don’t stop at figuring out where your data resides; understand where your data goes.  If data is sent outside the company, is it encrypted when it is sent? For example, how is employee benefit information transmitted?
  • Establish frequent privacy and security awareness trainings as part of an ongoing program.  Telling employees when they start about privacy policies isn’t good enough anymore. Regular training and follow-up is needed to ensure that your employees don’t provide an easy back door for your data to exit from.

If you’re interested in the subject, I would recommend attendance at one of the two programs I’ll be at.

On Wednesday, I’ll be at the National Retail Federation’s HR Executive Summit in Chicago speaking at “Protecting Your Digital Secret Sauce” at 10:15a along with representatives from Walgreens and McDonald’s.  Moderated by Miller Canfield’s Adam Forman, the program description is as follows:

High profile credit card data breaches at several prominent retailers have recently made national headlines, impacting the retailers’ brand and shaking their customers’ confidence. Credit card data breaches, however, are only the tip of the iceberg. There are a whole host of related issues that are bubbling beneath the surface, many of which are within the direct control of your employees. This panel of industry experts will discuss these issues and identify practical steps to take should your organization data become compromised.

On Thursday, I’ll be at the joint program between Shipman & Goodwin and the Connecticut chapter of SHRM entitled “Raiders of the Data Ark: Data Privacy and Cybersecurity Summit.”  There are still a few spots open for registration. Attendance is strong for this program; please be sure to sign up today or tomorrow so we can lock in the space.

When we think about protecting customer and employee data, we often think that the biggest hazards are outside hackers.

But a recently publicized incident involving AT&T shows that the threats may also be from within. As The New York Times reported:

“[I]t serves as a cautionary tale about the types of information that employees at technology and communications companies can retrieve just by breaking the rules, no hacking required.”

What happened? According to the Times, “AT&T, the telecommunications provider, said on Monday that it had fired an employee who inappropriately gained access to customer information this year, possibly including Social Security and driver’s license numbers.”

While the breach was relatively small (1600 people affected), the company dealt with the breach by sending out letters to those affected and paying for credit monitoring services.

What else should you do in a breach? Well, next week, I’m heading up a major Data Privacy & Cybersecurity Summit where we will discuss exactly that topic — particularly as it applies to employee data. The summit is scheduled for October 16th in Cromwell.  Co-sponsored with the Connecticut chapter of SHRM, the program includes speakers from GE, ESPN and the Connecticut Attorney General’s office.  The cost is just $75 and includes breakfast, lunch and materials.  You can register here.

For more details, click here.

Last month, I wrote about the Home Depot credit card data breach and the importance of protecting company data.  But the issue of protecting employee data is far from new.

Back in 2011, one legal publication had this to say about employee data:

Employers collect a substantial amount of personal information about their employees. Companies need to be aware of their obligations under the profusion of data protection laws and regulations that govern the collection, use and transfer of personal information. This is an especially daunting task for companies that have operations subject to the laws of multiple jurisdictions, as requirements vary widely from country to country and even from state to state. …

Companies use employees’ personal information for a variety of purposes—from evaluating applicants during the hiring process to administering payroll and employee benefit plans to managing separation and other post-employment benefits. And as more employers adopt enterprise-level information management systems and outsource certain human resources administration functions, increasing amounts of personal data is being transferred and shared within and between organizations. Maintaining compliance with applicable data privacy laws is a responsibility employers cannot afford to overlook.

I couldn’t say it better myself.  But don’t take my word for it. There are a whole host of experts coming to speak later this month at a Data Privacy and Cybersecurity Summit that I’ve been planning.  People from companies like ESPN, UTC and GE. And respected government officials from the Connecticut Attorney General’s office and the FBI.

The summit is co-sponsored by my law firm, Shipman & Goodwin LLP and the Connecticut chapter of SHRM.  It is scheduled for October 16th at the Crowne Plaza in Cromwell, CT. You can register for it here. Don’t miss out.

Real hackers are more fearsome than this one.

Okay, okay.  I realize the headline is a bit misleading.  But it isn’t every day that you hear about a data breach at Home Depot in which 56 MILLION credit cards may have been hacked. To put that into perspective, that’s 16 million MORE than the infamous Target breach!

But this is an employment law blog, not a shopping one. So, why does this matter to human resources professionals and companies? Because if hackers can access credit card information, they are going to try to hack into your work files.

It isn’t a matter of “if”. It’s a matter of when they will attempt to do so.

Don’t take my word for it. This comes from the head of the military’s cybersecurity division.  Admiral Mike Rogers has been preaching for months about the need for companies to take data privacy and cybersecurity seriously.  A recent news post reported on the importance Rogers has placed on this area for private businesses.

Corporations must successfully deal with cybersecurity threats, because such threats can have direct impacts on business and reputation, Rogers told the business audience. “You have to consider [cybersecurity threats] every bit as foundational as we do in our ability to maneuver forces as a military construct,” he said.

I have little doubt you’ll hear a lot more about this at an upcoming Data Privacy and Cybersecurity Summit that I’ve been helping to put together here at Shipman & Goodwin, in conjunction with CT SHRM.

It’s scheduled to be held on October 16, 2014 from 8a to 2p at the Crowne Plaza in Cromwell, CT.

The cost is just $75, which includes continental breakfast, coffee, buffet lunch, and the materials.  Full details as well as registration can be found here.

Speakers include myself, Shipman & Goodwin attorneys Scott Cowperthwait, Cathy Intravia and William Roberts as well as industry experts from Adnet Technologies, the Connecticut Attorney General’s office, ESPN, the FBI, FINEX North America, General Electric Company, JPD Forensic Accounting, Quinnipiac University, United Therapeutics Corporation, and United Technologies Corporation (UTC).

Hope to see you there. Register soon as spots have been filling up over the last week.