Business Cybersecurity & the Cloud: Six Practical Steps to Avoid or Reduce Legal Liability
The technology questions and options surrounding cybersecurity and data storage in “The Cloud” can overwhelm even the savviest of CEOs. The legal issues, however, are often overlooked. Various federal and state laws govern certain types of data storage in the cloud and dictate what your business is required to do if your website or cloud storage is breached and customer data is lost. Failure to comply with breach notification laws can result in statutory damages of hundreds of thousands if not millions of dollars.
For these reasons, it is well worth the time and minor front end cost to review these laws and your online practices with a qualified attorney, but the brief checklist below provides common sense tools to make your employees, your online business activities and your cyber data practices more secure.
At SilverMcKenna, we recommend you turn to independent cyber-security experts to develop a secure infrastructure for your data and online practices, but we also urge our business clients to take the following SIX PRACTICAL STEPS to protect business data in the cloud, to secure customers’ data and sensitive information, and to make sure employees and management are working together to do so effectively and efficiently while preserving employee and customer privacy.
1. Employee Manual
a. This is a MUST have.
b. The manual should explain, in plain English, your business’s computer and cellular policies and practices, the privacy rights of the employer and the employee for cellular and online activities conducted via work-provided digital equipment, such as cell phones, computers, laptops and iPads, and the requirements for securing and handling client confidential information.
c. If doing business in Maryland, make sure your employee manual does not run afoul of Maryland’s 2012 Social Media Password Legislation
2. Technology Acceptable Use Policies (AUPs)
Every business should draft AUPs that (1) state what is acceptable use of work-provided digital devices; (2) identify what employees are entitled to access what data; (3) identify those authorized/responsible to handle IT and data security; and (4) are reviewed and signed by every employee
3. Website banner notices/terms of agreement
Your website should have a notice about your privacy practices and, depending on the nature of data you collect and business conducted online, you should have a click/wrap style terms of agreement
4. Written Guidelines for data security, data breach and data breach notification for customers
Written guidelines are an opportunity for you to communicate fully with your employees and your customers and clients about how your business handles data, what you do to secure data, what you expect of your employees to do the same, and what you and your employees will do when a data breach of customer or client information is discovered.
a. Talk to your insurance agent: Does your Commercial General Liability (CGL) policy of insurance or other insuring agreements include coverage for business online activities?
b. Have you secured a policy of insurance to provide coverage in the event of a data breach involving sensitive customer data or trade mark protected/copyrighted materials?
6. Contracting with a Cybersecurity Provider
Understand what service you are receiving: Is this a data storage service, a data security service or both?; Who handles breach notification issues?; Who is liable for data breaches? Have a written contract that spells this out.
If you have any questions, please contact Anne T. McKenna at 443-909-7496.