Answer: YOUR COMPANY!
When your company has a data breach, these are the top 3 questions that you will be required to answer:
- How did the breach happen?
- What steps did your company take before the breach to protect the data and keep it from happening?
- What steps is your company taking after the breach to ensure this does not happen again?
These 3 questions serve as the framework for how you need to think about your company’s data security policies, procedures, and systems. A great response to the second question is to show that your company had — both for itself and third parties with which it does business — adequate security policies, procedures, and systems and that they were audited. This is the focus of a blog post I co-authored with Scott Geye that was recently published on Whitley Penn’s In the Black blog.
Here is a brief excerpt:
If a company suffers a data breach that results in the compromise of PII, the company is then required to follow applicable breach notification rules and disclose the breach to, in most cases, certain governmental bodies, agencies, industry groups, and the consumers whose information was compromised. When this happens, the first thing many of those will ask is “how did the breach happen?” and the second thing they will ask is “what steps did the company take before the breach to protect the data and keep this from happening?”
When the company has been proactive and prepared for this, it can minimize the potential enforcement actions that will come against it if it can show two things: First, that it had strong data security policies and procedures in place. Second, that its data security policies and procedures had been properly audited. The message that these two steps send is that the company took its data security obligations seriously and that it was diligent in following up to ensure that it had done so. Something as simple as this can make a very big difference when others, such as those governmental bodies, agencies, industry groups, or even a jury, look back with the 20/20 vision of hindsight and decide whether the company should be penalized because of the data breach.
* * *
The framework for reporting on internal controls for data privacy at service organizations has already been established. You may be familiar with Service Organization Control (“SOC”) reports. SOC reports include both SOC 1, which is intended for reporting on service organization controls over financial reporting, and SOC 2, which is intended for reporting on service organization controls that meet the Trust Services Principles Criteria. The Trust Services Principles Criteria define five principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Currently, the demand for SOC 2 Privacy reports has been minimal, but the demand will likely increase as more organizations seek to gain assurance over their service organizations’ compliance with the growing number of data privacy regulations.
About the author
Shawn Tuma is a lawyer who is experienced in advising clients on complex digital information law and intellectual property issues. These issues include trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as violations of the Computer Fraud and Abuse Act. He also helps companies with data security issues: assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas, located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex, including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.