“How do we begin to covet? We begin by coveting what we see every day.”
― Dr. Hannibal Lechter in The Silence of the Lambs
Are you worried about your company’s, employee’s and/or customer’s data being hacked by sophisticated criminals or cyber activists from China, Russia, North Korea, or other far off lands? Does the idea of losing your business’s hard-earned credibility and trust with the stroke of a key or two keep you up at night? You are not alone. An enterprising TV network could get high ratings with a late, late show catering to the business owners, senior management, and general counsel who are restless with thoughts of the class action lawsuits that are hitting Target, Home Depot, Sony, Anthem and others. But, while you have to be ever vigilant to protect your business from the type of all-out-assault that is grabbing headlines, you can’t afford to overlook the threat lurking in the next office.
Did you know a recent study found the most likely threat to information security is not the overseas hackavist, virus or worm, but rather the malicious or careless corporate insider? That’s right, employees caused more data breaches that any other source, 39% of reported breaches according to recent research. Note, I said “reported” breaches, which does not include the breaches employers do not discover or the ones they do not report. All this means it is a matter of when your data will be compromised, not if. Worse yet, when the breach is caused by a defecting employee, the information stolen can be the most crucial to your business’s success and the most harmful to its reputation.
On the one hand, employers who are the victim of malicious data breaches by employees or other insiders have a web of state and federal protections (and, hopefully, contractual rights) to help make them whole, but, on the other hand, the reality of the “unknown unknowns” and costs of recovery virtually assures that winning a lawsuit still means losing, at least, a little. If your employee steals important data to establish a new business, you may well have the legal means to put a stop to it, but you may not be able to recover the customers you lost (or the revenue from the future customers those customers would have sent your way) or succeed in collecting a monetary judgment from a former employee who invested all of his assets into his start up that is sputtering under the weight of litigation.
Breathe deeply. This blog post isn’t a horror show or an existential meditation on futility. Rather, there are key practical steps businesses should take to guard against this growing threat from within, which include:
- Binding employees to contracts that tightly limit access to and use of key information and provide for strong remedies in the event of breach;
- Storing only the electronic data needed to run your business and securely archiving data that is not needed on a routine business or that is merely held for contingencies (hackers can’t take what they can’t access);
- Tightly limiting employee access to data on a need-to-know basis so that the entire organization does not have access to it (does your east coast sales manager really need access to the west coast’s prospect list?);
- Using the latest cyber tools to protect from infiltration and detect potential hacks;
- Enforcing security protocols and controls, including requiring regular updating of passwords;
- Locking in protections and allocating the risk with agreements with vendors who are given access to data;
- Establishing appropriate insurance coverage;
- Developing a data breach plan to designate a crisis response team and identify a process for addressing the breach in hours, not days; and
- Working with counsel to understand the scope of your liability and how to mitigate it in anticipation of a possible breach.
In sum, the ways in which the information age allows data collection and access that drives efficiency in business are the same ways it creates vulnerabilities. Employers cannot afford to overlook the likelihood of a data breach from within. By anticipating it and planning for it, employers can mitigate their damages.
Questions? Let me know.