In this episode:
- Issues facing businesses – Ransomware, employee negligence, malicious employee revenge, business email compromise. What constitutes a “breach,” as well as Utah’s Protection of Personal Information Act.
- Creating an Information Security Plan – Being proactive about assessing your company’s assets, risks and management. Creating policies to address them.
- Breach response – What does an Incident Response Plan look like, how is it implemented, who do you call first, what do you have to think about when there has been a breach?
A cybersecurity incident can do significant damage to your business, costing you customers and damaging your reputation. But there are also significant legal concerns to keep in mind as you put your cybersecurity protections in place. This week, we talk with Elaina Maragakis, a cybersecurity law expert at Ray, Quinney & Nebeker who helps us understand what you can do today to be ready to respond to a cyber incident and how to stay on the right side of the law.
“Oftentimes people don’t think they have a lot of information that would be attractive to hackers, or don’t have any information that might be useful to someone who has malicious intent,” says Maragakis. “If you really start to dig in, you realize that pretty much every entity has some kind of information that would be attractive to a thief.”
That makes sense when you consider that a data breach is really any sort of unauthorized disclosure of data or information. Maragakis says that can range from a receptionist in a doctor’s office leaving a medical record on the counter where other patients can see it, to a laptop with your work information being stolen from your car, to working on a laptop on a plane when another passenger can see your screen. More likely, a data breach could come when an employee leaves an organization but takes sensitive data with them to use at a later time.
“A breach can be one record,” says Maragakis, citing a case in California that was just one medical record that was compromised. “You sometimes think it isn’t really that big of a deal, but if there is any unauthorized disclosure there is a breach and you need to address it.”
Maragakis says one of the first things a business needs to do is determine who within the organization needs to know each type of information. Under most laws, some sort of notification is required when a breach occurs.
“This is where it gets very tricky and where legal counsel can be absolutely critical,” says Maragakis, noting that the jurisdiction is based on the state of residence of the person affected by the breach. “You are going to potentially have to navigate the state laws of 47 states plus whatever additional regulations you are subject to. Or internationally, and that’s a completely different ballgame.”
As you can see, breach situations and the legal ramifications can get pretty complex in a hurry. Is your organization prepared? Listen to the full conversation with Maragakis for more information.