Recent media attention, including ubiquitous coverage of the Target Corp. security breach over the holidays, has highlighted the increase in security intrusions affecting organizations across industries. As technology moves forward exponentially, security threats and leaks continue to emerge.
“In the digital age, nearly every company holds personally identifiable information of its employees or customers in digital form,” says Christina D. Frangiosa, an attorney at Semanoff Ormsby Greenberg & Torchia, LLC. “It’s imperative that this information is protected from unauthorized disclosure and that companies have a plan to address any breaches.”
Smart Business spoke with Frangiosa about data protection, the role of state laws when it comes to breaches and the importance of assembling a strong data breach response plan.
How should a business go about protecting the data it collects?
First, it’s important to understand what kind of data are collected and what are stored. For instance, some companies collect credit card numbers in order to process transactions, but don’t keep them.
Once a company understands what it stores, it’s important to understand where the data are kept and who has access to them. Companies should limit access to relevant personnel and ensure that security protocols are up to date. If vendors or third parties will have access to these data, it is important to understand their policies so the company’s privacy policies can accurately reflect them.
Customers need to know what the company is going to do with their personal information before they entrust it. It’s essential that a company abide by the privacy policies it announces.
How should a business proceed if it experiences a data breach?
The first question to ask is, ‘What has been accessed and how many people have been exposed?’ Then it’s important to act quickly. Hopefully, the company already has a plan in place for locking down the data to prevent further breaches, for investigating the source and nature of the breach, and for notifying affected individuals. State laws will govern when and how affected individuals need to be notified.
What role do state laws play in notifying affected individuals?
Forty-six out of the fifty states have implemented data breach notification laws. Companies should consider such laws in each state where their customers reside or where they do business. These laws provide the timeline for reaching out to individuals affected by a data breach and, potentially, notifying credit agencies. The notification may need to happen very quickly after the breach occurs. Some data breach notification statutes provide exceptions to the notification requirement. However, companies should plan ahead so they know what their obligations are and are able to meet them promptly.
What type of personnel should be included in a data breach response team?
A data breach response team should include not only internal personnel — like IT, HR, legal counsel, facilities management, and upper management — but also external resources, such as forensic investigators, law enforcement, notification firms and consumer fraud protection agencies. It’s also important to enlist publicity/marketing personnel to help craft public communications about certain breaches. A security breach can have a negative impact on a company’s reputation. For instance, Target reported that its profits plunged 46 percent in the fourth quarter of 2013, largely due to revelations of customer data theft. Preventing further loss will be important.
Why is it so important for companies to be proactive about data security?
If a breach occurs, there will only be a short window of time in which the company has to act. Companies that have prepared in advance and developed a response plan will be in a better position to protect themselves, their customers and their employees. It’s important to reach out to potential resolution partners before there is an issue so that the company can complete its own assessment of available services and costs without needing to make immediate decisions in response to a ticking clock. ●
Christina D. Frangiosa is an attorney at Semanoff Ormsby Greenberg & Torchia, LLC. Reach her at (267) 620-1902 or firstname.lastname@example.org.
Insights Legal Affairs is brought to you by Semanoff Ormsby Greenberg & Torchia, LLC
Anything published online lasts forever, so it is important to set the right tone for your company’s online communications and to mean what you say from the outset. You might try to retract or amend these public statements, but it is relatively easy to find prior versions, thus causing embarrassing or false statements to not truly disappear, says Christina D. Frangiosa, an attorney at Semanoff Ormsby Greenberg & Torchia, LLC.
“It’s safer to wait to publish materials to the Web until you have confirmed they are accurate, not misleading and not based on someone else’s intellectual property rights,” she says. “False statements about either your company’s products or about a competitor or its products could lead to lawsuits claiming false advertising, unfair competition or commercial disparagement. Misuse of the company’s or a competitor’s intellectual property can result in a loss of rights, or even, perhaps, an injunction or damages.”
Smart Business spoke with Frangiosa about avoiding legal mistakes on the Internet.
How should you handle statements about your competitors and their products?
Avoid knowingly making false statements about a competitor or the quality of its products. Publishing statements about them without appropriate due diligence could result in negative publicity for your company, corrective advertising costs or monetary damages.
How does cutting and pasting content from other websites create copyright concerns?
Many users have a common misconception: If they can find ‘free’ content on the Internet, then they must be able to use that content for any purpose. Just because content may be freely accessible does not mean that you have a right to use it. Copyright holders have exclusive rights, including the ability to choose to publish or not to publish their works; posting something on a public website constitutes publication. Copying and pasting someone else’s images, text or video into your company’s website without permission could expose the company to copyright or trademark infringement suits, among other claims.
How might misuse in social media undermine company trademarks?
Companies today use their websites and social media to communicate about their products or services. Specific employees may be assigned to prepare and/or post content. These employees should be informed about how to use the company’s trademarks to further develop the brand and maintain existing rights. If employees misuse these trademarks on the company’s sites, they may unknowingly undermine the value of the brand, and perhaps cause problems for trademark renewals or other filings.
Some employees may also use the company’s marks on personal social media. For example, an executive might use a company logo rather than a headshot on his or her Facebook page. Any statement made on these pages about company business could be seen as a formal company representation, and perhaps cause problems for the company with the Securities and Exchange Commission or other governing bodies.
What can you do to protect against these pitfalls?
- Create your own content, rather than relying on design elements you see on other sites. This may have a higher upfront cost but could reduce your litigation exposure in the long run.
- Seek a license to use any content in which you are interested, and pay the appropriate royalty fee for its use. There are organizations that accept those royalty payments on behalf of content owners.
- Obtain images, videos or other content from a valid image collection service, authorized by the copyright owner.
- Ensure employees understand the source of the content they plan to use before they upload it to the company’s site. They should be trained to avoid the impulse to right-click, ‘save as’ and then upload.
- Avoid using a competitor’s trademarks to advertise your own goods or services.
- Ensure employees understand the appropriate use of trademarks.
- Establish a social media policy that includes explanations of limits on use of the company’s trademarks.
Christina D. Frangiosa is an attorney at Semanoff Ormsby Greenberg & Torchia, LLC. Reach her at (215) 887-0200 or email@example.com.
Find about more about privacy and intellectual property law on Christina’s blog.
Insights Legal Affairs is brought to you by Semanoff Ormsby Greenberg & Torchia, LLC