Doing Business in 2019? You Should Be Thinking About Data Security

February 6, 2019

This is part one of a three-part series about data breaches and the requirements of Pennsylvania law relating to data breach notification.

If the events of the past few years are any indication, the scale and frequency of data breaches will only increase in 2019. According to Experian’s 2019 Data Breach Industry Forecast, in the first half of 2018, the number of records compromised exceeded the total number of breached records for all of 2017.

In the event of a data breach, legal compliance obligations can be daunting, particularly if your business stores personally identifiable information for residents of other states. All 50 states have data breach notification laws, each of which is slightly different. And do you store information about residents of the EU? Then you may need to worry about how the GDPR applies.

While national headline news has been made by data breaches by companies like Marriott, Yahoo, Equifax, Target, and eBay, it’s foolish to think “that can’t happen to me.” After all, a company is a company, no matter how small – we all experience technology risks. For example, a Central Pennsylvania company recently settled litigation stemming from an April 2014 data breach case which required them to pay damages to class action participants and over $200,000.00 in legal fees. Not included in these dollar amounts are the reputational harm and the time spent dealing with the data breach and its aftermath rather than on revenue-generating activities.

Nearly all businesses store information in a computerized format, and as you’ll see in the next post in this series, as soon as you store personal information on a computer, you are likely subject to data breach notification laws.

Not sure where to start? Here are a few resources to get the process started:

Federal Trade Commission – Protecting Small Businesses

Lancaster Law Blog – A Company’s a Company, No Matter How Small – Being Mindful of Technology Risks As a Small Business

The Balance – What Does a Cyber Liability Policy Cover?

With the foundation provided in the above resources, we recommend contacting your information technology professionals and legal counsel to assess your current risk and to develop a plan to mitigate that risk. That may involve a combination of technical changes, updating policies, processes, and procedures, changes to contracts, and making sure you have appropriate insurance coverage.

Matt Landis is an attorney at Russell, Krafft & Gruber, LLP, in Lancaster, Pennsylvania. He received his law degree from Widener University Commonwealth School of Law and works regularly with business owners and entrepreneurs. Matt is one of the founding members of the RKG Tech Law Group.