Retail. Financial services. Health care. Energy. Not an industry has been spared when it comes to recent data and cyber breaches, and the colossal damage that occurs to the interests of the company, its employees, and third parties (customers, vendors, etc.) due to a breach. Whether by employees disclosing things through social media or by outside hackers wreaking havoc, the news continues to be riddled with cyber-related issues that your company should be thinking about if you haven’t already.
The government continues to take action. For example, the Florida Senate just recently passed unique legislation imposing certain obligations on companies to secure personal information and to provide certain notice when a breach occurs. Among the highlights of the Florida Information Protection Act of 2014:
- Personal information is defined to include an individual’s first name or first initial and last name, together with one or more of a social security number, driver’s license or passport number, bank/credit/debit card number and password, medical- or health insurance-related information, and e-mail address and password.
- Covered entities must take “reasonable measures to protect and secure data in electronic form containing personal information.
- Covered entities must comply with certain substantive and procedural notification requirements upon a breach of security affecting 500 or more individuals in Florida. Separate notice requirements apply to the affected individuals, as well as to the State Department of Legal Affairs.
Employer Take Away: What should you as an employer take away from this development?
You know an issue is a critical component of an employer’s operations when government entities – any government entity – can act relatively quickly on an bipartisan basis to propose and adopt legislation addressing the issue. Here are 4 questions for you on this one:
1. Has your company internally audited whether you are at risk for a data breach prior to a breach occurring?
2. Has your company developed protocols and practices for how to respond internally and externally in the event of a breach?
3. Has your company reviewed existing and potential insurance policies as one strategy for cyber risk management? An interesting article in today’s New York Times talks about developments with cyber insurance.
4. If you’re not in Florida, has your company figured out what the data breach requirements may be in your company’s jurisdiction?