When household brands suffer data breaches, you’re on notice that your business could be the next potential target for cybercriminals.
This has the potential to impact your brand, reputation and worse. There are also regulatory and legal obligations in most jurisdictions that require you to safeguard and secure consumer data. Fail to do this and you risk exposing yourself to legal liability and even litigation from your partners, clients and customers.
The sensible thing to do is to have a policy and plan of action for dealing with cyber security breaches, with a clear awareness of the legal implications.
If you are not sure how prepared your business is for litigation, start by asking these 3 questions:
1. How secure is your operation?
Your cybersecurity program not only needs to be as hacker-proof as possible, it needs to be ready for litigation. The better your cybersecurity program protects your assets against reasonable and realistic threats, the better it will stand up in court when someone’s questioning how seriously you took your duty of care. A court is unlikely to expect your cybersecurity program to be bullet-proof, but it must be highly defensible. You must be able to show that it was given careful thought and was reasonable in all circumstances.
2. Are my staff up to speed?
Your staff can be the weakest link when it comes to cybersecurity, so make sure they understand their responsibilities. Consider the need to upskill, re-hire, or supplement IT staff if you don’t have people with right skill set. You need someone with exemplary security credentials, an individual who can take the witness stand and speak about your security measures with real authority.
3. Other questions to ask
You also need to be constantly asking yourself these questions - things you could be asked in court by a lawyer trying to prove you didn’t do enough. So, make sure you have watertight answers before declaring your cybersecurity program is up to standard.
Are we sure what we’re doing is best practice? How do we know? Can we show how we came to these conclusions?
What security measures do we use to protect our data?
Have we declared our objectives and plans in writing, so everyone is clear?
Does our cybersecurity program take into account business strategy—are we across any planned mergers?
Do we know the risks posed by our vendors and other partners?
Are we mitigating all the potential cybersecurity risks?
Do we have an emergency plan for a sudden attack? Why is it the best plan possible? Does everyone know what it is?
Has everyone been trained in the physical security of IT (e.g. laptop theft) and social engineering attacks?
How are we making sure this isn’t all written out and just put in a drawer?
Fail to ask the right questions and you risk exposing yourself to a fine, litigation or worse. The key is to be prepared and have an effective cybersecurity policy in place before an event occurs.