In recent years, as an increasingly large amount of our information is stored on computers and throughout the internet generally, the notion of cyber security, especially in relation to Personally Identifiable Information (PII), has become a progressively important and even daunting concept. Under Minnesota statute 325E, “personal information” means an individual’s first name or first initial and last name in combination with (1) their social security number, (2) their driver’s license or MN identification card number, or (3) their account, credit, or debit card number when in combination with any required security code or password that allows someone access to an individual’s financial accounts. In other words, it’s information that, in the wrong hands, can do a lot of damage to someone, especially in a financial sense.
On the front end, there are many ways in which a person or company can limit their exposure to the risk of others accessing PII. Generally, third-party vendors carry a particularly high risk, and because of this, contracts addressing privacy, indemnity, and the right to audit are widely recommended. Additionally, and perhaps most basically, when dealing with a third-party vendor, be inquisitive: ask about their security processes, the firewalls that are in place, and the encryption methods they use. Questions like these may not only lead to increased confidence in a given third-party vendor, but could also result in a larger conversation about risk management or even new ideas for the security of your own PII. More internally focused precautions to consider include obtaining some form of cyber security insurance, reviewing the physical security of certain hardware, properly training personnel on network security protocol, and having a clearly defined plan for when things go wrong.
But just what happens when a breach actually occurs and PII is exposed? A widely accepted six-step incident response cycle was developed by Kurtis Holland in 2014 with this very question in mind. First, it is ideal to have prepared for an incident, as evidenced by a written plan. Second, you must be able to identify the breach, usually by way of an observed anomaly or detection software. Third, contain the breach as much as possible in order to mitigate the risk. Fourth, use either internal or external IT professionals to eradicate the malware. Fifth, resume normal functions and fully recover. Sixth, and perhaps most importantly, evaluate the incident that occurred and, if necessary, make the proper adjustments to avoid it happening again. It is also worth noting that when PII has been acquired by an unauthorized person, the breached person or business is statutorily required to disclose the incident sufficiently and in a timely manner. Doing so in compliance with the law while still protecting your business is an important process.
When data breaches do occur, one can expect things such as lawsuits to follow not long afterwards. For example, the infamous Target breach of 2013, which affected approximately 41 million people and was thus one of the bigger data breaches in recent history, resulted in the company paying an $18.5 million settlement to 47 states and the District of Columbia. It is for this reason that it is highly recommended that you discuss matters such as PII, cyber security, and breach liability with an experienced lawyer.