By Kelly Frey
In the digitally driven marketplace, most companies understand that personal data collected on their websites must be protected. What isn’t quite so obvious is that even when a business exercises due diligence in protecting such data, it can still be liable for loss of data caused by security flaws outside its control, such as the recently exposed and deeply pervasive Heartbleed bug. Heartbleed was a defect in OpenSSL’s implementation of the TLS heartbeat extension that let an attacker read chunks of a server’s memory, exposing the very information OpenSSL is designed to protect: private keys, session cookies, passwords and other personal data.
Could small businesses using OpenSSL encryption have thwarted the Heartbleed flaw outright? Probably not. The defect was present in widely deployed OpenSSL releases for roughly two years before it was discovered, and remediation required more than a software update: affected servers had to be upgraded to a patched OpenSSL release, and because private keys may have been exposed, certificates had to be reissued and users told to change passwords. But regardless of whether your business could have discovered or fixed the bug, it could still be liable for damages resulting from it.
The Power of Policies
Though most of the websites vulnerable to the Heartbleed bug have been fixed, other flaws in Internet security will inevitably arise. Business owners and CIOs should take this opportunity to be forward-thinking about how to protect their customers and themselves before they find themselves in a sticky legal situation.
- Revisit privacy and security policies. All companies need to have privacy and security policies posted on their websites and update them in response to any known vulnerabilities. At least once a year, and especially after any known security vulnerability, you should review your security procedures and your posted privacy and security policies to ensure they are factually correct, consistent with industry standards, and tailored to the digital environment within which your business actually operates. A posted policy that promises protections your systems do not actually provide is itself a liability.
- Be ready to respond. It is critical for companies to have explicit remediation processes in place to quickly address security issues: who decides whether a flaw affects you, who applies the fix, and who notifies customers. For smaller businesses, this may require hiring in-house security expertise or retaining consultants who can respond quickly when a flaw is announced. Failure to adequately respond to security issues could substantially increase your business’s legal risks and liability.
- Plan for “the next bug.” If your business engages in digital commerce, you must treat security flaws as an inherent risk of operating on the Internet and budget and plan accordingly. Allocate funds both to prevent security breaches and to deal with them quickly when they do occur. Make sure your insurance policies cover liability associated with security breaches and loss of data. Also, keep an “escalation list” of professionals such as lawyers, digital forensic specialists and public relations professionals who can immediately assist with damage control and remediation if your customers’ information is compromised.
Kelly Frey is a partner in the Nashville office of Dickinson Wright, PLLC. He focuses his practice in technology law and intellectual property law. Reach him at firstname.lastname@example.org or (615) 620-1730.