How to Reduce Your Company's Attack Surface

Data-breach advice from attorneys in Northern California

California is the winner of an unwelcome title: the state with the most data-breach incidents (1,500—twice as many as runner-up New York) and exposures of consumers’ personal records (5.6 billion total) since 2008.

The state’s size and concentration of tech and internet companies no doubt has much to do with these metrics, but the problem is worrisome for all business owners who increasingly rely on data as the currency of commerce.

“You’re looking at a situation where people—and businesses equally—don’t even recognize how much exposure they have,” says Jack Russo, managing partner and intellectual property litigator at ComputerLaw Group in Palo Alto. A company’s “attack surface,” as he calls it, increases along with its social media and internet presence.

There are some proactive measures, many of them low-cost, to decrease the risk. Litigator Daniel Zarchy, with Buchalter PC in San Francisco, recommends that companies inventory the data they store, create a coding system based on sensitivity, and restrict employee access accordingly. Problems tend to arise, he says, when businesses store more customer data than their customers realize, or they fail to enact basic security protocols and patches, as was alleged in the class action suit against credit-reporting agency Equifax, whose 2017 data breach ended in a $425 million settlement.

Having an informed team is half the battle. “There are a lot of organizations which provide commonsense, non-tech-speak company training and policy guidelines,” says Zarchy, who is certified by the International Association of Privacy Professionals. California-based nonprofit Secure the Village, for example, offers digital resources, webinars and in-person sessions. Guidance is also available through the U.S. Small Business Administration and New York-based nonprofit Center for Internet Security.

To be effective, safeguards must be applied consistently. Although minimum security procedures like password protection are widely used on computers, tablets and cellphones, other portable technology is often overlooked. “Storage devices used in the course of business, like a thumb drive or external hard drive, should be password-protected,” advises Anthony Isola, an employment & labor attorney at Fisher & Phillips in San Francisco.

Two-factor authentication is another underutilized tool, especially helpful for fending off phishing. It’s a good way to make sure a hacker can’t get into your system with just a password. And setup often takes just a few minutes.

Of course, the potential for human error, coupled with society’s reliance on technology, means businesses must operate under the assumption of when, not if, a hacking attempt will occur.

Russo says it’s pretty much a game of cat-and-mouse: “The mousetrap gets more and more sophisticated, but the mice get the cheese, regardless of how much the mousetrap is bolstered.”

So what to do when a breach takes place? The lawyers offer four tips:

  1. Patch the security hole.
  2. Investigate.
  3. Notify customers.
  4. Recover.

Most critically, have a prearranged game plan that identifies key roles, such as the person in charge of overseeing each task.

“Figure out what was taken,” advises Zarchy. “You have to know that before you can notify anybody, because you don’t want to stir up panic when you don’t actually have the answers.” He notes that it pays to check your insurance policy: “Sometimes companies have insurance that will pay if they shut down operations for a few days to figure out their data situation.”

All 50 states require companies to inform consumers when their personal information is exposed. In addition, California has a new consumer-privacy law that took effect this year. Although its mandate targets mainly larger companies, Zarchy notes that ignoring basic security guidelines can get any size—or type—of business into trouble through civil liability. Last, consider involving law enforcement or pursuing an injunction against the cyber-criminals if they can be identified.
