“One of the most common misconceptions on data privacy with respect to the new internet of things,” states Irvine employment attorney Usama Kahf, “is that if a data breach occurs, there must be liability against somebody. But you know what? Data breaches happen to the best of us, they happen even if you do everything right and take every precaution technologically feasible; it still happens.”
“If things like this go to court, it’s usually a battle of the experts as to what’s considered best practice,” he says. “What’s best practice for a small mom-and-pop shop in a small town versus a multinational company in a metropolitan area? It’s going to be a different standard based on circumstances.”
Regardless of a client’s size, Kahf recommends an external independent audit of its data security—with the emphasis on independent. The review should be carried out by an IT specialist who is not part of the company and has no prior working relationship with it, so that the assessment is credible and will hold up under later scrutiny if something goes wrong. Kahf stresses that even small companies, those with fewer than 25 employees, should take this precaution on a regular schedule, and that some businesses, such as medical or financial firms, face greater risk than others. For most companies, he recommends a security audit at least every three years.
Even with best efforts, data breaches do occur. What then? Kahf advises his clients on what to do once a breach is discovered. The first step is notifying those who may have been affected, and then fielding their calls, which can be challenging.
“People are understandably angry when their private data has been breached, but what most people don’t know is that there is no absolute liability for data breach,” Kahf explains. Liability is assessed based on whether the company subject to the breach failed to take reasonable steps under the circumstances to protect the information. “Mistakes can happen to the best of us, but as long as you did everything in your power to try to prevent it, and it happened anyway, that’s OK,” Kahf adds. “Then you would be judged on your post-breach actions. Even though it’s not your fault, you still have to take certain actions to try to remedy or mitigate harm.”
Even in our personal lives, we are all at risk of having our private data disclosed. Does Kahf have any advice? “I recommend that people be more vigilant. Some people are less careful with their data than others. For example, I don’t think you should ever have a public Facebook profile, unless you need one for business purposes. Even a private one can still get hacked. But the public one is a source of information for people who want to hack your data. They’ll learn all sorts of things about you, like your cat’s name, your child’s name, your birthday, things they’ll plug into their algorithms to figure out what your passwords are. I think people just need to be more vigilant about whom they share their data with and what they do online.”
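The “algorithm” Kahf refers to is usually a wordlist generator: an attacker takes the handful of facts a public profile leaks (pet name, child’s name, birthday) and expands them with mangling rules such as case changes, appended dates and common suffixes. The following is an added example, written for this page and not taken from the article or from Kahf, that runs that expansion as a self-check: given a constructed sample profile, it reports whether a proposed password falls inside the set an attacker could derive from it. The profile contents, rule set and function names are all assumptions made for illustration.

```python
"""Added example (not from the article or from the attorney quoted in it).

Builds the password-candidate set an attacker could derive from public
profile facts and checks whether a proposed password lands inside it.
The sample profile below is constructed for illustration.
"""

import itertools
from datetime import date

# Constructed sample of what a public profile might leak.
PUBLIC_PROFILE = {
    "names": ["Whiskers", "Emma"],   # cat's name, child's name
    "dates": [date(2015, 4, 12)],    # a birthday shown on the profile
}

# Mangling rules of the kind real wordlist tools apply (assumed, kept small).
SUFFIXES = ["", "!", "1", "123", "!1", "?"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def case_variants(word):
    """lower / UPPER / Title forms of a single token."""
    return {word.lower(), word.upper(), word.capitalize()}


def date_tokens(d):
    """Ways a birthday typically appears in a password: 2015, 15, 0412, 1204, 04122015 ..."""
    yyyy, yy = f"{d.year:04d}", f"{d.year % 100:02d}"
    mm, dd = f"{d.month:02d}", f"{d.day:02d}"
    return {yyyy, yy, mm + dd, dd + mm,
            mm + dd + yyyy, dd + mm + yyyy, mm + dd + yy, dd + mm + yy}


def candidates(profile):
    """Expand the profile's tokens into the attacker-derivable candidate set."""
    words = set()
    for name in profile["names"]:
        for v in case_variants(name):
            words.add(v)
            words.add(v.translate(LEET))   # e.g. "emma" -> "3mm4"

    dates = set()
    for d in profile["dates"]:
        dates |= date_tokens(d)

    out = set()
    for w in words:
        for tail in itertools.chain([""], dates):
            for suf in SUFFIXES:
                out.add(w + tail + suf)    # "Whiskers2015!"
                out.add(tail + w + suf)    # "2015Whiskers!"
    for a, b in itertools.permutations(words, 2):   # "EmmaWhiskers123"
        for suf in SUFFIXES:
            out.add(a + b + suf)
    return out


def derivable_from_profile(password, profile=PUBLIC_PROFILE):
    """True if the password is in the set derivable from the profile (exact match)."""
    return password in candidates(profile)


if __name__ == "__main__":
    pool = candidates(PUBLIC_PROFILE)
    print(f"{len(pool)} candidates from two names and one date")
    for pw in ["Whiskers2015!", "emma0412", "3mm4123", "correct horse battery staple"]:
        print(f"{pw!r}: derivable={derivable_from_profile(pw)}")
```

The point of the check is the size of the set, not the specific rules: two names and one date already yield well over a thousand guesses that a modern cracker tries in a fraction of a second, so a password that looks "strong" because it mixes a name, a year and a punctuation mark offers no protection once those facts are public. A password manager's random output, or a long passphrase unrelated to anything you have posted, stays outside this set no matter how much profile data is harvested.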
If your firm or business is responsible for others’ private data, make sure you are doing all you can to protect it. Talk to a data privacy attorney about what steps you should take to prevent a data breach and to shield your business from possible data breach liability.