//////////////////////
Not if, but when HEALTHCARE / ENERGY / AEROSPACE / TECHNOLOGY
Arizona businesses need to realize the risk of data breaches, experts say By MICHAEL GOSSIE
“It will never happen to us.”
That misperception puts businesses at risk for data breaches, experts say. “The most common mistake is assuming your company won’t be breached because you’re not a large, multi-national company similar to the ones whose breaches are covered by the national media,” says Ari Bai, shareholder at Polsinelli. “In reality, however, every company is a target. Hackers, be they individual vigilantes, criminal organizations or nation-states, look for any and all data, and often the most accessible is that in smaller companies. Plus, small companies make for good ‘practice’ for hackers. Thus, when a company ignores the risk and does not set forth the proper protocols for protection and response, it is essentially asking to be breached.” The 2015 Association of Corporate Counsel (ACC) Chief Legal Officers Survey revealed that one quarter of general counsel report their companies have been hit by data breaches. And according to the 2015 Cyberthreat Defense Report, more than seven in 10 respondents said their networks were breached in 2014, up from 62 percent in 2013. The average cost of a data breach in 2013 for companies in the Unites States was $5.85 million. The scariest part about the threat of a data breach is that experts agree that there is no way to completely protect a business from becoming the victim of a data breach. “Once we develop a way to protect ourselves from something, the hackers are already using a new technique,” Bai says. “This is
86
AB | May-June 2015
why preparation is so important. Liability for lack of preparation can financially devastate a company. You are going to get hacked — with preparation, you don’t have to lose lawsuits.”
Being prepared Like any potential business catastrophe, limit a business’ risk of becoming the victim of a data breach starts with preparedness, according to Paul Stoller, shareholder at Gallagher & Kennedy. “Every company should work with its legal professionals and IT staff to create and to implement a comprehensive data privacy and security plan, which will help to remove, or at least to reduce, the risk of many of the common causes of breach,” Stoller says. Leon B. Silver, office co-managing partner at Gordon & Rees, says all companies, no matter their size, need to adopt data security as a core business practice throughout the organization and not look at it as something that is taken care of by one department or by an outside vendor. “Policies on mobile devices, passwords and encryption are just part of an overall culture of data security awareness,” Silver says. “But be aware, a breach can happen.” Heather Buchta, partner at Quarles & Brady says business leaders need to engage in some internal due diligence and ask themselves these questions: • What internal policies are in place to protect data? • Is there a policy against removing devices from the business location? • Is there a policy to encrypt data? • Even more basic, what kind of data does a company have?