Cozen O’Connor – HospitalityLawyer.com (https://pre.hospitalitylawyer.com): Worldwide Legal, Safety & Security Solutions. Feed last built Mon, 13 May 2019 20:36:04 +0000.

Cybersecurity Best Practices — How General Counsel Can Prepare For The Worst
Published Thu, 16 Nov 2017 20:35:00 +0000
https://pre.hospitalitylawyer.com/cybersecurity-best-practices-how-general-counsel-can-prepare-for-the-worst/

Take note GCs: The question is not if you will have to respond to a cybersecurity incident—the question is when. That was the message from speakers and panelists at the Association of Corporate Counsel’s annual meeting this year.

Indeed, the majority of all U.S. businesses have experienced at least one cybersecurity incident in the last year, with some estimates as high as 80%. And a data breach involving so-called knowledge assets (confidential business information) costs an average of $5.4 million to resolve, up to a maximum of $270 million for the largest breaches.

The good news for GCs is that having a well-designed security program and incident response plan in place can lower the likelihood of a breach and greatly reduce the damage if one occurs. Some best practices discussed at the ACC meeting, and elsewhere, are worth considering:

Best Practices

  • Cultivate close relationships with IT directors so that the GC is among the first people contacted in the event of a breach or crisis.
  • Extend those relationships to as many IT employees as possible. Staff who feel personally responsible for a breach may hesitate to report it, and a trusted contact in legal lowers that barrier.
  • Evaluate and routinely measure employee security training levels.
  • Meet with as many relevant departments as possible to assess the specific risks and issues that could arise if/when a breach occurs.
  • Conduct a thorough survey of the data collected by the organization, focusing on employee, consumer, medical, and financial data, and determine if any data does not need to be stored.
  • Critically examine contracts and breach procedures of existing vendors that are privy to sensitive data or have access to internal systems.
  • Perform vendor due diligence before committing to any new contractual relationships and consider requiring vendors to fill out a questionnaire indicating their experience and policies with data breaches, training level of their employees, and general control procedures for sensitive data.
  • For vendors that have access to critical information, consider requiring the vendors to provide independent third-party security assessments or audits.
  • Create a standard data privacy and security addendum that can be attached to vendor contracts (which are usually drafted by vendors) to ensure that the organization’s data is protected, and include risk-allocation provisions that apply should the vendor suffer or cause a breach.
  • Monitor relationships with vendors to ensure continued compliance with contract provisions, applicable laws, regulations, and industry standards. Further, ensure that once the relationship ends, the vendor destroys or returns company data as appropriate.
  • Document the plan. Create a list of policies and procedures to be followed if there is an incident, and include clearly defined roles and individuals who need to be contacted.
  • Make sure to focus on the immediate aftermath of a breach — the first 48 hours being most critical — and ensure that internal and external communications keep stakeholders apprised as the situation develops.
  • Consider working with a public relations firm to develop consistent messaging that can be efficiently communicated in a crisis.
  • Create an internal response team, including members of management, IT, legal, and public relations that can quickly decide remedial steps and appropriate communication.
  • Consider the company’s overall insurance program and whether cyber risks are covered.

Authors

Matthew J. Siegel, Member, Cozen O’Connor
Ethan Price-Livingston, Associate, Cozen O’Connor

Protect Against Cyber Attacks: A New Guide to Help Small Businesses
Published Sat, 30 Sep 2017 19:13:22 +0000
https://pre.hospitalitylawyer.com/protect-against-cyber-attacks-a-new-guide-to-help-small-businesses/

No business is too small to be the victim of a cyberattack. In fact, as larger companies invest more resources in cybersecurity, attackers are increasingly targeting smaller, less secure businesses. It is important for every small business to understand the risks and be prepared. To help, the National Institute of Standards and Technology (NIST) recently published Small Business Information Security: The Fundamentals (NISTIR 7621 Revision 1). It provides a simple and actionable framework to help minimize security risks.

The NIST guide organizes its recommendations around five functions (identify, protect, detect, respond, and recover) and provides useful worksheets to help identify important types of data. We have reviewed NIST’s guide and supplied an overview of the takeaways:

  1. Know the Risks

Hackers and cyber criminals pose one kind of threat to data security, but environmental incidents and equipment failure can be equally devastating to the security of business information. Security threats can come from personnel within a business as well, so vet employees and provide security training.

  2. Identify Data

The first step in any risk management plan is to identify what data needs to be protected and understand what vulnerabilities exist. Create a list of all the information a business uses (e.g. customer names, e-mail addresses, banking information, employee information, etc.) and know who has access to such information. Additionally, it is important to identify any vulnerabilities in a business’s systems. It is highly recommended that companies engage an outside consultant to conduct a mock attack (a penetration test) to identify system vulnerabilities.

  3. Protect

NIST’s guide provides excellent recommendations on the use of encryption, securing wireless access points and installing network firewalls. However, the easiest and most often overlooked recommendation is to train employees on security policies and establish clear guidelines on how they can best protect business information.

  4. Detect

While some security events are easy to spot, many are not. Businesses should run anti-malware software and consider tools designed to detect intrusions. Additionally, keep logs of the activity that occurs on the network and review them regularly; these logs may show patterns (for example, repeated failed logins from a single source) that indicate an intrusion has occurred or is under way. An outside consultant can be valuable in interpreting these patterns, since a more serious problem may not be readily apparent.
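As an added example (not part of the NIST guide or of this article), the script below shows what the log review in the Detect step looks like in practice at the smallest scale: it parses a handful of constructed, OpenSSH-style auth log lines, counts failed logins per source address inside a sliding time window, flags a source that crosses a threshold, and escalates if that same source later logs in successfully. The sample lines, the year assumed for the syslog timestamps, and the threshold and window values are illustrative assumptions, not figures from NIST.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Linux auth.log / OpenSSH style. They are made up
# for this example (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:03 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  3 10:00:05 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 10:00:08 web1 sshd[1204]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar  3 10:00:10 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar  3 10:00:12 web1 sshd[1206]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Mar  3 10:15:00 web1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:15:30 web1 sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Mar  3 10:16:00 web1 cron[1400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches the sshd authentication lines we care about; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth line, or None for lines we do not model.

    Syslog timestamps carry no year, so one is assumed (hypothetical value).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m.group("ts").split())  # collapse the padded day field
    return {
        "ts": datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S"),
        "result": m.group("result"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def detect_bruteforce(log_text, threshold=5, window_seconds=300):
    """Flag sources with >= threshold failed logins inside a sliding window,
    and escalate if the same source later authenticates successfully.

    threshold and window_seconds are illustrative defaults, not NIST values.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    recent_failures = defaultdict(list)  # ip -> failure timestamps in window
    flagged = set()
    alerts = []
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            window = [t for t in recent_failures[ip]
                      if (e["ts"] - t).total_seconds() <= window_seconds]
            window.append(e["ts"])
            recent_failures[ip] = window
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "bruteforce", "ip": ip,
                               "failures": len(window), "at": e["ts"]})
        elif ip in flagged:
            # A success from a source already flagged is the signal that
            # matters most: the guessing may have worked.
            alerts.append({"kind": "success_after_bruteforce", "ip": ip,
                           "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the script raises one "bruteforce" alert for 203.0.113.7 on its fifth failure and a "success_after_bruteforce" alert when that address then logs in as root; the single failure from 198.51.100.4 followed by a key-based login stays quiet, and the cron line is skipped. The second alert is the one a small business should treat as an incident rather than noise, which is exactly the kind of pattern the paragraph above says an outside consultant can help interpret.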

  5. Respond

It is critical that every business develop a response plan to be followed after a security event has occurred. Appoint a person who will implement the plan, include the contact information of all internal personnel who should be notified, as well as directions on how to quarantine infected systems, if necessary. Furthermore, many states require customer notification after a security event. Thus, it is important to know state notification laws and how to properly comply.

  6. Recover

After a security event, it is important to evaluate the response procedures. Assess any weaknesses in the plan and make adjustments as needed. Restore from backups where possible; if no backup procedure for business data exists, implement one. Companies should also consider cyber insurance as part of any risk management plan.

The full guide can be found here: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf.


Authors

Matthew J. Siegel (Philadelphia)
Matthew J. Siegel works in the Global Insurance Department, focusing his practice in the areas of insurance coverage, cyber and technology risks, electronic discovery, construction litigation, and commercial litigation. He also co-chairs the firm’s Privacy, Data and Cybersecurity Industry Team and is a…
Email: msiegel@cozen.com
Phone: (215) 665-3703

Taylor P. Widawski (Seattle)
Taylor is an associate in the firm’s Seattle office. Taylor’s practice focuses on litigation with an emphasis on technology and privacy related matters. Taylor has experience defending against consumer class actions as well as litigation involving software licenses and general business disputes. She…
Email: twidawski@cozen.com
Phone: (206) 224-1285

Limiting Employees’ Hours to Dodge the ACA’s Employer Mandate Could Violate ERISA
Published Tue, 12 Apr 2016 19:39:00 +0000
https://pre.hospitalitylawyer.com/limiting-employees-hours-to-dodge-the-acas-employer-mandate-could-violate-erisa/

In a move that brings many employers’ fears closer to fruition, a federal district court recently ruled that an employee may proceed with a class action lawsuit alleging that her employer violated the Employee Retirement Income Security Act (ERISA) when it reduced employees’ hours to avoid incurring increased costs under the Affordable Care Act (ACA). The case, styled Marin v. Dave & Busters, Inc. et al., could be a watershed one, and employers would be wise to watch it closely.

Underlying the case is the “employer mandate” set out in the ACA, which requires that all businesses with 50 or more full-time equivalent (FTE) employees provide health insurance to at least 95 percent of their full-time employees or pay a monthly fee. In June 2013, amusement chain Dave & Busters reduced the number of FTE employees at its Times Square store by reducing the number of hours employees were scheduled to work, according to the Marin complaint. This was done in an effort to reduce the costs the company would incur under the ACA’s employer mandate beginning in 2015, the plaintiff alleged. Significantly, before the reduction, the plaintiff had been covered under the company’s health insurance plan, which qualifies as an employee welfare benefit plan under ERISA.

The plaintiff alleged that in reducing employees’ hours in this way, Dave & Busters violated Section 510 of ERISA, which makes it “unlawful for any person to discharge, fine, suspend, expel, discipline, or discriminate against a participant or beneficiary for exercising any right to which he is entitled under the provisions of an employee benefit plan …” The plaintiff’s theory — advanced on behalf of a proposed class estimated to comprise 10,000 members — is that the curtailment of her working hours constituted discrimination against her “for the purpose of interfering with the attainment” of her right to health coverage under the employee benefit plan.

In support of this theory, the plaintiff alleged that Dave & Busters specifically intended to interfere with her right to health insurance. The complaint states that the company’s general manager and assistant general manager claimed during meetings that the ACA would cost the company 2 million dollars and that it was reducing the number of full-time employees in an effort to reduce those costs. The complaint further alleges that this plan was executed on a nationwide scale, resulting in employees’ losing their full-time status, suffering reduced pay, and losing their eligibility for medical and vision benefits.

Dave & Busters moved to dismiss the complaint, arguing that:

  1. Because neither ERISA nor the ACA gives an employee the right to ACA-compliant health coverage, the plaintiff could not meet her burden of showing that the company took any action “for the purpose of interfering with the attainment of any statutory right”;
  2. Plaintiff failed to state a claim to the extent that she sought “to impose liability based on an alleged deprivation of coverage under an ACA-compliant health plan that did not exist at the time of the challenged reduction”;
  3. The complaint alleges only that the company reduced employees’ hours in 2013 to avoid incurring expenses under the ACA’s employer mandate beginning in 2015, with no allegation that the company did so for the purpose of depriving employees of then-existing benefits. Therefore, Dave & Busters argued, the complaint fails to plead a key element of a claim under Section 510 — specific intent to interfere with existing benefits; and
  4. The complaint fails as a matter of law for want of alleged facts “showing that plaintiff (or any putative class member) was ‘targeted’ for adverse employment action based on any ERISA-related characteristic distinguishing her from employees whose hours were not reduced.”

After full briefing, oral argument, and supplemental briefing, the U.S. District Court for the Southern District of New York focused on the argument that an employee is not “entitled” to benefits not yet accrued, and that a “plaintiff must show more than ‘lost opportunity to accrue additional benefits’ to sustain a [Section] 510 claim.” The problem with that argument, the court said, is that the complaint does not merely allege lost opportunity to attain benefits in the future. Rather, “[t]he complaint, fairly read, alleges that Defendants intentionally interfered with [Plaintiff’s] current health care coverage, motivated by Defendants’ concern about future costs that would become associated with the plan’s health care coverage.” The court found this sufficient to overcome the motion to dismiss.

The Take-Away for Employers

This case should serve as a reminder to employers that, absent any concrete legislative or judicial guidance, they must engage in a careful analysis to determine which of the following options makes the most sense given their particular circumstances:

  1. Follow the employer mandate, and accept the associated costs.
  2. Reject the mandate, and accept the penalty fees. While the financial exposure attendant to this option may be significant, it is predictable and finite.
  3. Adjust their employee welfare benefit plans in an attempt to eliminate any contention that employees are entitled to health insurance thereunder. While this option could throw up a road block against claims like the one presented in Marin, it carries its own set of uncertainties.
  4. Adjust their staffing approach to reduce the number of FTE employees covered by the mandate. As Marin illustrates, though, this option carries potentially significant litigation risk.

For many employers, these options read like a menu of spoiled food. Unfortunately, for the time being, employers must balance the amount of expense they are willing to incur against the degree of risk they are willing to bear, and make a choice they can stomach. Moreover, if the last option is the preferred course of action, it is important to instruct management that publicly blaming the reduction in hours on the ACA or “Obamacare” could be used against the employer in an eventual lawsuit under ERISA.
