Legal Insights Q&A with Jason Seay
The Importance of Data Privacy Laws
Q: Why should my company be concerned about data privacy and security laws?
A: Data is a business asset and should be protected accordingly. There are numerous data privacy laws affecting small to large Oklahoma companies that are quickly changing and evolving in the face of technological innovation. Surprisingly, a significant portion of unauthorized data access incidents are due to company employees maliciously or carelessly accessing and exposing confidential company information. Data security and privacy laws can affect all companies, not just those exchanging high volumes of data.
Q: How do I determine my company’s data security issues and risks?
A: To determine what data security issues a company faces and what risks to mitigate, it is important to determine your company’s data flows: what information you collect; why you collect it; where it is located; who has access to it; how it flows between locations and parties; and the circumstances under which third parties interact with the data.
Q: Does my company need a data security compliance program?
A: Yes. A data security compliance program is the first step in mitigating cyber security risks. Depending upon the industry in which a company operates and where it collects and stores its data, a security compliance program may be required under applicable law.
Q: What should a data security compliance program include?
A: Generally, a compliance program should include: establishing and enforcing policies and procedures regarding privacy and data security; establishing programs for educating company employees and business partners about data privacy and security; establishing procedures for oversight of vendors who have access to your data; and establishing privacy incident response and breach notification procedures.
Q: Is there insurance available for cyber attacks and privacy breach incidents?
A: Commercial general liability policies typically exclude coverage for damage to electronic data and damage arising from the access of a company’s confidential information. However, some insurance companies offer coverage for certain types of claims. The coverages available under such policies typically include: security breach liability; replacement or restoration of data; business income and extra expense; extortion threats; and programming errors and omissions.