How Publishers Can Protect Their Data & the Privacy of Their Customers
In the “data wars” being fought today, hackers are targeting computer systems and individuals’ accounts, meaning that consumers are often their top targets and victims. But that does not mean that businesses are immune -- far from it. Businesses are composed of people and the most valuable data, and the richest targets available, relate to human beings. In book publishing, the data these hackers want are subscriber information, including credit card information, publisher-author contract content, delivery and publication dates, and author royalty payments or calculations. And as publishers collect more data about their readers online, through ecommerce and direct marketing efforts, they may be leaving those customers and themselves vulnerable to hackers. It’s a war no one wants to have to fight, but we all have to be ready.
What are the steps publishers need to take to protect their data assets? Here are some steps to consider:
- Create a strong data governance program and data security program
- Create a data breach incident response plan
- Encrypt your data
- Use arbitration clauses in agreements that address potential class actions
- Obtain cyber-security insurance
- Retain a data breach resolution provider
- Exercise due diligence in selecting third-party vendors
- Create best practices for how to handle your own data
These are great conclusions, but what actual steps and real-life actions would you have to take to implement these suggestions?
Let’s take a look at the three most important points above and unpack them. Bear in mind that many if not most of these will have to be wrangled by (a) your IT staff (as supplemented by any outside experts you may want to retain) and (b) your lawyers, inside -- if you have a legal department -- or outside counsel, hopefully someone who has some experience and expertise in this field.
1. Look Into Insurance Before a Data Breach
This is the kind of remedy, like flood insurance, that you turn to only after something bad happens -- it won’t prevent a problem, but it will soften the blow, in the form of the ability to pay for the remedial steps you may have to take in the event of a data breach.
What would insurance cover? The costs of remediation, for starters. Depending on how many actual “records” you have, the cost of sealing the leaks once your data is “breached” can be significant. This includes the costs of making notification to regulators and customers alike.
2. Create a Strong Data Security Program
In order to create a data security program, publishers need to take the following steps. First, define what information needs to be protected ("crown jewels"). Second, understand how this information is acquired. Third, ask where does it reside within your organization. Fourth, identify who has access to it. And finally, observe how that data is being processed. In short, to have a good defense, you need to first determine what you are defending.
Once this "inventory" is complete, specific protection mechanisms and controls need to be defined along the usual lines: people, processes, and technology. It is beneficial to bring an information security consulting company into the mix at this stage; someone with significant experience and solid references. Engaging consulting resources allows you to learn what your peers are doing, what works, and what does not. A full defense-in-depth strategy specific to your organization needs to be formulated to reflect next steps on both the tactical and strategic levels.
So what does implementing this sort of program cost? That will depend on the different levels of maturity of each oganization’s information security, but these numbers may help. If you hire an in-house information security professional, you can expect to pay $100k per year. If you hire an outside consulting firm, you can expect rates of around $200 per hour.
3. Identify Disclosure Obligations
If a data breach occurs, you may need to be prepared to notify state and federal officials, depending on your location. Notification requirements vary widely state by state, and you may have affected consumers or credit reporting agencies located in a variety of states. For more information on specific state disclosure obligations, click here.
Publishers also need to consider disclosure to the the public and can expect a certain amount of publicity after a data breach. If you have a PR firm on retainer, ask them for their “data breach” package to handle communication to the media and public.
In the event the breach touches your employee files, you may have to notify HHS (under HIPAA) for any health or health insurance related files.
There are many more details to manage; this is just the beginning. The internet is a great marketing tool that’s driving new business opportunities for publishers in ecommerce, email marketing, and online subscriptions. But all of these opportunities can open even the best run companies to threats. Thankfully, there are tools and disciplines that will allow you to function with the benefits of technology, and not live in fear. It’s simply a matter of preparation.
This article is not designed to provide legal advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for legal notices.
Sam Fifer has extensive experience in the fields of intellectual property, and entertainment and media law, including litigation and counseling. He is the US practice leader of Dentons' Intellectual Property and Technology practice.