An outside IT security group states that we have a vulnerability in our system security. Should I address it immediately or put it on the list?
Even if there is no evidence that a breach occurred, an organization may still have financial exposure simply because a security lapse exists or has existed. So, you should address it immediately.
If the data that was potentially exposed includes personal identifiers, then organizations can face private causes of action from employees and/or consumers, typically in the form of class actions.
The other risk comes from government regulators, federal and state, who can act even if no financial data was exposed but personal identifiers were at risk.
For example, the New York Attorney General recently fined Wegmans $400,000 for "reckless handling and exposing" of the personal information of 830,000 New Yorkers, even though there was no evidence that any data was taken and not one dollar of loss was shown.
To quote the press release:
Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers' personal information on the internet. In the 21st century, there's no excuse for companies to have poor cybersecurity systems and practices that hurt consumers.
The final takeaway is that your data system is like a long-haul truck, subject to inspection and fines from multiple sources, even if you have never had a wreck. So, while focusing on post-breach response is important, pre-breach exposure exists as well.
Jack McCalmon, Leslie Zieren, and Emily Brodzinski are attorneys with more than 50 years combined experience assisting employers in lowering their risk, including answering questions, like the one above, through the McCalmon Group's Best Practices Help Line. The Best Practice Help Line is a service of The McCalmon Group, Inc. Your organization may have access to The Best Practice Help Line or a similar service from another provider at no cost to you or at a discount. For questions about The Best Practice Help Line or what similar services are available to you via this Platform, call 888.712.7667.
If you have a question that you would like Jack McCalmon, Leslie Zieren, or Emily Brodzinski to consider for this column, please submit it to firstname.lastname@example.org. Please note that The McCalmon Group cannot guarantee that your question will be answered. Answers are based on generally accepted risk management best practices. They are not, and should not be considered, legal advice. If you need an answer immediately or desire legal advice, please call your local legal counsel.