(801) 980-5300

protecting customer data

Data Breaches: What General Counsel Needs to Know

Many things can keep business owners up at night. A grocery store, for example, might worry that a contaminated case of tomatoes could poison 500 guests and invoke a litany of liability. Even if a business sells a clean product like office supplies, however, bad things can happen if confidential client information is mishandled and a company has failed at protecting customer data.


Data Breach Blues

Data breaches can be caused by:

  • The failure to shred sensitive documents.
  • Improper information mistakenly attached to a mass email.
  • A link provided to the wrong parties.

Liability does not stop there, however, because companies that contract with data services including third-party credit card processors may be liable for the negligence of those providers if a data breach occurs.


Recent Incidents

Think Equifax, Target, Panera Bread, Saks Fifth Avenue and many more. Businesses can be sued because:

  • They were negligent in protecting customer data.
  • After a breach, they failed to promptly notify those involved.
  • They failed to act to mitigate the problem.
  • They never followed accepted security procedures.

If a company takes credit cards for payment, for example, it needs to follow procedures to become what is called Payment Card Industry (PCI) compliant. If this step is ignored and a breach occurs, lawsuits can follow.


EU General Data Protection Regulation

In 2016 the European Union (EU) adopted the General Data Protection Regulation (GDPR). The GDPR’s purpose was to simplify guidelines for protecting customer data. Each EU member established a supervisory board to investigate complaints and apply sanctions to companies responsible for data breaches.

In the U.S., at least 30 states have recently introduced or passed new data breach statutes, and only Alabama and South Dakota do not require data breach notification.


General Counsel’s Role

Company general counsel (GC) needs to guide clients toward security risk mitigation. Some beginning steps include:

  • Ensure that the company manual includes a section regarding the handling of sensitive client/customer information.
  • Ensure the company is protecting customer data that is kept on-premise.
  • Demand that third-party vendors, like cleaning services, properly vet employees and have procedures in place to educate staff about privacy concerns.
  • Require the company to update its privacy policy as often as necessary to stay compliant with rapidly changing regulations.
  • Secure all servers and computers.
  • Only save data that is necessary for business operations

Data breaches can have devastating consequences for all parties involved, and GCs need to guide their clients through the secure information management process before bad things happen.


Johnstun Law focuses on providing established businesses and entrepreneurs with the day-to-day legal services needed to succeed. For more information on how we can help your business succeed, call us at 801-980-5300, or via contact form.

Like this article? Subscribe to Johnstun Law’s email alerts for startup information, business updates, and relevant news.