Anna Mercado Clark and William D. Christ, Protecting Company Data

Protecting Company Data in Multiple Ways is Crucial

Technology opened digital doors into every company’s operations, making data security increasingly important in fending off ever-evolving hacking techniques.

Companies can protect themselves by taking some sensible steps, such as keeping email servers separate from other operations. For example, servers that handle sensitive customer information should be separated from computers that store credit card numbers, said Anna Mercado Clark, a partner in Buffalo-based law firm Phillips Lytle.

Companies have learned the hard way that extensive steps to secure their information offer little help if a hacker gains access to their systems through third-party vendors, said Mercado Clark, who has specialized in data security issues since 2010 and is a leader in the firm’s data security and privacy and e-discovery and digital forensics practice teams.

“Think about the access you are giving to vendors,” she said, adding: “You are only as good as the weakest link in your chain.”

She recommends that companies audit their vendors’ security systems once per year.

Protecting data also means ensuring sensible backups in case of traditional disasters, such as fires and floods, said William D. Christ, a partner with Phillips Lytle. The company has specialized in data security since the 1990s.

Cloud systems that store sensitive information off-site make sense for security reasons but also as a precaution in a crisis, like when a flood hits a company’s main site, Christ said.

Companies will face liability issues, too, if they haven’t taken prudent steps to protect data, said Joseph S. D’Amico Jr., a senior shareholder in the litigation department of the Lehigh Valley, Pennsylvania-based firm of Fitzpatrick Lentz & Bubba.

“Every business needs to show it has taken steps to make sure it has protected information,” D’Amico said.

Mercado Clark said advance planning is critical, including determining what information is essential and what is nonessential. That helps companies better pinpoint priorities when it comes to restoring data and operations. Companies might think to protect certain sensitive data but find out too late that phones or other electronic equipment cannot be used, Clark also said.

Backups and redundancies need to be carefully planned and executed, observers said.

“Carefully think through all of the items — physical and digital — that might be wiped out in a disaster, as well as potential liabilities to third parties which might result from the conduct of your business,” said Kelly Smith Watkins, an attorney with Norris McLaughlin, which has offices in Allentown, Pennsylvania, New York and New Jersey.