Cyber liability may have been an exotic notion as recently as a couple of years ago. But today, even after notorious breaches, some organizations still don’t appreciate that leaving firewalls and other technology-based precautions to the “IT Guys” won’t cut it. Effective management of a data security incident benefits from adequately addressing risks at all levels in advance. To this end, based on my Cloud and HIPAA work and what I’ve learned from my colleagues, I humbly propose 10 New Year’s Resolutions and questions to get conversant on high-level issues (with the normal disclaimer that they are for informational purposes only without legal advice or opinions):
- Know the Data. If you take comfort that you’re not a government contractor with details about troop deployment on un-encrypted laptops or a healthcare company with patient information in the Cloud, or if you’ve relegated “PCI Compliance” to something rote, take notice. Any non-profit, low-tech or other company has likely saved, among the more obvious, benefits information, background check results, payment data, emails, lists of job applicants, vendors, customers, and other non-public personally identifiable information. For a laundry list, check out the risk factors in any 10-K or offering memorandum.
- Map the Data. On what servers and in which data centers does it sit? How is it routed? Is the company relying on the now-invalidated safe harbor for transfer from the EU to the U.S.? Who is supposed to have access? Through which systems? It’s the atypical circumstances that few remember. For instance, does an auditor transmit information out of the country in violation of local rules? Or, when are vendors brought inside the firewall? What about a deal discussion and due diligence?
- Go on a Data Diet. Be judicious in maintaining online stores of former customers or decades-old records. Aside from reputational damage, a company’s breach liability is in part a function of each individual whose information is improperly disclosed. Think notice to those impacted, identity restoration and credit monitoring, and other remedies. A recent settlement enabled millions of individuals each to claim up to $10,000 in costs. So why not minimize the universe of discourse?
- Own the Privacy Policy. Simply posting a form isn’t enough. Treat it as a live document. For starters, express informed consent about how data may be used is a standard that varies across jurisdictions. And can an individual really “rest assured that personal information will never be shared with a third party,” as the conventional text goes? Companies must contemplate and account for Cloud storage and computing, cross-border transfer, M&A, and even a sale of its own assets in bankruptcy. The FTC has actually required new affirmative opt-in by each affected individual once a proposed transaction would “sell” information in violation of a company’s own privacy policy (and regardless of whether that policy would otherwise have allowed unilateral modification).
- Train Everyone. The biggest defense force is the population using a company’s systems day in, day out. Deputize them to be on the lookout. Maintain sensitivities to old reliable precautions: strong, protected passwords, anti-virus software for home computers used remotely, confidential document handling, and locked work stations and devices. Messages tend to stick when people learn something interesting or even complicated. Teach about spear-phishing, trojans, and the rest of the hacker alphabet soup. Demonstrate manifestations of malware. Quiz about incident escalation practices. Certify employees and vendors regularly and keep them abreast of changes.
- Test Systems. Compliance with good practices is not static. Just as company technologists should run regular penetration tests to find back doors, it’s critical to administer a cybersecurity regime that tracks overall Company efforts. In the context of broker-dealers, which hold sensitive customer information, the SEC recently recognized the importance of written information security policies, along with periodic audits and risk assessments. Such continuing attention better equips a company to overcome weaknesses and enables officers and directors to provide oversight. It also lays the groundwork to dispatch lawsuits and government investigations handily.
- Conduct Incident Response Drills. My colleagues whose phones might ring in the middle of the night live near airline hubs so they can quickly reach the scene of the crime. But triggering a well-rehearsed sequence is far preferable: it telegraphs preparedness and saves money. Aside from calling your insurance agent, breach notifications are required under state and some federal laws. A material incident may be reportable on Form 8-K. Have a system for figuring out what happened, how long that process takes, what customers, products or services were impacted, the extent to which it could have been avoided, and how to tamp down continuing vulnerabilities. It’s admittedly no fun. Responding to a significant breach is stressful, but it is easier to handle well when there is a plan in place that has been tested, incorporates years of experience and lessons learned from hundreds of others’ breaches, and has been agreed upon by stakeholders. Taking simple steps now makes it easier and more likely that the organization will respond well when a breach happens.
- Get Insurance. It’s less about whether to have coverage for cyber liability, which is usually excluded from general commercial policies. Rather, what protection is worthwhile? Incident response coverage is typical. What about the expense of offering credit monitoring to individuals? Is corporate information covered? Business interruption is often overlooked. Does the policy include events and claims anywhere in the world? Are there exclusions for rogue employees or failure to abide by policies? Have likely defense costs and penalties been factored in? Having said all of this, the best “insurance” is every measure taken aside from purchasing the policy itself!
- Do it Yourself vs. Due Diligence Hell. Too many cutting-edge companies finally entertaining suitors or financing end up facing the unpleasant reality that they didn’t exactly have their cybersecurity ducks in a row. Showing that you’re on top of cybersecurity should help preempt overbearing diligence and the most cumbersome reps and warranties that a buyer might try to demand. The review will start with public information like well-articulated risk factors in ’34 Act filings which, by implication, may signal a nuanced approach to cybersecurity. Closer examination will cover the ‘all of the above’ category (please see points 1 – 8!). And have your latest risk assessment ready because the other side is surely bringing its own privacy and security specialists — and may use a forensic expert if warranted.
- Get the *Real* Checklist. Of course this isn’t it. New laws are continually being enacted (like the Cybersecurity Act of 2015 and Europe’s recently unveiled General Data Protection Regulation). Part of showing that an organization has not acted negligently with respect to cybersecurity is proving that its conduct is reasonable, which requires coordinating efforts across functions, and reviewing practices and coverage regularly.
* * *
In the cyber age, no company is Ft. Knox. Attack techniques change. But thorough prophylactic measures go a long way toward mitigating exposure.