Posted in Cybersecurity, Data protection, Global
Cyber liability may have been an exotic notion as recently as a couple of
years ago. When I practiced law in Israel, we spent a lot of time
thinking about how the country’s privacy laws matched up to those of Europe and
the U.S. But today, even after notorious breaches, some organizations are still
wringing their hands.
As Israel is a high tech epicenter and home
to a countless number of startups, the issue of cybersecurity is one that is of
particular importance to the Israeli client. Effective management
of a data security incident benefits from adequately addressing risks at all
levels in advance.
To this end, based on my Cloud and HIPAA work and what
I’ve learned from my colleagues in the
Greenberg Traurig Cybersecurity and Crisis Management group, I humbly propose some tips and questions to get conversant on high-level
issues (with the normal disclaimer that they are for informational
purposes only without legal advice or opinions):
1. Know the Data. If you take comfort that you’re not a government contractor with details about troop deployment on unencrypted laptops or a healthcare company with patient information in the Cloud, or if you’ve relegated “PCI Compliance” to something rote, take notice. Any non-profit, low-tech or other company has likely saved, among the more obvious items, benefits information, background check results, payment data, emails, lists of job applicants, vendors, customers, and other non-public personally identifiable information. For a laundry list, check out the risk factors in any 10-K or offering memorandum.
2. Map the Data. On what servers and in which data centers does it sit? How is it routed? Is the company relying on the now-invalidated safe harbor for transfer from the EU to the U.S.? Who is supposed to have access? Through which systems? It’s the atypical circumstances that few remember. For instance, does an auditor transmit information out of the country in violation of local rules? Or when are vendors brought inside the firewall? What about a deal discussion and due diligence?
3. Go on a Data Diet. Be judicious in maintaining online stores of former customers or decades-old records. Aside from reputational damage, a company’s breach liability is in part a function of each individual whose information is improperly disclosed. Think notice to those impacted, identity restoration and credit monitoring, and other remedies. A recent settlement enabled millions of individuals each to claim up to $10,000 in costs. So why not minimize the universe of discourse?
4. Own the Privacy Policy. Simply posting a form isn’t enough. Treat it as a live document. For starters, express informed consent about how data may be used is a standard that varies across jurisdictions. And can an individual really “rest assured that personal information will never be shared with a third party,” as the conventional text goes? Companies must contemplate and account for Cloud storage and computing, cross-border transfer, M&A and even a sale of its own assets in bankruptcy. The FTC has actually required new affirmative opt-in by each affected individual once a proposed transaction would “sell” information in violation of a company’s own privacy policy (and regardless of whether that policy would otherwise have allowed unilateral modification).
5. Train Everyone. The biggest defense force is the population using a company’s systems day in, day out. Deputize them to be on the lookout. Maintain sensitivities to old reliable precautions — strong, protected passwords, anti-virus software for home computers used remotely, confidential document handling, and locked workstations and devices. Messages tend to stick when people learn something interesting or even complicated. Teach about spear-phishing, trojans and the rest of the hacker alphabet soup. Demonstrate manifestations of malware. Quiz about incident escalation practices. Certify employees and vendors regularly and keep them abreast of changes.
6. Test Systems. Compliance with good practices is not static. Just as company technologists should run regular penetration tests to find back doors, it’s critical to administer a cybersecurity regime that tracks overall company efforts. In the context of broker-dealers, which hold sensitive customer information, the SEC recently recognized the importance of written information security policies along with periodic audits and risk assessments. Such continuing attention better equips a company to overcome weaknesses and enables officers and directors to provide oversight. It also lays the groundwork to dispatch lawsuits and government investigations handily.
7. Conduct Incident Response Drills. My colleagues whose phones might ring in the middle of the night live near airline hubs so they can quickly reach the scene of the crime. But triggering a well-rehearsed sequence is far preferable, to telegraph preparedness and save money. Aside from calling your insurance agent, breach notifications are required under state and some federal laws. A material incident may be reportable on Form 8-K. Have a system for figuring out what happened, how long that process takes, what customers, products or services were impacted, the extent to which it could have been avoided and how to tamp down continuing vulnerabilities. It’s admittedly no fun. Responding to a significant breach is stressful, but it is easier to handle well when there is a plan in place that has been tested, incorporates years of experience and lessons learned from hundreds of others’ breaches, and has been agreed upon by stakeholders. Taking simple steps now makes it easier and more likely that the organization will respond well when a breach happens.
8. Get Insurance. It’s less about whether to have coverage for cyber liability, which is usually excluded from general commercial policies. Rather, what protection is worthwhile? Incident response coverage is typical. What about the expense of offering credit monitoring to individuals? Is corporate information covered? Business interruption is often overlooked. Does the policy include events and claims anywhere in the world? Are there exclusions for rogue employees or failure to abide by policies? Have likely defense costs and penalties been factored in? Having said all of this, the best “insurance” is every measure taken aside from purchasing the policy itself!
9. Do it Yourself vs. Due Diligence Hell. Too many cutting-edge companies finally entertaining suitors or financing end up facing the unpleasant reality that they didn’t exactly have their cybersecurity ducks in a row. Showing that you’re on top of cybersecurity should help preempt overbearing diligence and the most cumbersome reps and warranties that a buyer might try to demand. The review will start with public information like well-articulated risk factors in ’34 Act filings which, by implication, may signal a nuanced approach to cybersecurity. Closer examination will cover the ‘all of the above’ category (please see points 1 – 8!). And have your latest risk assessment ready because the other side is surely bringing its own privacy and security specialists — and may use a forensic expert if warranted.
10. Get the *Real* Checklist. Of course this isn’t it. New laws are continually being enacted (like the Cybersecurity Act of 2015 and Europe’s recently unveiled General Data Protection Regulation). Part of showing that an organization has not acted negligently with respect to cybersecurity is proving that its conduct is reasonable, which requires coordinating efforts across functions, and reviewing practices and coverage regularly.