Melodi (Mel) Gates, Thomson Reuters Practical Law, Legaltech News
Most breaches are preventable and can be contained and the risks minimized by following well-known best practices
If you are part
of an organization and think you don't have a privacy and data security issue,
think again. Privacy and data security are quickly becoming some of the
fastest growing areas of regulation in the U.S., and any organization that uses
information technology (IT) or stores personal information for its employees or
customers is at risk of a data breach.
Risk management and compliance can be especially
challenging given today's overlapping and sometimes contradictory common law
principles, federal laws and regulations, agency guidelines, state laws and
regulations, international obligations, industry standards, and other general
and sector-specific requirements. This patchwork system, together with
cross-border data flow challenges and increasingly creative hackers, heightens
the risk of privacy violations and means that attorneys and privacy
professionals must remain vigilant at all times.
Because they depend on potentially vulnerable IT
resources, the question for most companies is not if they will
suffer a data security breach or other event, but when. That's the
bad news. The good news is that most breaches are preventable, and even if they
do occur, can be contained and the risks minimized by following well-known best
practices. Here are nine tips to help you get started.
1. Recognize that it's not just an IT issue: Privacy and
data security are not just IT issues. They are also people issues that require
leadership attention and engagement across all organization levels. However,
making privacy and data security priorities must start at the top, so bridging
knowledge and communication gaps between executives and technical staff is
critical. Well-versed counsel and privacy professionals can play an important
role in filling these gaps and helping to identify and manage risks.
2. Develop appropriate policies and reinforce them with regular training: Protecting an organization's information assets, such as computer and
networking hardware, software, and data, whether electronic or paper, is part
of everyone's job. Organizations should write their information security policies
for and apply them to all workforce members, including employees, contractors,
volunteers, and any others who may access or use the organization's information
assets. Policies should:
· Establish information security as a core value;
· Lay out clear rules for using and protecting information assets;
· Help workforce members to understand risks and adopt a balanced view;
· Provide a basis for training and ongoing awareness building efforts; and
· Foster communication among workforce members and compliance groups.
Continually engage your workforce with regular
training and awareness reminders. Organizations should also provide timely
access to experts since no policy can address every issue—making it easy for
workforce members to get help prevents them from circumventing policies and
creating unnecessary risks.
3. Create and maintain data and IT asset inventories: It's
hard to protect something that you don't know is there. Too many organizations
don't have a clear picture of the data that they hold or the IT assets that
they use, let alone a means for keeping inventories up to date. These gaps create serious cybersecurity risks by leaving:
· Potentially sensitive data unprotected;
· Known vulnerabilities unresolved; and
· Data security events undetected.
Data mapping can help ensure that stakeholders,
including legal, know what information the organization stores, where it is
located, and how it is used. Tracking IT assets, including hardware and
software versions, lowers risk by enabling comprehensive risk assessment and
vulnerability management.
4. Know your risks: Federal and state laws and regulations,
contract obligations, and industry best practices require many organizations to
perform privacy and data security risk assessments. Even diligent organizations
with sophisticated programs may experience periodic lapses in their controls.
Risk assessments identify these issues and provide an opportunity to address
them. Organizations need to regularly consider:
· Their own unique risk profiles;
· Their performance against applicable standards of practice;
· Risks created by their third-party service providers or supply chain vendors; and
· Privacy and data security awareness and compliance across their workforce.
5. Understand and maintain sound safeguards, including vendor oversight: Organizations should develop, implement,
and maintain administrative, physical, and technical safeguards to protect
their information assets, according to their activities and the sensitivity of
the data they hold. Counsel and privacy professionals need to understand
technology basics and ensure that reasonable measures are maintained, such as:
· Preventive controls to avoid unauthorized activities or data access;
· Detective controls to discover incidents promptly (since preventive controls are unlikely to be effective in all cases);
· User authentication, authorization, and access control measures;
· End user device controls for desktops, laptops, and mobile devices;
· Computer controls, such as anti-malware (anti-virus), configuration management, and patching to resolve known vulnerabilities;
· Network and connectivity controls, including firewalls and other measures that protect remote access, wireless, internet, and business partner connections;
· Log management to securely collect and review computer and network activity logs;
· Data protection controls, including encryption and data loss prevention software; and
· Information handling and storage standards to protect electronic and paper records.
Today, many (if not most) organizations use at
least some cloud computing or other vendor-supplied services that require
access to the organization's data or IT environment. Companies should engage in
ongoing oversight throughout the business relationship and require their
service providers to meet all applicable privacy and data security standards.
6. Stay vigilant: Maintaining reasonable privacy and data
security practices in today's environment of evolving laws and rapidly changing
threats requires constant vigilance. Continuous monitoring programs help
minimize risks by using automated tools that operate on an ongoing basis to:
· Monitor security controls;
· Identify vulnerabilities;
· Verify hardware and software configurations; and
· Flag suspicious user activities.
7. Expect the best, but prepare for the worst: While many
cyber events can be prevented, organizations must be prepared if and when they
occur. Develop and regularly test a response plan that includes an
event-specific analysis of applicable law and obligations, such as data breach
notification to regulators and affected individuals. Plans should also assign
responsibilities and explain criteria for engaging law enforcement when
criminal attacks occur, including legal review.
8. Drive accountability: Assigning clear ownership for privacy and
data security programs, including regulatory compliance, drives accountability.
Organizations should adopt an approach, such as NIST's Cybersecurity Framework,
to regularly measure and report data security program effectiveness—keeping
executives informed and engaged.
9. Keep up-to-date: Privacy and data security are global
issues. Keeping up with changes in law, regulations, and best practices at
federal, state, and international levels can be challenging. Trusted resources
cut through the noise and streamline risk management and compliance
initiatives. Online legal know-how platforms like Thomson Reuters Practical Law
can help get you up to speed, so you can be sure that you're doing everything
you can to protect your organization, its customers, and the data it holds.
A more detailed checklist of common gaps in
information security practices can also be found on Practical Law’s website.
Melodi (Mel) Gates is an attorney, prior CISO,
and Senior Legal Editor specializing in privacy and data security at Thomson
Reuters Practical Law. Practical Law is an online provider of legal
know-how such as checklists, how-to guides, market trend reports, annotated
model documents, and other resources designed to help lawyers work more
effectively. For more information or a free trial, visit Practical Law today.