[BreachExchange] 6 Ways to Help Clients Avoid a Data Breach
Inga Goddijn
inga at riskbasedsecurity.com
Sun Jul 3 17:33:48 EDT 2016
http://www.jdsupra.com/legalnews/6-ways-to-help-clients-avoid-a-data-59706/
It is not “if” but “when” your client will be the victim of a data breach.
But despite the growing risks and many high-profile breaches, there are
still businesses that are woefully underprepared. Here’s how you can help
your clients mitigate risk associated with data breaches well before an
incident occurs.
California law requires businesses to “implement and maintain reasonable
security procedures and practices appropriate to the nature of the
information, to protect personal information from unauthorized access,
destruction, use, modification, or disclosure.” CC §1798.81.5(b).
Here’s what you can do to help your clients meet these requirements and
avoid a dreaded data breach:
1. *Advise directors and executives on cybersecurity oversight.* You can
help directors and executives understand how to comply with their fiduciary
responsibilities in the realm of cybersecurity. Advise the board and
executives on the evaluation, selection, and implementation of appropriate
cybersecurity oversight mechanisms, review any existing cybersecurity
oversight mechanisms, analyze the gap between current policies and best
practices, and help them establish other mechanisms to develop a
comprehensive enterprise risk-management program.
2. *Set up annual security and privacy training programs.* Although
organizational preparation for a data breach may start at the top with
management oversight, adequate preparation for a breach requires a holistic
view that should also involve bottom-up efforts to train personnel and
instill a culture of security at the organization. People, not technology,
remain one of the most commonly exploited cyber vulnerabilities.
3. *Identify data risks.* Because an organization’s data passes through
many hands, you need to understand the organization’s assets and data,
including the location of sensitive data, its transmission routes and
destinations, the risks to which the data is subject, and the controls
required to protect data as it flows within and outside of the organization.
4. *Conduct due diligence review of vendors.* Before contracting, make
sure that your client understands a vendor’s cybersecurity practices;
review the vendor’s data security-related policies, procedures, and other
controls, and help your client evaluate whether the vendor’s policies and
procedures are consistent with the client’s requirements.
5. *Develop and test an incident response plan.* Hold a dry-run exercise
by selecting a hypothetical scenario to run through with all key players in
the data breach response, including the internal incident response team and
third parties such as outside privacy counsel and forensic specialist
firms. Document the response plan and maintain a roster of participants in
the exercise. Review the plan annually and update it as necessary.
6. *Review the client's cyber insurance.* Cyber insurance plays a key role
in an organization’s overall strategy to mitigate risks related to data
incidents. Traditional insurance policies have come to include limitations
and exclusions to coverage that may preclude recovery in the event of a
data incident. Identify coverage gaps that may be important to address
given the nature of your client’s business.
This expert advice is from *Once More Unto the Breach: How Counsel Should
Help Clients Prepare for and Respond to Data Incidents* by Sharon R. Klein
and Alex C. Nisenbaum in the Spring 2016 issue of CEB’s California Business
Law Practitioner
<http://www.ceb.com/CEBSite/product.asp?catalog_name=CEB&menu_category=Bookstore&main_category=Reporters&product_id=BU90100&Page=1&utm_source=sm&utm_medium=bl&utm_content=lp&utm_campaign=BU90100>.
The article includes much more on an organization’s legal responsibilities
with respect to cyber risk, how legal counsel can better prepare clients to
mitigate risks before and during a data incident, and the legal obligations
and issues that counsel must address with a client in navigating a data
breach.