[BreachExchange] Avoiding Legal Landmines in Data Breach Response

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 4 19:59:44 EDT 2016


http://www.darkreading.com/vulnerabilities---threats/avoiding-legal-landmines-in-data-breach-response/a/d-id/1324962

Lawyers and information security professionals have something very
fundamental in common: We see risk everywhere we look.

As someone who began his career as an attorney but has gradually
transitioned into information security, I have hung around long enough now
to see the two disciplines gradually converge. Cybersecurity and the law
are colliding all around us—sometimes violently, but increasingly in a more
productive and mutually beneficial way. I have been an advisor to lawyers
and security professionals alike, helping each understand the perspective
and preoccupations of the other. Each discipline needs the other, and
nowhere is that more apparent than in the area of data breach response.

Companies who suffer a security breach that exposes sensitive information
can now expect to be abruptly thrust into one legal process or another.
Whether that process takes the form of a regulatory inquiry, a class-action
suit or a contractual dispute, counsel’s role in helping respond to what
was long considered “an IT issue” is more critical than ever before. For
this reason, proactive cybersecurity professionals have begun seeking
guidance from the legal department before an incident forces them together.

But where to start?

I recommend that legal and cybersecurity professionals focus their initial
collaborative efforts on achieving defensibility. From a legal perspective,
a defensible security program is one that will withstand post-breach
scrutiny and be deemed “reasonable” under the microscope of hindsight.
Developing a defensible cybersecurity risk program involves working
backwards from the moment of breach impact to look at all the steps along
the way that could have been taken to prevent or mitigate the damage from a
breach event.

Why do I suggest this as a starting point? Because scrutiny of the steps
taken – or not taken – to forestall a cybersecurity incident will
undoubtedly come once you have suffered an incident. It’s far better to
have taken a look in the mirror before you present yourself to the world.
Despite the fact that your program will, by definition, have “failed” by
the time the scrutiny commences, it is still possible to demonstrate your
diligence in limiting exposure and containing the damage.

So how can you ensure your diligence is reasonably defensible?

Lawyers will rightly point to the concept of precedence. Courts are nearly
always influenced—and in some cases bound—by similar cases and judicial
reasoning that have come before. While there are not many judicial opinions
at this stage that provide concrete parameters around what constitutes a
defensible cybersecurity program, there are several potential sources of
guidance.

A good starting point is to identify the regulators most relevant to your
business. If you are in the financial services sector, then the Securities
and Exchange Commission (SEC), the Federal Reserve Board (FRB) and the
Consumer Financial Protection Bureau (CFPB) will likely be on your list. If
you are in the retail or hospitality sector, you should pay close attention
to the Federal Trade Commission (FTC) as well as state-level consumer
protection law enforcers. Once you’ve compiled your list of regulators, do
some research to identify what they have been doing – and saying – about
cybersecurity. In addition to looking at the regulations themselves and
formal filings by the agencies, you will also find speeches, position
papers and bulletins that can help clarify what regulators find most
important when it comes to cybersecurity risk management. If you are a
security professional blanching at the thought of this exercise, here’s a
hint: Most lawyers love a task like this, and are actually quite good at
it. But they’ll undoubtedly need your help in interpreting what they find
and understanding its implications.

It is important to note that this is not a compliance exercise.

Attaining a defensible security posture goes beyond merely being able to
pass an audit. Indeed, much of the “guidance” out there will not present
hard-and-fast rules. Logic and judgment are required for you to settle on a
defensible standard. Security pros will need to help their legal colleagues
understand the reality that aggressive security measures tend to undermine
convenience and practicality. A good example is encryption, which can be
very effective in protecting sensitive data and  meeting regulatory and
judicial guidelines. But any IT professional will tell you that encryption
technology is expensive and implementation can create operational delays
and challenges that render it unfeasible. For instance, encrypting data at
rest in a high-capacity data processing environment can grind processing
operations to a halt. Finding the right balance between security and
practicality is what achieving defensibility is all about.

Security and legal professionals have a lot more in common than you might
think. Avoiding the many hidden traps and obstacles in building a
cybersecurity program requires openness to collaboration and real
creativity. Bringing together legal and cybersecurity practitioners is the
surest path to achieving a defensible cybersecurity program.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160404/930e8410/attachment.html>


More information about the BreachExchange mailing list