[BreachExchange] 6 Ways to Help Clients Avoid a Data Breach

Inga Goddijn inga at riskbasedsecurity.com
Sun Jul 3 17:33:48 EDT 2016


http://www.jdsupra.com/legalnews/6-ways-to-help-clients-avoid-a-data-59706/

It is not “if” but “when” your client will be the victim of a data breach.
But despite the growing risks and many high-profile breaches, there are
still businesses that are woefully underprepared. Here’s how you can help
your clients mitigate risk associated with data breaches well before an
incident occurs.

California law requires businesses to “implement and maintain reasonable
security procedures and practices appropriate to the nature of the
information, to protect personal information from unauthorized access,
destruction, use, modification, or disclosure.” CC §1798.81.5(b).

Here’s what you can do to help your clients meet these requirements and
avoid a dreaded data breach:

   1. *Advise directors and executives on cybersecurity oversight.* You can
   help directors and executives understand how to comply with their fiduciary
   responsibilities in the realm of cybersecurity. Advise the board and
   executives on the evaluation, selection, and implementation of appropriate
   cybersecurity oversight mechanisms, review any existing cybersecurity
   oversight mechanisms, analyze the gap between current policies and best
   practices, and help them establish other mechanisms to develop a
   comprehensive enterprise risk-management program.
   2. *Set up annual security and privacy training programs.* Although
   organizational preparation for a data breach may start at the top with
   management oversight, adequate preparation for a breach requires a holistic
   view that should also involve bottom-up efforts to train personnel and
   instill a culture of security at the organization. People, not technology,
   remain one of the most commonly exploited cyber vulnerabilities.
   3. *Identify data risks.* Because an organization’s data passes through
   many hands, you need to understand the organization’s assets and data,
   including the location of sensitive data, its transmission routes and
   destinations, the risks to which the data is subject, and the controls
   required to protect data as it flows within and outside of the organization.
   4. *Conduct due diligence review of vendors.* Before contracting, make
   sure that your client understands a vendor’s cybersecurity practices;
   review the vendor’s data security-related policies, procedures, and other
   controls, and help your client evaluate whether the vendor’s policies and
   procedures are consistent with the client’s requirements.
   5. *Develop and test an incident response plan.* Hold a dry-run exercise
   by selecting a hypothetical scenario to run through with all key players in
   the data breach response, including the internal incident response team and
   third parties such as outside privacy counsel and forensic specialist
   firms. Document the response plan and maintain a roster of participants in
   the exercise. Review the plan annually and update it as necessary.
   6. *Review client’s cyber insurance.* Cyber insurance plays a key role
   in an organization’s overall strategy to mitigate risks related to data
   incidents. Traditional insurance policies have come to include limitations
   and exclusions to coverage that may preclude recovery in the event of a
   data incident. Identify coverage gaps that may be important to address
   given the nature of your client’s business.

This expert advice is from *Once More Unto the Breach: How Counsel Should
Help Clients Prepare for and Respond to Data Incidents* by Sharon R. Klein
and Alex C. Nisenbaum in the Spring 2016 issue of CEB’s California Business
Law Practitioner
<http://www.ceb.com/CEBSite/product.asp?catalog_name=CEB&menu_category=Bookstore&main_category=Reporters&product_id=BU90100&Page=1&utm_source=sm&utm_medium=bl&utm_content=lp&utm_campaign=BU90100>.
The article includes much more on an organization’s legal responsibilities
with respect to cyber risk, how legal counsel can better prepare clients to
mitigate risks before and during a data incident, and the legal obligations
and issues that counsel must address with a client in navigating a data
breach.