[BreachExchange] Cyber security is everybody’s business

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 17 18:09:00 EST 2017


http://www.advocatedaily.com/peter-murphy-cyber-security-is-everybodys-business.html

Business leaders may fail to uphold their legal responsibilities if they
don't take reasonable steps to prepare their companies for cyberattacks and
information security breaches, says Toronto technology and business lawyer
Peter Murphy, who has acted as counsel on some of Canada’s most notorious
privacy breaches.

The impact can be as debilitating to an organization as a major product
liability lawsuit, he tells AdvocateDaily.com.

Given the importance of data in business today, “we have reached the point
where the failure to take reasonable steps to protect information in the
possession or control of the organization may be a breach of the fiduciary
duties owed by senior officers and board of directors of the organization,”
Murphy points out.

He advises firms to craft and implement policies and procedures around
information protection and security incident response, as the risk of a
data breach is “huge.”

“Businesses must take prudent steps to protect against loss or unauthorized
use of data — and even then, they won’t be able to completely eliminate the
risk of an incident. Hackers and the tools available to them are too
sophisticated. So the question is not so much if a cyber breach will occur,
but when.

“If a data security incident does occur, will the board and management be
seen to have acted responsibly? When they respond to the incident, will
they follow best management practices and comply with all legal
obligations?” says Murphy, a partner with Shibley Righton LLP.

Privacy law in Canada requires companies to use physical, technical and
administrative safeguards to protect the personal information they hold.
That includes having locked doors and cabinets and controlled physical
entry, while technical protections involve passwords and encryption, Murphy
explains.

Administrative safeguards are the broadest category, and may involve
tracking of data access, user background checks and other controls, as well
as the implementation of security policies, plans and protocols, he adds.

“Many smaller or medium-sized organizations might be reluctant to prepare
data protection and incident response policies and plans because of the
time and effort required, but this exercise should not pose a material
drain on resources if it is incorporated into the organization’s strategic
and overall governance planning,” Murphy says.

He says the responsibility to develop policies begins with the board of
directors and top management, but that staff at all levels throughout the
organization should be involved in cybersecurity planning.

“It's a common mistake for organizations to think that data protection is
just an IT problem,” Murphy stresses. “All staff need to have input and
bear responsibility to comply with the resulting policies.

“The assistance of experienced legal counsel is highly recommended to
ensure the policies reflect the organization’s obligations and, if
implemented, will place it in an advantageous legal position.”

Murphy suggests firms start by identifying the information they possess and
ranking it in value and importance.

“Then they should assess their vulnerabilities. From there, a data security
policy can be created to ensure the necessary safeguards are applied,” he
says.

Recording the cyber trails of staff who use the system is a useful
precaution, Murphy points out.

“Even more important is exercising control over information access by
former employees and contractors. Many incidents I see involve a former
employee or independent contractor whose password was never turned off,” he
says.

Once a data security policy has been created, the organization should
prepare a data breach response policy, so it has a clear and effective
response plan available to implement in the event an incident occurs,
Murphy adds.

“This plan will cover breach identification and immediate IT response,
creation of a management response team, breach investigation, notification,
public relations, involvement of law enforcement authorities where
appropriate, the offering of data theft services, and steps to ensure the
breach never happens again.

“Legal counsel should be involved to ensure the plan reflects the
organization’s privacy breach-reporting obligations and places the
organization in the best possible position when responding to a data
breach,” he says.

Murphy points out there has been phenomenal growth in class-action lawsuits
against companies that experienced cyber breaches in recent years.

“The involvement of legal counsel early in the process can help the
organization prepare for resulting litigation. A lawyer is best positioned
to manage its relationship with privacy authorities and to ensure its
disclosure obligations are followed.

“In addition, having a lawyer conduct breach-investigation interviews with
staff may invoke legal privilege for those discussions. If the organization
is sued for a privacy breach, that protection may be crucial,” he says.

Institutions that take action to mitigate harm to clients — such as
providing identity theft services for those affected — could reduce the
damages awarded against them, Murphy says.

“In a number of cases, courts have viewed the offering of identity theft
services as a very important step,” he says.

Organizations should also consider adding cyber-insurance to their
risk-mitigation strategies, Murphy says.

Finally, he warns that organizations should not think this exercise ends
when the policies and plans are completed.

“A policy is worthless if not properly implemented. That involves staff
training, compliance assessment and regular policy review. Cyber security
is a new aspect of management that must be attended to regularly. These
issues are not going away anytime soon,” Murphy says.