[BreachExchange] The Best Defense: If You’re Worried About Cybersecurity, Call an Attorney

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 6 18:52:57 EST 2018


https://utahbusiness.com/best-defense-youre-worried-cybersecurity-call-attorney/


Each year brings a data breach that affects more and more people; each
breach also brings larger fines for companies who failed to protect
information. Companies have tried to address cybersecurity risks with
varying results. Meanwhile, the $120 billion cybersecurity industry pushes
an array of products to address cybersecurity risks both real and imagined.
Instead of purchasing gizmos, executive leadership should rely on legal
counsel to help define their legal risks and draft policies and procedures
to minimize those risks.

Regulatory environment

At first glance, it may seem odd to solve cybersecurity problems with
lawyers, but regulators don’t care if a company spends thousands of dollars
on cutting-edge cybersecurity technology. Regulators analyze whether the
circumstances leading to a data breach violate state, national or
international law. Accordingly, cybersecurity is a legal problem that stems
from a fiduciary duty of care; numerous state, national and international
laws; and contractual obligations.

Executives and board members owe a fiduciary duty of care to the companies
they serve. Failing to carry out those duties can expose them to personal,
and potentially uninsurable, liability in lawsuits. Under the duty of care,
executives and board members must act on an informed basis, in good faith
and in the honest belief that their actions are in their company's best
interests. Executives and board members cannot ignore cybersecurity
problems; instead, they must act reasonably to protect shareholders'
interests.

State, national, and international laws increasingly regulate how companies
process information. On the state level, 48 states have data breach
notification laws. Most of those laws simply explain how to notify
individuals affected by a data breach while others go further. Utah, for
example, requires “any person who conducts business in the state … [to]
implement and maintain reasonable procedures to: prevent unlawful use or
disclosure of personal information … ” In other words, operating without
appropriate policies and procedures runs the risk of violating the law.

In the federal regulatory environment, organizations that operate in
industries such as health care, banking, insurance, finance, education and
telecommunications face a plethora of cybersecurity obligations. For
example, in the health care environment, federal law requires covered
entities to implement specific privacy and security policies. Failing to do
so can incur millions in fines, consumer anger and months of audits with
disruptive regulators.

Internationally, most countries enforce strict privacy and security laws.
Where the United States regulates privacy by sector, most countries outside
the United States regulate privacy and security comprehensively.
Accordingly, most countries prohibit the international transfer of
information unless certain processes are followed; require a legal basis to
process consumer information; and impose steep fines for failing to comply.
For example, beginning in 2018 under the General Data Protection
Regulation, the European Union can fine companies the greater of
€20,000,000 or 4 percent of annual worldwide revenues.

Another source of legal risk comes from contractual obligations which
require compliance with privacy and security laws. For example, contracts
may require business partners to comply with HIPAA, the Gramm Leach Bliley
Act, the Communications Act, or privacy and security laws in general.

Creating a policy

Once executives and board members understand their privacy and security
obligations, their legal counsel should draft applicable policies and
procedures. At minimum, the policies should explain how the company governs
privacy and security matters; the physical, technological and
administrative security measures to prevent data breaches; and the incident
response process.

With regard to governance, a designated executive should provide regular
reports to the board about security assessment results, progress on
addressing security matters, audits of the security system, privacy and
security awareness campaigns, and data breach incidents. Executives and
board members should have an opportunity to review these items, recommend
solutions and communicate regular privacy directives to employees.

In line with the duty of care, executives and board members must reasonably
address privacy and security issues raised during these meetings. If
executives and board members fail to hold these meetings, they may breach
their fiduciary obligations to the company.

Policies must set the company’s security framework for physical and
technological security. There are numerous security frameworks to choose
from but the most common are ISO’s 27001 standard, NIST Cybersecurity
Framework and the Center for Internet Security’s 20 Critical Controls. Of
these standards, the Center for Internet Security’s 20 Critical Controls
are the most approachable. They’re free, available online and provide a
reasonable level of protection without breaking the budget.

Finally, policies should flesh out an incident response process. Without
it, companies can waste thousands of dollars without properly addressing
incidents. The incident response process should designate an incident
response coordinator who fills out an incident report, reports the incident
to executives and works with various departments to resolve the incident.
Critically, the process should incorporate legal counsel who can protect
matters discussed during the incident with the attorney-client privilege.

No company wants to lose its customers' information. No company wants to
pay a fine or lose business because of a data breach. Instead of buying
gadgets to solve obscure cybersecurity problems, companies should engage
legal counsel who can define the legal problem and draft policies and
procedures to minimize risks.