[BreachExchange] Data Privacy or Cybersecurity: Which Is More Important?

Destry Winant destry at riskbasedsecurity.com
Wed Oct 17 01:06:10 EDT 2018


To any good lawyer, the answer is that both are important.  However,
most in-house counsel know the real answer is whichever one receives
the limited available budget.  Compliance budgets usually follow the greatest
risks for the company.  Therefore, in Europe, where the EU’s General
Data Protection Regulation is the scariest new compliance issue, it
stands to reason that data privacy will take a larger portion of the
budget than cybersecurity.  However, in the US, where the penalties
for poor cybersecurity can be huge (from governmental penalties, to
class action and shareholder derivative lawsuits), I believe it is
generally the opposite.

What about much of the rest of the world, where the penalties for loss
of personal data or for a cyber breach are insubstantial to
non-existent?  In many such places, I have seen a much lower budget
allotment to either issue.  Indeed, across Asia, some of the very
largest companies do not even have an Information Security Officer, or
someone else designated as responsible for keeping data, personal or
otherwise, protected.  Where there is little investment, it follows
that there is little awareness of what is actually happening to the
data that a company holds.

This is particularly the case where hackers use Advanced Persistent
Threats, which are data breaches designed to penetrate and hide within
a corporate network, siphoning off information over a long period.
Cybersecurity expert Mandiant released a report in 2015 indicating
that the global median time between a hacker entering a network and
the company becoming aware of the intrusion is 205 days.  In Asia,
this time between the hack and awareness of it is 520
days.  With this state of affairs, some technologically advanced
companies in Asia are particularly at risk for losing their hi-tech
advantage or trade secrets by hackers (or governments) that want to
catch up quickly.

I often encourage companies to think about the issue from a broader
trade secret perspective.  Think of all the data you want to protect
(from employee lists to marketing plans, from intellectual property to
acquisition strategy, from customer personal data to big data
analysis), and then take steps to protect it.  We may not all be in
jurisdictions that punish the loss of personal data equally, but all
companies want to protect their competitive advantage from their
competitors.  It is especially important to do this analysis in
advance, as most countries require companies to show they took
reasonable steps to protect their trade secrets in order to be able to
make a claim under the law.  In my experience, corporate secrets are
items that company management will likely be willing to fund to
protect, if they are aware that they are at risk.

No matter what drives the decision to fund, the steps to any good data
protection or cybersecurity program are essentially the same:

- Map out what data you have or intend to collect;

- Determine what laws apply to that data;

- Identify what security you have in place to protect it;

- Prepare a gap analysis of what needs to be addressed;

- Take steps to bridge those gaps;

- Test to ensure compliance.

It is especially important to identify what laws apply to the data you
have, as data privacy and cybersecurity laws increasingly reach
across borders to govern what you do with your data wherever it may
sit.  This fundamental shift makes a more inclusive global legal
analysis essential.  The laws that apply in the EU, the US, China and
Japan all have different standards and important points to follow.
For example, the definition of what is a data breach and when you have
to notify individuals and/or the authorities varies significantly.  In
the US, a notifiable data breach often requires acquisition of the
data (i.e. proof of removal).  In the EU, mere access to the data
constitutes a notifiable breach within 72 hours of awareness of the
breach, in most instances.  In China, simply discovering security
flaws and vulnerabilities in your network products and services
requires notification to the government and network users.  In Japan,
you are only required to "make an effort" to notify in the event of a
breach.  Many other countries have in effect, or are now passing, laws
governing data breach notifications.

Companies need to plan now for what laws would affect them in the
event of a data breach.  Data breach issues can be quite traumatic for
companies to deal with, in and of themselves.  If you are also trying
to sort through, for the first time, what laws apply to the data
involved, it is easy to make costly and fineable mistakes.  You can
include a synopsis of these laws in your Incident Response Plan, which
is your guide as to how to handle data breach situations.

Once an incident response plan is in place, it is important for
organizations to undertake data breach drills (aka tabletop exercises)
in order to properly prepare.  I had an experience in my corporate
days, when a data breach occurred and we quickly assembled our
Incident Response Team.  The IT manager first proudly announced that
the servers were up and running after only a few hours of down time.
I asked for the servers so that we could study them for what happened.
The IT manager indicated that they had wiped the servers in order to
load the data more quickly.  His solution was great from an IT
perspective, but not so great from an evidentiary perspective.
Therefore, it is important to test your Incident Response Plan in
order to see if you are truly ready.

In the end, does it really matter which, data privacy or
cybersecurity, is more important?  Aren’t data privacy and
cybersecurity just two sides of the same coin, where poor data
privacy leads to poor cybersecurity, and vice versa?  The answer is
yes.  To prevent this, companies must start the process of identifying
and protecting their data, whether it be personal information or
corporate secrets.  Then, continue down that path, expanding the
process until you have considered all of the risks that could
negatively affect your company.
