BreachExchange mailing list archives

Top 3 data privacy, security issues in-house counsel should focus on in 2015


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Mar 2015 19:07:11 -0600

http://wislawjournal.com/2015/03/19/top-3-data-privacy-security-issues-in-house-counsel-should-focus-on-in-2015/

Recent cyber attacks have caused companies to focus on privacy and security
issues more than ever before.

With the attack on Sony in December 2014 and the unprecedented breach
involving health plan information of Anthem Blue Cross Blue Shield in early
2015, companies have recognized that cyber hacks are a real threat. Today,
the question is not “if,” but rather, “when” your company or one of your
vendors will get hacked. The new landscape is forcing in-house counsel to
prepare for this inevitability and the following three steps are good
places to start.

Implement a cybersecurity program and know your insurance coverage

In-house counsel and board members must be prepared to implement a
risk-based cybersecurity program, while also understanding the limits of
their company’s insurance coverage. How should a company determine where to
start? A good approach is to review existing federal guidance — both
mandatory requirements and voluntary “best practices.”

On February 12, 2013, President Obama issued Executive Order 13636,
“Improving Critical Infrastructure Cybersecurity” which mandated that
several federal agencies recommend ways to improve critical infrastructure
cybersecurity. The National Institute of Standards and Technology (NIST),
in concert with stakeholders across industries, compiled industry standards
and best practices on managing risk in “critical infrastructure sectors,”
such as financial services, communications, and the energy provider
industry. The final result, published February 12, 2014, is a voluntary
framework providing guidance on how to create and implement a cybersecurity
program.

While the federal government has declined to offer incentives for adoption
of its framework, and has not mandated participation by private companies,
the framework is quickly becoming the standard used when developing a
cybersecurity program. Specific industries like the Federal Financial
Institutions Examination Council and the U.S. Food and Drug Administration
also have issued guidance on developing cybersecurity programs.

Prudent in-house counsel should advise the company’s board of directors and
officers about their obligations to oversee and manage cyber risks. This is
essential because in 2014 Target and Wyndham shareholders brought
derivative lawsuits against individual directors and officers of the
companies for breaching their fiduciary duty to protect the personal
information of employees and customers.

The first decision in the matter involving Wyndham was favorable to the
company. The court dismissed the shareholder derivative action, noting that
the board had actively considered data security matters at fourteen board
meetings held over several years. This holding doesn’t solve the issue,
however, because the Wyndham decision has been appealed and the derivative
action against Target is still pending.

Another way to manage risk is to insure against cyber attacks. Insurance
companies have begun to exclude cyber liability from commercial general
liability insurance coverage. Instead, insurers offer separate cyber
liability policies that cover first-party losses when a breach occurs, such
as hiring legal counsel and a cybersecurity forensic firm and paying for
notification costs. In-house attorneys should discuss with their insurance
colleagues whether such exclusions could apply and, if so, weigh the
possible risks of such exclusions.

Know big data and the Internet of things

In-house counsel must become familiar with two new terms that do not have
precise legal definitions yet: “Big Data” and the “Internet of Things.”
“Big Data” has many definitions, but as summarized by the federal
government in documents, it generally reflects the growing technological
ability to capture, aggregate, and process an ever-greater volume,
velocity, and variety of data.

Similarly, the “Internet of Things” (IoT) is a term used by the government
and others to describe the ability of devices to communicate with each
other using embedded sensors that are linked through wired and wireless
networks. These connected devices use the Internet to transmit, compile,
and analyze data. The devices can be consumer-focused (such as connected
televisions or refrigerators) or business-focused (such as office printers,
which can automatically order ink refills when supplies run low). Big Data
initiatives and the IoT are driving the increased use and value of data,
and the associated cybersecurity risks to the companies that hold it.

In May 2014, the White House issued the results of its comprehensive review
of Big Data. In September, the White House announced new government
initiatives, which included using Big Data in law enforcement and health
care to advance best practices and research, while safeguarding personal
privacy. The Federal Trade Commission followed up with its January 2015
“Internet of Things: Privacy & Security in a Connected World” report that
outlines three “best practices” for companies that gather consumer
information as part of the IoT. In-house counsel who work at companies
which gather this information should review the FTC report, then compare
its recommendations (which involve “data security,” “data minimization,”
and “notice and choice”) with how the company is currently using (or
planning to use) such information.

Implement privacy and security policies and procedures — and follow them

In-house counsel should ensure privacy and security policies and
procedures, including a security incident response plan, are implemented
and followed. These policies and procedures will shape the company’s data
privacy and security practices and guide the company in the event of a data
breach.

There is no single federal law governing data security or data breaches,
yet. Instead, in the United States, data security is regulated by a
patchwork of entities and laws, such as Section 5 of the Federal Trade
Commission Act, the Gramm-Leach-Bliley Act, the Health Insurance
Portability and Accountability Act of 1996, and state law.

In January 2015, Obama proposed the Personal Data Notification & Protection
Act. The act would create a single federal data breach law and preempt most
state data breach notification laws. There is some bipartisan support in
Congress (and among businesses) for a single, uniform federal law on data
breach notifications. But, it is unclear if such a bill will actually
become law.

As the sophistication and prevalence of cyber attacks grow, in-house
counsel must stay abreast of current law and industry guidance to be
prepared to defend its company’s privacy and security practices against
government actions and litigation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/