BreachExchange mailing list archives

No Cybersecurity Crying in ’16


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 Jan 2016 17:16:01 -0700

http://www.natlawreview.com/article/no-cybersecurity-crying-16

Cyber liability may have been an exotic notion as recently as a couple of
years ago. But today, even after notorious breaches, some organizations
still don’t appreciate that leaving firewalls and other technology-based
precautions to the “IT Guys” won’t cut it. Effective management of a data
security incident benefits from adequately addressing risks at all levels
in advance. To this end, I humbly propose 10 New Year’s Resolutions and
questions to get conversant on high-level issues (with the normal
disclaimer that they are for informational purposes only without legal
advice or opinions):

1. Know the Data. If you take comfort that you’re not a government
contractor with details about troop deployment on un-encrypted laptops or a
healthcare company with patient information in the Cloud, or if you’ve
relegated “PCI Compliance” to something rote, take notice. Any non-profit,
low-tech or other company has likely saved, among the more obvious,
benefits information, background check results, payment data, emails, lists
of job applicants, vendors, customers, and other non-public personally
identifiable information.  For a laundry list, check out the risk factors
in any 10-K or offering memorandum.

2. Map the Data. On what servers and in which data centers does it sit?
How is it routed? Is the company relying on the now-invalidated safe harbor
for transfer from the EU to the U.S.? Who is supposed to have access?
Through which systems? It’s the atypical circumstances that few remember.
For instance, does an auditor transmit information out of the country in
violation of local rules? Or, when are vendors brought inside the firewall?
What about a deal discussion and due diligence?

3. Go on a Data Diet. Be judicious in maintaining online stores of former
customers or decades-old records. Aside from reputational damage, a
company’s breach liability is in part a function of each individual whose
information is improperly disclosed. Think notice to those impacted,
identity restoration and credit monitoring, and other remedies. A recent
settlement enabled millions of individuals each to claim up to $10,000 in
costs. So why not minimize the universe of discourse?

4. Own the Privacy Policy. Simply posting a form isn’t enough. Treat it as
a live document. For starters, express informed consent about how data may
be used is a standard that varies across jurisdictions. And can an
individual really “rest assured that personal information will never be
shared with a third party,” as the conventional text goes? Companies must
contemplate and account for Cloud storage and computing, cross-border
transfer, M&A, and even a sale of its own assets in bankruptcy. The FTC has
actually required new affirmative opt-in by each affected individual once a
proposed transaction would “sell” information in violation of a company’s
own privacy policy (and regardless of whether that policy would otherwise
have allowed unilateral modification).

5. Train Everyone. The biggest defense force is the population using a
company’s systems day in, day out. Deputize them to be on the lookout.
Maintain sensitivities to old reliable precautions–strong, protected
passwords, anti-virus software for home computers used remotely,
confidential document handling, and locked work stations and devices.
Messages tend to stick when people learn something interesting or even
complicated. Teach about spear-phishing, trojans, and the rest of hacker
alphabet soup. Demonstrate manifestations of malware. Quiz about incident
escalation practices. Certify employees and vendors regularly and keep them
abreast of changes.

6. Test Systems. Compliance with good practices is not static. Just as
company technologists should run regular penetration tests to find back
doors, it’s critical to administer a cybersecurity regime that tracks
overall Company efforts. In the context of broker-dealers, which hold
sensitive customer information, the SEC recently recognized the importance
of written information security policies, along with periodic audits and
risk assessments. Such continuing attention better equips a company to
overcome weaknesses and enables officers and directors to provide
oversight. It also lays the groundwork to dispatch lawsuits and government
investigations handily.

7. Conduct Incident Response Drills. My colleagues whose phones might ring
in the middle of the night live near airline hubs so they can quickly reach
the scene of the crime. But triggering a well-rehearsed sequence is far
preferable to telegraph preparedness and saves money. Aside from calling
your insurance agent, breach notifications are required under state and
some federal laws. A material incident may be reportable on form 8-K. Have
a system for figuring out what happened, how long that process takes, what
customers, products or services were impacted, the extent to which it could
have been avoided, and how to tamp down continuing vulnerabilities. It’s
admittedly no fun. Responding to a significant breach is stressful, but is
easier to handle well when there is a plan in place that has been tested,
incorporates years of experience and lessons learned from hundreds of
others’ breaches, and has been agreed upon by stakeholders. Taking simple
steps now makes it easier and more likely that the organization will
respond well when a breach happens.

8. Get Insurance. It’s less about whether to have coverage for cyber
liability, which is usually excluded from general commercial policies.
Rather, what protection is worthwhile? Incident response coverage is
typical. What about the expense of offering credit monitoring to
individuals? Is corporate information covered? Business interruption is
often overlooked. Does the policy include events and claims anywhere in the
world? Are there exclusions for rogue employees or failure to abide by
policies? Have likely defense costs and penalties been factored in? Having
said all of this, the best “insurance” is every measure taken aside from
purchasing the policy itself!

9. Do it Yourself vs. Due Diligence Hell. Too many cutting-edge companies
finally entertaining suitors or financing end up facing the unpleasant
reality that they didn’t exactly have their cybersecurity ducks in a row.
Showing that you’re on top of cybersecurity should help preempt overbearing
diligence and the most cumbersome reps and warranties that a buyer might
try to demand. The review will start with public information like
well-articulated risk factors in ’34 Act filings which, by implication, may
signal a nuanced approach to cybersecurity. Closer examination will cover
the ‘all of the above’ category (please see points 1 – 8!). And have your
latest risk assessment ready because the other side is surely bringing its
own privacy and security specialists — and may use a forensic expert if
warranted.

10. Get the *Real* Checklist. Of course this isn’t it. New laws are
continually being enacted (like the Cybersecurity Act of 2015 and Europe’s
recently unveiled General Data Protection Regulation). Part of showing that
an organization has not acted negligently with respect to cybersecurity is
proving that its conduct is reasonable, which requires coordinating efforts
across functions, and reviewing practices and coverage regularly.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics 
portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which 
vendors to trust. Contact us today for a demo.
