As we gather at this time of year to express our gratitude for the people and things most important in our lives, perhaps one of the things on that list at work is that you have not suffered through a security incident or breach this past year, or ever. Indeed, that is reason to be thankful. However, when it comes to privacy and security incidents, it is not a matter of IF but WHEN. So be grateful for your good fortune, but start planning for WHEN, not IF. With that in mind, as you and your team take this time to wind the year down and plan for 2018, here are some best practices to consider.
Have a plan. Any company that handles sensitive, regulated, or personally identifiable information should have a written incident response plan in place so that it can respond quickly and effectively to security incidents or breaches. Such a plan not only helps you do the obvious things in an incident (stop the threat, mitigate the harm, remediate the procedures that failed), it also helps you manage the less obvious ones: PR and messaging, the logistics of providing notice under the breach notification laws of as many as 48 states (not to mention to regulators), and evidence of due diligence against later claims of negligence or other failures by the company. At Taft, we regularly counsel clients on such plans, including developing and testing them through tabletop exercises and other assessments. Creating a plan, establishing an incident response team and testing that plan can pay dividends you will be grateful for over many years to come.
Conduct a risk assessment. The only way to know your risk is to regularly assess your company and its information practices for weaknesses in your administrative, technical and physical safeguards. A documented risk assessment, conducted with the assistance of counsel where you want the work product protected by applicable privileges, not only addresses the risks directly but becomes part of your due diligence story to mitigate any claims that your company “did not do enough” or “should have known” of such risks. Furthermore, some regulations, like HIPAA, require such assessments and analysis. I have yet to conduct a risk assessment for a client and find nothing that could be improved. This is the way it should be. You are never done working on privacy and security. However, a risk assessment can tell you (and others) how far you have come and how seriously you take your data governance responsibilities.
Audit your third parties. Don’t just look inward. Many companies do not host their own data, or they rely on third parties to deliver all or part of the services they offer using that data. (Cloud services, anyone?) Each third party can be an asset or a liability, and the only way to know which is to put agreements in place with those third parties that spell out their information privacy and security obligations, and then audit their compliance with those requirements.
Get your house in order. All of the above assumes you already know what data you collect, where you store it and where it travels (internally and externally). It also assumes you have policies, procedures and other controls in place to ensure the information is used in accordance with the law, your contracts and any other policy requirements you may have. A large part of our Privacy and Data Security practice involves helping clients with the basics of data governance: data classification, data mapping, policy and procedure development, and assessing and implementing administrative, technical and physical safeguards. You cannot protect your house until you know what in your house requires protection, and where it is.
Train your people. The number one risk to your information security is your employee base. One of the cheapest, most effective and most overlooked information security investments is training your employees on your policies and procedures (if you have them), on emerging threats to your company’s information, and on how to respond to and escalate issues involving such threats. Furthermore, regularly scheduled training and an awareness program that provides timely updates on emerging threats is another page in your (growing) book of due diligence. Just think: how many stories have you seen in the news where employees caused a breach by the simplest of mistakes (leaving a laptop in a coffee shop, propping open a locked office door on a hot day, or clicking a link in a phishing e-mail)? Your employees cannot be expected to do the right thing with company information if you do not tell them (and then tell them again) what the right thing is.
Get covered. Consider adding cyber insurance or data breach coverage to your existing insurance policies. The reality is that data breach response is a marathon, not a sprint. It is costly in time, resources and money. Cyber insurance today offers many levels of coverage and covers much more than legal liability. Many policies pay for the services you may not think of until you are dealing with a breach, such as breach counsel, forensics, call center services and public relations.
Just get started. The greatest risk to companies? Doing nothing at all because they don’t know where to begin, or because it “costs too much” or “will take too long.” Like any physical fitness program, information security compliance is about consistency over the long term and making progress in increments. You may not be buff tomorrow, but over time you will see results. Just. Get. Started.