Effective cyber security to combat crime and protect data

September 2015 | PROFESSIONAL INSIGHT | RISK MANAGEMENT

Financier Worldwide Magazine

There is no shortage of headlines announcing the latest data breach affecting millions, whether it be the federal government (Office of Personnel Management), healthcare (UCLA Health and Anthem) or retail (Target, CVS and Costco online photos). But inevitable as it is that more data breaches will occur, it is also a certainty that the use of electronic and digital records containing personal, financial and medical records will only increase. Even the temptation to slide back to paper is not an option, since many privacy rules apply to paper as well as electronic records. So, short of chiselling stone, how does a modern business function while keeping data secure?

Effective cyber security must include modern IT tools such as firewalls, remote data wipes, virus detectors and encryption. There also are meaningful and low-cost ways a company can reduce the likelihood and severity of cyber breaches. Below are a few of those steps.

Know thyself

The first and most important step in cyber security is to understand your data – know what you have, where is it kept and who has access to it. It does not always follow that the larger the company, the more sensitive the data. Many companies holding data that the law says must be protected are not even aware that they are subject to privacy laws. Even one employee’s social security number requires protection. But until you understand what you have, you cannot begin to secure it.

Know thy vendors

The Target breach originated with a small HVAC company in Pennsylvania. The OPM breach reportedly started with a travel agent. The Goodwill breach began with a point-of-sale retailer. No matter how secure your own systems are, you remain at risk if your vendors’ networks are vulnerable. You should understand your vendors’ data securities as well as you know your own. The first step is to determine which of your vendors pose the most risk to you if their systems are breached. Vulnerable vendors may include storage and shredding companies, photocopier lessors, outsourced billing systems, law firms and accountants.

A carefully drafted questionnaire can help you evaluate the security and procedures your vendors have in place. Obtain a copy of the vendor’s written security policies. Require the vendor notify you promptly in the event the vendor has a data breach. Monitor compliance by the vendors with an occasional on-site visit. Read your service contracts carefully to determine whether you or the vendor have any indemnification obligations in the event of a breach.

Have a breach response procedure

The time to implement a breach procedure is now, before a breach. A response procedure is a comprehensive written response plan. Identify who is in charge and who has decision-making authority. This not only streamlines the response activity, but a go-to person recognises that there is no time to build consensus opinions during the early days of the breach response. The response procedure should identify which outside vendors to contact, and in what order. Some hold the view that a lawyer should be the first contact because his communication with vendors and the company may be privileged.

Just as the time to create a procedure is now, so now is the time to identify and negotiate prices with all potential breach responders. Cultivating contacts within the FBI and Secret Service is also worthwhile because many hacking attempts are a criminal activity. One increasingly common practice is cyber extortion in which data is frozen or threatened to be released unless a ransom is paid.

Conduct ‘table top’ exercises of mock cyber security events with IT, legal, human resources, compliance officers and upper management. Consider having the mock exercise on a Sunday afternoon when the office is not air conditioned because a real breach will undoubtedly occur at an inconvenient time.

Have a disposal policy

So much emphasis is placed on keeping data secure that it is easy to forget the task of data disposal. Data disposal raises two issues. First, many businesses, schools, municipalities and nonprofits retain client and customer data long beyond its usefulness. There should be a regular review of data to determine whether it still serves a business purpose and if not, then proper steps must be taken to delete aging data. Second, disposal rules often apply to protected information on paper. The disposal standard under many privacy laws require that paper documents be rendered unreadable, unusable and undecipherable. This includes shredding, burning, pulping and even ‘pulverising’. If a third party vendor is hired to dispose of protected data, that vendor must be vetted and monitored.

Create a culture of security

Each employee, from the newest hire to the chief executive officer, must acknowledge the importance of privacy protection. If employees do not observe upper management involved in data security procedures, they may not take the issue seriously. Executives should lead by example and attend cyber security training programs.

Apply brick and mortar lessons to digital data

It is readily acceptable that not all employees have access to all business functions. Law firm associates do not attend partner meetings, shipping clerks do not have access to human resource files and office staff do not have access to R&D labs. Similarly, passwords should be restricted or tiered so that only appropriate personnel have access to sensitive material. Systems should lock out employees whose seniority level or job function limits their right to access certain data.

Train all personnel

Stress the importance of cyber security by extending training to cover data protection practices in employees’ personal lives as well as the workplace. Employees are more likely to pay attention when organisations emphasise the importance of data protection at home and at work. Assess employees’ knowledge of privacy rules, for example by circulating a friendly and fun email quiz about a security policy. Not only does this approach reinforce the importance of security, but wrong answers highlight areas where additional training may be necessary.

Have a privacy policy

Once you identify your data and create a response procedure, draft a written privacy policy which can be part of the informational packets given to new employees. The policy should emphasise the importance of privacy and contain company policies regarding social media, BYOD, using unprotected networks outside the office, password security and incident reporting. It is equally important to have and enforce consequences for noncompliance, including termination. But a policy should not be so onerous that it discourages compliance.

Keep current

Developments in technology constantly change the workplace and work habits. Designate one or more individuals to be aware of emerging threats and new business functions that may increase security risks or create new ones. This may be as simple as subscribing to industry newsletters, following industry leaders online and meeting regularly.

Purchase cyber insurance

There is no magic potion to secure data in the workplace, nor should insurance be viewed as a substitute for good company policies and procedures. Yet despite all reasonable security measures, a data breach may still occur. Taking another lesson from the brick-and-mortar world, few businesses operate without fire insurance even though they install fire suppressive measures. A data breach or infected network also can cause long-term, expensive business interruption and reputational damage. Cyber insurance can be an affordable safety net if a breach occurs. The more secure you are, the better the coverage you may be offered. Be sure you purchase the type of coverage suitable for your risks with the limits you need from an insurer you trust.

Celeste King is a founding partner at Walker Wilcox Matousek LLP. She can be contacted on +1 (312) 244 6777 or by email: cking@wwmlawyers.com.

Celeste King

Walker Wilcox Matousek LLP