Imagine you are the manager of a bank that has just been robbed. The police gather evidence from the crime scene to try to identify the robbers. Then a federal official arrives to advise that you're being fined for not doing more to prevent the theft. Then some state officials arrive to say that they're fining the bank too, because some of your customers were residents of their states. Then you learn that you're being sued by the customers whose money was taken.
For many companies in the United States, this scenario is playing out with increasing frequency following breaches in cyberspace. Securing your company's network and protecting your valuable data is difficult enough in today's Internet-driven economy. But to be treated by regulators and courts like an accessory to the crime after you've been hacked is truly adding insult to injury.
Or rather, adding injury to injury: defending your company against enforcement actions and class action litigation places financial burdens on the company at a time when it is coming to terms with the reputational and economic damages inflicted by the attack, and paying the costs associated with protecting customers.
The Federal Trade Commission (FTC) and many state attorneys general have already marked their territory when it comes to data breaches, and the number of class action suits against companies that have been victims of breaches is growing steadily. Recent reports suggest the Securities and Exchange Commission (SEC) may be taking another step toward official rules on cyber disclosures, which means companies could face even more regulatory scrutiny, and shareholder litigation, in the years ahead.
In this environment, companies have to move aggressively and proactively to prevent a breach and to mitigate its consequences. The single most important step a general counsel can take is to engage in a comprehensive review of the company's information governance before a breach occurs. Not only will this type of proactive review help reduce the risks of a breach, it also will be an important part of your company's defense in the litigation and enforcement proceedings that are likely to follow.
Simply put, regulators and courts will be far less likely to blame the victim company for the breach if that company can demonstrate the steps it took in advance to protect its data and reduce its risks.
This type of review requires more than just the IT department, or even an outside network security firm; it also involves a host of legal issues. Moreover, in order to ensure attorney-client privilege for the results of such a thorough review, it is best to have it commissioned by outside counsel.
To maximize the protection for the company, the review should address the following nine areas.
1. Review privacy notices and practices.
Compare your privacy notice with your company's actual practices to make sure you're doing what you say you're doing. Otherwise you could be in the sights of the FTC for deceptive trade practices.
2. Review employee training on cybersecurity.
Data security is not just about technology; it's also about processes and people. Your employees are your first line of defense, and one employee who carelessly opens a spear-phishing email and allows malware to get onto your network can undermine millions of dollars in security investments. For that reason, reviewing and enhancing your training for employees, emphasizing their shared responsibility for cybersecurity, is critical.
3. Review network security.
Technical security measures are critical components of your overall level of protection. Here are key questions you should be asking:
4. Develop or review (and test) an incident response plan.
If you don't have an incident response plan, you need one. If you have one, now is a good time to review it. Either way, that plan should be tested regularly so you know it will work when the time comes. The plan should make clear who will be called in to help when an incident occurs, and your lawyer should be your first phone call. The lawyer in turn should engage a forensics firm and other outside experts. This enables your company to maintain the protection of the attorney-client privilege as it responds to the incident, which will be critical when litigation ensues.
5. Develop or review your records retention policy.
Make sure you store on your network only the data the company needs for business operations; data that can be archived offline or destroyed should be. If it's not stored on your network, it can't be stolen.
6. Review contracts with business partners.
Review your contracts with suppliers, vendors, and other business partners to ensure that they appropriately address responsibility and liability for data security, and that they provide for regular audits to ensure compliance.
7. Review insurance coverage.
No security is perfect, and the costs of a breach can be catastrophic, so checking that your insurance coverage is adequate, including response, remediation, and litigation costs, is critical to protecting your business.
8. Review compliance with the laws governing your data.
In addition to sector-specific federal laws and the FTC Act, nearly every state has laws governing data privacy and breach notification. Your company may also be subject to foreign data protection regimes. And for public companies, the nature and adequacy of disclosures about cyber risks will be subject to review by the SEC. In this complex legal environment, it's important to ensure that your information governance practices will not run afoul of applicable state, federal, or foreign law.
9. Review your corporate governance structure relating to data security.
Data breaches pose risks to the entire company. For that reason, companies should assess their relevant corporate governance structures. All too often, the board will become involved after an incident occurs, but doing so in advance will help ensure that the company is devoting sufficient resources and attention to data protection.
Conclusion
No one wants to spend money to address a problem they have not yet experienced. But most experts will tell you that there are two types of companies: those that know they've had a data breach, and those that haven't yet realized it. Conducting a proactive information governance review will help your company reduce the risks of a cyber incident, and will best position the company to defend itself in litigation and enforcement proceedings if (when) a breach does occur. The best defense later is a proactive defense now.
Jason Weinstein is a partner in the Washington, DC, office of Steptoe & Johnson, focusing his practice on privacy and data security, white-collar criminal defense, and internal investigations. He is a former federal prosecutor and most recently served as deputy assistant attorney general in the Department of Justice's Criminal Division, where he oversaw the Computer Crime and Intellectual Property Section.