The last several years have seen a series of high-profile data security breaches resulting in adverse publicity and significant costs for the targets of these breaches. Whether a targeted attack or a hacker seeking a weak network, even the best security systems may ultimately be compromised by sophisticated attackers. This article explores some steps counsel can take to protect their organizations from a data breach, and how counsel can proactively help to mitigate any adverse impact in the unfortunate event a data breach occurs.
Know What Data Your Organization Has, Where That Data Goes and Where It Originated
It is important for counsel to understand the nature and scope of the sensitive data that their organization uses in the course of its business, and how this data flows through the business. Significant obligations may be imposed on your entity based on the type and nature of the data, and how that data is used in the business. Counsel's inquiry should cover not only the company's own data, but also data that the company handles on behalf of third parties (customers and vendors). Certain information, such as healthcare or financial information, can give rise to statutory or regulatory obligations that may require heightened security procedures. Other information may trigger audit concerns for the entity or its clients.
Just as important as understanding the scope and nature of the data is understanding how your entity came to possess the data and what happens to that data while in your entity's control. Counsel needs to evaluate how the data was collected, as certain disclosures may need to be made at the point of collection, or certain contractual obligations may need to be imposed on agents that interact with the data. Next, it is important to understand the lifecycle of the data within your organization. Where is it stored and how is it secured? Is it ever processed or transmitted and, if so, what protections are taken during those steps? Is it ever transmitted across international borders? If the data is subject to regulation, are those requirements being met? Finally, counsel must understand how data is disposed of once it is no longer useful. Are contractual and regulatory obligations being met? Does the handling of the data comply with the organization's retention policy? With a full understanding of the data's path through your entity, you will be better able to protect the data on a day-to-day basis.
Implement and Enforce Strong Policies for Employees and Vendors
Many security breaches result from attackers taking advantage of people in order to gain access (whether physically or electronically). Social engineering, or the manipulation of people, is often used to dupe people into revealing confidential information that can then be used to access otherwise secure data or facilities. Likewise, phishing or more targeted “spear-phishing” attacks will try to solicit information electronically or try to trick the recipient into authorizing the download of malware through links designed to look legitimate. Counsel can help thwart such attacks by making sure that strong policies are implemented for all of the organization's employees and agents so that sensitive data remains protected. All of a company's policies (human resources, physical security, travel policies, etc.) should take into account the company's technology and data, and should be designed to protect this data. Once policies are developed, it is also important to ensure that they are effective. Simply issuing a policy is not enough. Training should be provided to employees and agents to ensure that they recognize when social engineering or phishing attacks are occurring.
The company's policies and procedures should also be sure to limit access to sensitive data only to those employees, consultants and vendors that have a need to know such information. Counsel can be helpful in determining who should have access to data and ensuring that policies are put in place to limit access accordingly. For certain highly sensitive information, background checks may be appropriate (or even mandatory) in order to permit access to the data. Counsel will be key in determining these limitations.
Contractual Protections
Know the Security Standards
Whether you are allowing a third party access to your information or contracting with clients of your entity regarding the handling of the client's data, it is important to know the applicable standards imposed on the handling of the data, whether by law or by practice in the industry. The nature of the data being processed will generally dictate what confidentiality restrictions and data security requirements should be added, and this in turn will likely dictate what, if any, standards should be observed. For example, it would be appropriate to require adherence to the Payment Card Industry Data Security Standard (PCI DSS) for credit card information, but the ISO 27001 standard may be more appropriate for services involving a data center. There are many other security frameworks that may apply, and counsel must play an important role in ensuring compliance with the applicable standards.
Bind Your Vendors and Confirm Compliance
Once the applicable standards are known, steps need to be contemplated and implemented to ensure that ongoing compliance is maintained and data will be kept secure, especially where it is entrusted to third parties. Will independent certifications be required? What kind of reporting will be required? Can your entity audit the third party's compliance? Most importantly, what are the consequences if vulnerabilities are found? It is recommended that strong remedies, including termination rights and cover costs, be put in place to deal with any non-compliance with contractual obligations to protect data and any failure to adhere to agreed standards.
Accessibility
Contracts with third parties should always limit accessibility to data accordingly. When entering an agreement that relates to sensitive information, you will want to ensure that rights to use and further disclose information are properly limited and that rights to subcontract are limited appropriately. If your company is the party receiving sensitive data, you must ensure that you have appropriate permissions granted to allow your entity to fulfill its contractual obligations and to limit access only to those resources with a need to access the data.
Indemnities
Often, indemnities are the most heavily negotiated portions of contracts. When the subject matter of the agreement is sensitive data, indemnities offer a great opportunity to allocate risk properly under an agreement. The indemnities should properly balance the risk of the parties with the responsibilities of a party to an agreement. Anticipating the potential for third-party claims and addressing the responsibility for those liabilities in advance can serve as a strong performance incentive for the parties to an agreement.
Electronic and Physical Protections
Counsel should be involved in evaluating the appropriateness of the electronic and physical protections an organization puts in place to protect sensitive data. Strong authentication procedures should be put in place for any access to systems containing sensitive information. Encryption may be appropriate (and even mandated by applicable laws) where data is highly sensitive. Physical or logical segmentation from other data at the electronic level may be appropriate based on the nature and source(s) of the data. In addition, potential sources of data leakage should be evaluated, such as printers/faxes, e-mail, wireless systems, displays, and mobile devices. Electronic measures can address many of these concerns, but in other instances, different procedures, such as supervised access, data logging, change management policies and certified destruction, may be more appropriate.
Also, while usually the primary responsibility of the IT department, counsel must ensure that proper testing for vulnerabilities takes place regularly, particularly where sensitive data is in play. Likewise, counsel should ensure that procedures are in place to ensure timely patching of known vulnerabilities.
Monitoring and Auditing
Access to sensitive data should be monitored at all times. Logging mechanisms should be put in place to monitor all access to sensitive data. This should include logging of all electronic access and physical access to secure facilities (or areas of facilities).
As noted above, ensuring compliance is important. If certain data affects your organization's financial controls, you may be required by auditors to report on the controls that are in place to protect data. Where handling of sensitive data is outsourced, agreements for services should address the applicable audit standards (e.g., SSAE, ISAE, etc.) and the applicable type of report (e.g., SOC 1 v. SOC 2) that the vendor must provide. Agreements with third parties should also address the consequences of failures to report and consequences of an unsatisfactory report.
Insurance
Cyber-risk insurance is now commonplace in most industries, not just among technology companies. Data breaches can result in not only adverse public relations, but also in fines, internal costs (for investigation and compliance with notification laws) and lawsuits by affected third parties. Where the handling of sensitive data is outsourced to a third party, an insurance requirement (addressing data breaches) should be standard in the services agreement.
Preparedness
One of the most important roles that counsel can play with respect to protecting sensitive data is in preparing for a rapid response in the event of a data breach. Counsel should prepare a thorough breach response plan with a cross-functional team of legal, IT, risk and each department that is responsible for sensitive data. The plan should contemplate forensic needs to chronicle any breach, legal requirements that may arise in the event of any breach, and strategies for alternative handling of data in the event of a breach.
Conclusion
Constant vigilance is required with respect to data security. Certification under applicable standards does not always equal security, so security remains an ongoing process. People can often be the biggest source of weakness in any security structure, so constant training and education on how sensitive data should be handled is a must. Counsel to any organization should play a critical role in this ongoing effort by gaining a full understanding of the organization's data and how it is handled. Once the organization's data flow is understood, counsel should help implement safeguards and plan ahead to make sure the organization is ready to deal rapidly with any possible breach.
Jeffrey Kosc is a member of the Innovations, Information Technology & Intellectual Property (3iP) and Litigation Practice Groups at Benesch, Friedlander, Coplan & Aronoff, LLP in Indianapolis, IN. He can be reached at [email protected].