By Patricia Farrell, Meyer, Unkovic & Scott & Julia Poepping, Copasec
Did the board of directors and top corporate officers do enough to prevent and address the cyber attack?
For corporate counsel, this is the key legal question when it comes to cybersecurity risk. Following highly publicized data breaches such as those of Target Corporation, the Wyndham hotel chain and Home Depot, shareholders, vendors and consumers are increasingly filing lawsuits alleging that the company’s board of directors and executives did not do enough to protect its data.
While it’s impossible for any company to completely prevent cyber attacks, corporate counsel should advise companies to adopt strong cybersecurity policies and procedures that demonstrate the board’s and executives’ good-faith commitment to data security. These procedures will help to defend the board of directors and executives in a lawsuit following a security breach, and may also help to lower the cost of cybersecurity insurance premiums.
- Select an executive to oversee cybersecurity and give updates on key security metrics
The board of directors should assign an executive who oversees the company’s cybersecurity measures. The executive should be top-level management, such as the chief executive officer, chief operations officer or chief information officer. The board should require the executive to give updates on key cybersecurity measures at least quarterly until a mature program is in place. Once a mature program is in place, the board may require only annual updates with statistics about risk possibilities, number of incidents addressed, potential threats and other key metrics. If there is a cybersecurity breach, the board should require the executive to give updates at every meeting until the issue is resolved.
- Create a cybersecurity leadership committee
Hackers may target all types of data, from personnel files to company financial records to client lists. One of the first tasks of the executive assigned to oversee cybersecurity should be to establish a leadership steering committee with broad representation across all major departments, including legal, human resources, finance and accounting, sales, information technology, operations and any other relevant corporate departments. The representative from each department should be responsible for establishing data policies within their department, championing data security programs and defining security metrics for their group.
- Choose a cybersecurity framework
There is no single set of standards that a company can meet to ensure its relative security from cyber attacks. The executive who oversees the company’s cybersecurity efforts will have to choose from several available frameworks that provide guidelines for security measures. A commonly used framework is from the National Institute of Standards and Technology (NIST). NIST’s “Framework for Improving Critical Infrastructure Cybersecurity” was released in February 2014 in response to an executive order to improve cybersecurity infrastructure. Companies may, however, choose a framework that caters to their specific industry and the associated regulations. For example, energy companies often use the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection guidelines. Some other common frameworks include:
- The International Organization for Standardization’s (ISO) 27000 series
- The International Society for Automation’s and the American National Standards Institute’s joint series of documents, ANSI/ISA99
- Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technology (COBIT)
- Create a data classification policy and procedure
The board of directors and company executives should identify the different types of data that the company stores and the corresponding level of protection each needs, such as:
- Public data, which is available to anyone. In some cases, federal or state regulations may even require certain data to be public, such as the federal Securities and Exchange Commission’s disclosure requirements for publicly traded companies.
- Private internal data, which includes any information that may be used by any employee but should not be available to outside organizations. Examples might include operating procedures or technical documents.
- Confidential or restricted data, which might apply to things such as employee salary records, court records or unpublished company financial information. This information is available only to employees whose job functions require it.
- Data specially regulated by specific federal, state or local laws. For example, the Health Insurance Portability and Accountability Act (HIPAA) has specific privacy requirements for medical records.
- Train employees on acceptable use of data
Whether a company’s data classification policy is effective depends on employee compliance. The company should train employees on acceptable ways that they may use and distribute data, and have them sign documents promising to follow the company’s guidelines for appropriate ways to use its data. For example, employees should have no expectation of privacy when using company materials, should not download unapproved software and should never email internal company information to people outside the organization. The acceptable use policy should include the potential consequences of violations, which may include termination or even prosecution if the employee violates the data policy.
- Create an incident response plan
One of the most common legal charges following a cyber attack is that the company was unprepared to handle the crisis, then attempted to hide it from affected parties including shareholders, customers and vendors. To prepare for an incident, the cybersecurity leadership team should identify how likely different types of cyber attacks are and how an incident may compromise the organization’s functionality and reputation. For each scenario, leaders should lay out a corresponding incident response plan that sets out how issues may be detected, who will be responsible for implementing procedures to contain and eradicate the problem, and how to deal with the incident afterwards. The plan should also include communications plans, including when shareholders, affected vendors or customers, and the public must be notified of a data breach.
- Schedule periodic audits by a third party
No matter how strong a company’s cybersecurity team may be, there will always be blind spots and gaps that the team may miss because they are too close to the situation. Periodically, the board of directors should employ a third-party firm to test the company’s cybersecurity measures and identify any potential chinks in the armor. The outside company can then address any issues uncovered in the audit.
- Regularly remind employees to maintain cybersecurity
Cybersecurity armor is only as strong as its weakest link, which often comes down to human error. While some cybersecurity attacks are sophisticated, many more begin with simple employee negligence, such as opening an email carrying a virus or mistakenly sending a confidential document to the wrong person. Companies should consistently remind employees to be vigilant about company data security, in newsletters, on posters, through reminders and in meetings.
Corporate counsel should pay close attention to the company’s cybersecurity strategy and encourage the company to employ each of these steps. If the company experiences a cyber attack and resulting lawsuits down the road, corporate counsel will be ready with the company’s good-faith defense: evidence that it acted to prevent the attack.
Patricia Farrell is a partner at Pittsburgh-based law firm Meyer, Unkovic & Scott where she has a broad corporate practice. Patricia can be reached at firstname.lastname@example.org.
Julia Poepping is principal consultant and founder of Copasec, a cybersecurity services company. Julia can be reached at email@example.com.
Reprinted and excerpted with permission from the October 8, 2015 edition of the Legal Intelligencer © 2015 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382, firstname.lastname@example.org or visit www.almreprints.com.