Pub. 5 2017 Issue 4
a company. In other words, executives and board members cannot reduce their cybersecurity liability by ignoring the problem.

State, national, and international laws increasingly regulate how companies process information. On the state level, 48 states have data breach notification laws. Most of those laws simply explain how to notify individuals affected by a data breach. Some states go further. Utah, for example, requires "any person who conducts business in the state . . . [to] implement and maintain reasonable procedures to: prevent unlawful use or disclosure of personal information . . ." In other words, operating without appropriate policies and procedures runs the risk of violating the law.

In the federal regulatory environment, organizations that work in industries such as health care, banking, insurance, finance, and telecommunications face a plethora of cybersecurity obligations. For example, in the health care environment, federal law requires health care entities to implement specific privacy and security policies. Failing to do so can incur millions in fines, consumer anger, and months of audits with disruptive regulators.

Internationally, most countries enforce strict privacy and security laws. Where the United States regulates privacy by sector, most countries outside the United States regulate privacy and security comprehensively. Accordingly, most countries: illegalize the international transfer of information without following certain processes; require a legal basis to process consumer information; and impose steep fines for failing to comply. For example, in 2018, the European Union can fine companies the greater of €20,000,000 or 4 percent of international revenues.

Another source of legal risk comes from contractual obligations. It's a common business practice to draft service agreements insisting that business partners comply with specific privacy and security laws. In the healthcare industry, health entities commonly require business partners to sign a Business Associate Agreement, which creates an obligation to comply with federal privacy and security laws.

Once executives and board members understand their privacy and security obligations, their legal counsel should draft appropriate policies and procedures. At minimum, the policies should explain how the company governs privacy and security matters, the physical and technological security measures to prevent data breaches, and the incident response process.

With regard to governance, a designated executive should provide regular reports to the board about security assessment results, progress on addressing security matters, audits of the security system, privacy and security awareness campaigns, and data breach incidents. Executives and board members should have an opportunity to review these items, recommend solutions, and communicate regular privacy directives to employees. In line with the duty of care, executives and board members must reasonably address privacy and security issues raised during these meetings. If executives and board members fail to hold these meetings, they may breach their fiduciary obligations to the company.

Policies must set the company's security framework for physical and technological security. There are numerous security frameworks to choose from, but the most common are ISO's 27001 standard, the NIST Cybersecurity Framework, and the Center for Internet Security's 20 Critical Controls. Of these standards, the Center for Internet Security's 20 Critical Controls are the most approachable. They're free, available online, and provide a reasonable level of protection without breaking the budget.

Finally, policies should flesh out an incident response process. Without it, companies can waste thousands of dollars without properly addressing incidents. The incident response process should designate an incident response coordinator who fills out an incident report, reports the incident to executives, and works with various departments to resolve the incident. Critically, the process should incorporate legal counsel so counsel can protect matters discussed during the incident with the attorney-client privilege.

No company wants to lose their customers' information. No company wants to pay a fine or lose business because of a data breach. Instead of buying gadgets to solve obscure cybersecurity problems, companies should engage legal counsel who can define the legal problem and draft policies and procedures to minimize risks.