In 2012, then FBI Director Robert Mueller said, “There are two types of businesses, those that have been hacked and those that will be.” Today, a decade later, that statement is even more relevant.
As a General Counsel, you should be an active member of your company’s cybersecurity team. Other team members may include your information security officer, your chief technology officer, and your compliance officer. If your business has a smaller footprint and lacks some of those roles, an HR representative, C-suite staff, and an information technology representative should be included on your team instead.
A great first step in upgrading your cybersecurity hygiene is to perform a data inventory for your business. The inventory maps, among other things, what data you hold, where it resides (internally or with a vendor), and who has access to it. Next, consider performing a risk assessment to weigh the costs and benefits of how you treat your data and to identify vulnerabilities in the way the data is secured. During this process, consider adding protective measures to reduce the risks you identify. The assessment should be documented and updated whenever your data processing or business operations change.
Once the risk assessment is complete, you can advise your company to put in place a Written Information Security Program (WISP) or to update its current program. Creating and maintaining a WISP is a testament to your company’s commitment to cybersecurity. Typically, a WISP contains your risk assessment along with the following plans and procedures:
- Critical Incident Response Plan (CIRP). A CIRP allows you to prepare for and respond effectively to a security incident in your business. It should include your:
  - Security incident detection and identification framework
  - Methods of escalating incident communications to your response team
  - Summary of notification obligations, including those under applicable breach notification laws, your insurance policy, and your contracts with customers, suppliers and business partners (many of these carry short deadlines, so note them in advance)
  - Contact list for outside forensic experts and outside lawyers, with engagement terms agreed ahead of time (don’t be caught negotiating service contracts in the middle of an incident – you don’t have time)
- Retention policy. A retention policy sets a schedule for disposing of data once there is no longer a legitimate business need for it. Not only are retention policies required by certain laws, but they also reduce the amount of data a business holds and therefore the potential damage from a data breach. The policy should clearly document:
  - What data the policy covers
  - How long each category of data should be kept
  - What specific disposal methods are acceptable
A risk assessment should be conducted and documented when determining the retention period for each category of data.
Just as important as planning for a natural disaster is planning for a cybersecurity crisis. Rehearsing your incident response and updating your company’s WISP at least annually is essential to minimize the impact of a security incident.