Four common infosec legal risks and how to mitigate them

· 4 MIN READ · MARC ZWILLINGER AND MARCI ROZEN · APR 24, 2019 · TAGS: Cloud security / Managed security / Management / Planning / Security Incident

Marc Zwillinger and Marci Rozen are attorneys at ZwillGen PLLC and are based in Washington, D.C. They both counsel clients on information security and privacy issues, handle incident response and advise on cross-border data protection. All views expressed in this article are the authors’ personal observations, and should not be attributed to ZwillGen, any of its other attorneys, or any of its clients.

With major data breach settlements capturing headlines every few weeks, most executives are well aware that security incidents pose legal and even existential risk to companies. But as regulatory interest in information security grows, companies face an increasingly broad and varied set of risks in this area.

Here are four missteps we see happen often that open fast-growing companies up to unnecessary legal risks. The good news? There are some straightforward ways to mitigate these risks.

Risk 1: Failing to implement risk-based security controls

As companies face increasing pressure to expand and deliver more convenient services, it can be tempting to prioritize speed over security. However, failing to maintain security controls that are appropriate to the risk posed by data can result in significant legal exposure. The EU’s General Data Protection Regulation (GDPR) and a number of state laws allow regulators to bring enforcement actions against companies that fail to maintain “reasonable” security controls for personal information. And the new California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, provides a private right of action to California consumers whose personal information is breached as a result of “unreasonable” security.


Despite the popularity of the term, there is no single definition of “reasonable” security, but there is consensus that “reasonableness” depends on the risk posed by the data in question. This is why companies should conduct a risk assessment for each type of dataset they maintain and implement risk-based controls, ideally using a recognized framework like the NIST Cybersecurity Framework.

Risk 2: Overlooking vendor security

Your company’s security is only as good as the security of the vendors that maintain or access your data. Vendors are a popular attack vector for attackers looking for a point of entry into large corporate networks, because a vendor’s defenses are often weaker than its clients’. Unfortunately, even if a breach is the result of a vendor’s subpar security, the data owner still bears legal responsibility for issuing breach notifications and providing credit monitoring (unless the contract with the vendor says otherwise) and for responding to regulator inquiries. Additionally, proper vendor selection is part of “reasonable” security, as described above.


Require your vendors to sign a robust information security addendum or provide other proof of a mature information security program, like a third-party audit report (e.g., SOC 2 or ISO 27001). In addition, your vendors should be required to notify data owners as soon as possible following a breach that affects the owner’s data. Ideally, your contract should also require the vendor to reimburse any costs associated with responding to such a breach, but many vendors will push back against these kinds of requirements.

Risk 3: Not documenting security practices – or failing to put your policies into practice

Even a company with state-of-the-art security practices faces risks if those practices aren’t documented in policies that are regularly reviewed and updated. Not only are information security policies required under various laws, including Massachusetts’ data security law and the New York Department of Financial Services cybersecurity regulations, but they’re also essential for IPO readiness. Conversely, it’s equally risky to establish policies that your company doesn’t follow, or to make unsupported security claims to potential customers. This opens your company up to allegations of deception. Companies considering going public must be prepared to disclose material cybersecurity risks in registration statements, and you should expect the underwriters conducting diligence to request copies of information security policies.


If your organization hasn’t implemented information security policies, you need to document what practices are currently in place, and consult with outside counsel or an independent security assessor to determine whether you need to make improvements to comply with applicable law or industry standards. If your company has already adopted information security policies, make sure they’re regularly reviewed by management and updated to reflect current practices.

Risk 4: Sidelining your legal team during incident response

As the team with technical expertise and first-hand knowledge of the facts of a security incident, it’s natural and appropriate for information security personnel to play a leading role when a security incident happens. However, with incidents that pose legal risk, legal teams (in-house, external or both) play an equally critical role. When legal teams direct and coordinate response efforts with the IT staff, your company will have the ability to claim privilege over communications and work product, including draft forensic reports if your providers are engaged under privilege. If you’re successful, these claims can protect interim, incomplete conclusions and other sensitive information from disclosure during litigation and some types of regulatory investigations. You’ll also want to involve your legal team to assess breach notification obligations and identify other areas of risk exposure throughout the incident response process.


Make sure your company has incident response plans that designate internal or external counsel as being responsible for directing incident response efforts and engaging all third-party vendors. Using outside counsel that specializes in incident response has the added benefit of bolstering privilege claims and lending additional expertise.

While there will always be unique legal risks associated with information security, the good news is that with some advance planning you can mitigate these and better protect your company, its data and the customers you serve.