GUEST BLOG: Cybersecurity Compliance Just Got Tougher

21 April 2016 Internet, IT & e-Discovery Blog Blog
Authors: Peter Vogel

My Guest Blogger Nick Akerman learned about Cybercrime as a federal prosecutor where he prosecuted a wide array of white collar criminal matters, including bank frauds, bankruptcy frauds, stock frauds, complex financial frauds, environmental crimes and tax crimes. Nick was also an Assistant Special Watergate Prosecutor with the Watergate Special Prosecution Force under Archibald Cox and Leon Jaworski.  Dan Goldenberger is Nick’s partner at Dorsey.

Companies need specific, well-executed plans to meet growing demands of federal and state agencies.

By:  Nick Akerman and Dan Goldberger

While cybersecurity risks have increased, government regulation has traditionally  lagged behind.   Recently, some government  entities have tried to catch up by mandating that companies take a proactive approach toward protecting personal and competitively sensitive data. The move is a departure from the traditional reactive response of simply notifying consumers after their personal data is breached.

With this shift in emphasis, companies are asking the obvious questions:  “What are we expected to do and what is a proactive cybersecurity compliance program?”

Both on the state level and through federal regulatory agencies, the government is beginning to dictate a comprehensive compliance approach to data protection.   Late last year, the U.S. Securities and Exchange Commission’s Cybersecurity Examination Initiative directed broker-dealers to “further  assess cybersecurity preparedness in the securities industry.”  Thus, the SEC announced that it “will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.”

In January, the Financial Industry Regulatory Authority announced that in reviewing a securities firm’s approaches to cybersecurity risk management its examinations may include “governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training.”  On the state level, Massachusetts is the only state thus far to require all businesses that store personal data of its residents to secure that data through a compliance program modeled after the federal sentencing guidelines.

The framework under the federal sentencing guidelines is the gold standard for an effective compliance program.  Having expanded well beyond its original goal of detecting and preventing criminal activities, it is fast becoming the corporate framework to protect data.  These guidelines establish seven steps for companies to follow:  first, promulgate standards and procedures; second, establish high-level corporate oversight including the board of directors that must provide adequate funding  of the program in proportion to the size of the company and the risk; third, place responsibility with individuals who do not pose a risk for unethical behavior;  fourth, communicate the program to the entire workforce; fifth, conduct periodic audits of the effectiveness of the program; sixth consistently enforce the polices; seventh establish mechanisms for reporting violations.

COLLABORATION IS CRITICAL

Because a compliance program must be tailored to an organization’s culture, it is critical to its success that all data-protection stakeholders collaborate in its creation and daily operation.  This means that data compliance is not just an issue for information-technology security.  Other stakeholders include human resources and legal, which are responsible for company rules, employee agreements and training,  and may assist in responding to company data breaches; risk management, which may determine, along with legal, the adequacy of the company’s cyber insurance; and compliance, which is often the logical focus of the company’s data protection efforts.

Stakeholders in turn should focus on six areas of risk when developing a company-specific compliance program to minimize the risks posed by each area.

First, hiring is the time to explain to new employees the rules in place to protect the company’s data.  Additionally, companies must approach hiring defensively, ensuring new employees do not bring into the workplace data that belongs to a competitor that  can result in civil or criminal liability.

Second, company rules and policies should spell out what  employees can and cannot do with the company network and form the  foundation of top-to-bottom workforce training.  At least one court has recognized that such “explicit policies are nothing but security measures employers may implement to prevent individuals from doing things in an improper manner on the employer’s computer systems.”  (American Furukawa v. Hossain).

Third, agreements with employees and other third parties are a key component of data protection.  Employee agreements are an opportunity to reinforce the lack of an expectation of privacy in using company computers and define the scope of authorized  access.  When company data is outsourced to a cloud provider, agreements formalize the responsibilities of that third party to protect the company’s data.

Fourth, technology can be employed not only to secure data but to define who is authorized to access what portion of the network and provide admissible evidence of a breach.  Information-technology security, working with legal, can prepare mechanisms to capture audit trails in the network that can be used to identify the source and scope of a breach.

Fifth, effective termination procedures are critical.  This is when insiders are most likely to steal company data to use at their next  job.  This is also the last opportunity to remind departing employees of their post employment obligations to maintain the secrecy of company data, to return  all company data and for the company to inventory the data returned.

Finally, if a breach occurs, it is important to have protocols in place to quickly determine the scope of the breach and the appropriate response.  Companies must therefore have in place an overarching plan to investigate suspected  breaches and to mobilize internal and external resources.

For a data-compliance program to work consistently, it must be a collaborative effort among all stakeholders and comprehensively focus on mitigating the risks to the company’s data from multiple and unexpected sources.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Authors

Related Services