Cybersecurity wasn’t necessarily a significant issue for in-house counsel 10-15 years ago. But now, companies have many more obligations regarding information security and data privacy than they did even a decade ago. Initially, cybersecurity was an issue primarily for regulated companies. Then, companies with widespread consumer contact found themselves having to meet greater regulatory burdens. Today, though, cybersecurity is an issue for virtually every company, and it is important that those efforts fit into a corporate compliance and ethics program.
Mapping Your Data to Your Obligations
- Who requires special treatment of certain business information?
  - State and federal laws.
  - International privacy rules (GDPR, etc.).
  - Regulatory authorities.
  - Business and government contracts: companies and governments require contractors to meet certain privacy standards in their agreements.
  - Litigation/investigation holds and requirements.
  - Trade secrets: if you can’t protect your own trade secrets, the state isn’t going to recognize those IP rights.
- You must find what information you have and how it matches your obligations and requirements. Not everything you have must be treated the same way.
- Identify who has access to your data and where it is stored.
In-House Considerations
- Is your industry regulated? Who are those regulators, and what do they expect of you?
- Do you take payments? If so, the information around those payments must be protected, and industry regulations for credit card payments also apply. Smaller companies may want to consider a third-party payment processor.
- Do you offer a health plan? If so, you may fall under HIPAA.
- Does your business interact with children? Specific laws deal with children’s privacy.
What Type of Data to Identify?
- Personal Health Information (PHI). But only certain information collected in specific circumstances. Example: a DNA swab sent to a family ancestry tracking website isn’t protected in the same way as the same swab collected by a physician.
- Personal Credit Information (PCI).
- Personally Identifiable Information (PII) of consumers. May or may not be protected in the U.S., depending in part on usage. A privacy policy should accurately describe how data is used.
- Customer and price lists.
- Salary and compensation information.
- Client or customer account information.
- Trade secrets and intellectual property.
- Data stored in a prohibited jurisdiction (e.g., data subject to European Union data protection laws stored in the United States).
- Content subject to legal hold or regulatory retention obligations.
Data Disposal Laws
- Approximately 2/3 of states have data disposal laws.
- Data holders must take “reasonable measures” to dispose of records with personal information at the appropriate time.
- Disposal means shredding (paper), erasing, or modifying records to make them unreadable or undecipherable. “PI” is name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state ID card number, insurance policy number, education, employment, employment history, bank account number, credit/debit card number, or any other financial information, medical information, or health insurance information.
50-State Breach Notice Laws
- Do you carry personalized data (ID + account)?
- Do you have a contingency plan for data recovery?
- Who is on your strike team? Identify the key job titles that will be pulled into an incident response. Figure this out before an incident happens.
- Have you retained outside forensic/legal counsel?
- Are you insured? Cyberinsurance has vastly improved in recent years. You can choose to use your own lawyer with the insurance company.
Data Security Standards
- Reasonableness for current technology and the sophistication of the organization. This constantly changes and varies greatly from business to business, so a company’s standards must constantly evolve; technology and risks are ever-changing.
- Include policies, procedures, training, and technology.
- The FTC and SEC focus on security as an operational function.
- The FTC is also concerned with disaster recovery/contingency planning. This planning is critical.
In-House Considerations
- No such thing as absolute security.
- Need a written data security policy for some states.
- Document, document, document.
- Show you were reasonable.
- Get a third-party assessment to ensure your security plan is reasonable.
- There will always be a queue for security needs, so be careful about documenting security wish lists.
- Data Map—What do you hold? Who manages this data? Who can access this data? Where is it held?
- Where is sensitive data likely to be held?
  - Sales/Marketing/Customer Service
  - HR
  - R&D
In-House Considerations: Policies
- Contingency planning/disaster recovery/data breach.
- Data life cycle/retention/destruction. Don’t keep sensitive data any longer than you have to.
- Information access limitations. Only people who need access to sensitive information should have it.
- Meeting reasonable data security standards.
- Data contracting policies with vendors.
  - SaaS contracts: fixed-cost data return. Make sure you can get your data back from vendors. Include a data security addendum, as well as injunctive relief and painful liability limitations.
- Acceptable promises to customers.
  - Don’t agree to it if you aren’t doing it.
- Understand regulatory requirements.
“The Brief” provides Compliance and Ethics Network members with a brief overview of highlights and key points covered in the monthly Legal Quick Hit. The full recording of this presentation can be found on the ACC website.