Asking how to protect data is similar to asking “which is the best lock?”.
Typically, a variety of security measures are recommended to create layers of protection. The first step in protecting data is identifying your assets and vulnerabilities. Begin by listing which technology your company already uses, how it is used and the goals technology strives to achieve. A few starting questions include the following:
- Does the company use the cloud?
- Who is the cloud service provider? What is in the SLA?
- Does the company permit BYOD (bring your own device)?
- Who has access to company’s information? Who needs access and does everyone need equal access?
- Does the company use encryption?
- Does the company use passwords?
- What type of information does the company handle (i.e. regulated)?
- What does the company need technology to do? Is status quo working to achieve the company’s goals?
Once you’ve answered questions like those listed above, you are ready to begin proactive protection.
There are many products and services that can address your needs. It takes time and research, but if you have narrowed down a list of needs, it should be easier to shop for the appropriate tools. The person making these lists and evaluating the needs of the company are the people with decision making authority. If your company has a board, the discussion begins at the board level. Ultimately, the board could be liable for failing to consider cyber protections.
Are we safe yet?
Data protection will be constant, requiring regular monitoring and tweaking as risks shift and evolve. There must be a system in place for detecting a breach. Despite having proactive, preventative safeguards in place, the risk of a breach still exists. By implementing preventative safeguards, you help lesson the severity of a breach. To help protect against liability, it is helpful to have taken reasonable steps to mitigate or avoid a breach in the first place. A few options for monitoring include:
- Inhouse technology team to monitor changes in legislation and risk
- Outside experts perform routine audits to monitor the protections
- Software to identify threats
- A tech expert on the board
Ultimately, business owners or the board will be responsible for either managing the risk or allocating the duty elsewhere to an individual or to a special department. A failure to even consider these risks could result in director and officer liability.
Is all a wasted effort in the event of a breach?
A breach is possible regardless of the proactive steps taken by the company. [Insert your favorite lesson about how life is not always fair.] However, your proactive steps could lesson the blow. If you have taken reasonable steps in implementing security measures, you may have met your responsibilities and could avoid liability.
Coping with a breach.
The occurrence of a breach is not a game-ender. You can recover. First, you must have a procedure in place to handle a breach. The following are areas that should be included in a comprehensive breach reaction plan.
- Detection of the breach
- Accessing damage
- Disclosure of the breach
- Cybersecurity liability insurance
Included in the details of your company policy should be who you call and when you call them. Your company attorney should be among those at the top of the call list.
- Business decision-makers should pay attention to how technology is used in the company and know what protections are in place. The decision-makers should regularly evaluate these protections and implement necessary changes.
- Regularly conduct routine risk assessments. Keep track of the technology being used and the data involved.
- Regularly monitor for a breach and have an action plan.
- The action plan must include a procedure for mandated disclosures.
- Keep current on state and federal laws regarding technology use. Regularly educate your employees and board members on current policy and procedures.
- Keep looking forward.