Imagine. You wake up bright and early to get a jumpstart on the day. You flip on the TV and staring you in the face is the news every lawyer dreads. Your company has fallen prey to a data security breach. You pinch yourself only to realize you are not dreaming. You’re in the midst of a living nightmare.
It’s a scenario we all want to avoid. Fortunately, there are steps you can take to help keep your company safe at a time when no company seems to be.
Companies of every size are falling prey to data security breaches
In 2013, the number of recorded data security breaches rose 30 percent from 2012, according to the Identity Theft Resource Center. In the first quarter of 2014 alone, the same organization identified 204 breaches for a loss of 4,238,983 records related to sensitive personal information. No company, no industry, is safe.
Household brands ranging from Coke and Home Depot to P.F. Chang’s and Snapchat all succumbed to breaches earlier this year. If you don’t have a plan, you are far more likely to find your company making the headlines as well.
How in-house counsel can help safeguard your company’s data
Whether you are the general counsel or staff counsel, at every level in a legal department, the matter of data security should be on your mind. Any legal role you play in an organization will impact or involve data on some level. Here are six steps, as counsel, you can recommend your company take to protect against theft, hacking, and other causes of data security breaches:
1. Classify your data
Before you can determine how to protect data, you have to understand what data you are trying to protect. The company needs to conduct an internal inventory for this. Find out what data resides within your company, where it lives, and how valuable or sensitive it is. Then sort it into tiers: what is public (e.g. press releases), what is internal (e.g. the intranet), what is confidential (e.g. corporate financial forecasts), and what is restricted (e.g. customer payment card data and Social Security numbers). Keep in mind that some categories carry obligations of their own: payment card data falls under PCI DSS, and Social Security numbers trigger breach-notification statutes in most states, so the law may set a floor on how such data must be handled regardless of how the company would otherwise rank it. Understanding which tier each asset belongs to will allow you to build appropriate levels of protection. Data also comes in many forms: electronic records, backups and logs, paper, pictures, etc., and each form needs the same classification.
2. Establish clear policies around how data is used
Once you have a handle on what kinds of information your company houses, you can begin to create policies around how it is used. This is no easy task, but it is a critical one.
Ask these preliminary questions: Where does the information live and how is it collected and accessed? When is it acceptable to share data and what does this process look like? What physical considerations are there? What data should never be transmitted, and what should always be encrypted, both in transit and at rest? How is data discarded or destroyed? No matter how large or small your company is, security policies provide the framework for keeping your data, and your company, safe.
3. Identify who has access to data and then secure these touch points
The next key question is who has access to data. You need visibility into who can reach what information, including service accounts and vendors, not just employees. The reality is, in business, not all roles are created equal: people in different positions merit different levels of access, if any. The guiding principle is least privilege. Determine who needs what levels of data to do their job, grant only that, and put controls in place where needed. Then close the gaps that accumulate over time: accounts of people who have left, shared or default credentials, standing administrator rights nobody reviews, and access that was granted for a project long since finished.
4. Engage the entire company
News flash: Data security is not an IT issue. It’s a company-wide concern. Perhaps there’s no better proof of this than the departure of Target’s CEO after the retailer’s extensive breach last year. Everyone from the CEO down plays a role in data security. As in-house counsel, you can get the right people talking and keep dialogue open and ongoing. Security rests on everyone’s shoulders. The right security practices at all levels can protect the company’s business from major losses and your company’s brand from an embarrassing blemish resulting from a publicized data breach.
5. Focus on external partners
In considering how to keep your company safe, you have to go a step further into relationships with third parties. You have to reach across all teams, and beyond company walls. A third party that holds your data or has credentials on your network is part of your attack surface: a vendor’s compromised account can be the attacker’s way in just as surely as a flaw in your own systems. Be sure to include partners, vendors, affiliates and customers when it comes to creating and reinforcing your data security practices, and make the security obligations explicit in the contracts that govern those relationships.
6. Enforce, review and update security policies on an ongoing basis
Having a policy is not enough; it must be a living plan. Communicate policies. Hold people accountable. Put controls in place. Revisit what’s working and what’s not. Clean up legacy relationships, and revoke the access that came with them. Keep your policy current. Bottom line: constantly and consistently “mind the store.” Data security is an evolving landscape and these issues must be revisited regularly over time.
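Steps 1, 3, 5 and 6 together describe a periodic access review: compare who currently holds access against the data classification, the role entitlements, and the roster of current employees and vendors, and flag anything that no longer fits. The script below is an added example (not part of the original article and not the work of any company named in it) of what such a review looks like when it is automated. All asset names, roles, principals and grants are constructed, hypothetical data.

```python
"""Added example: a minimal access review reconciling grants against
data classification, role entitlements and an active-principal roster.
All names and data below are constructed for illustration."""
from dataclasses import dataclass

# Step 1: classification tiers, ordered least to most sensitive.
TIERS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed inventory of data assets and their classification.
ASSETS = {
    "press-releases": "public",
    "intranet-wiki": "internal",
    "quarterly-forecast": "confidential",
    "customer-payment-db": "restricted",  # card data: PCI DSS scope
    "hr-ssn-records": "restricted",       # SSNs: breach-notification trigger
}

# Steps 2 and 3: the highest tier each role may touch ...
ROLE_CEILING = {
    "employee": "internal",
    "vendor": "internal",
    "finance": "confidential",
    "payments-engineer": "restricted",
    "hr": "restricted",
}

# ... and, for restricted assets, the roles with a need to know.
NEED_TO_KNOW = {
    "customer-payment-db": {"payments-engineer"},
    "hr-ssn-records": {"hr"},
}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    active: bool  # False once the employee leaves or the vendor contract ends


@dataclass(frozen=True)
class Grant:
    principal: str
    asset: str


def review_access(principals, grants):
    """Return (principal, asset, reason) for every grant that should be
    revoked, or that points at data the company has not yet classified."""
    by_name = {p.name: p for p in principals}
    findings = []
    for g in grants:
        p = by_name.get(g.principal)
        if p is None:
            findings.append((g.principal, g.asset, "principal not in roster"))
            continue
        if not p.active:  # step 6: legacy relationships still holding access
            findings.append((g.principal, g.asset, "inactive principal still holds access"))
            continue
        tier = ASSETS.get(g.asset)
        if tier is None:  # step 1: cannot protect what is not classified
            findings.append((g.principal, g.asset, "asset has no classification"))
            continue
        ceiling = ROLE_CEILING.get(p.role)
        if ceiling is None:
            findings.append((g.principal, g.asset, f"role {p.role} has no entitlement"))
            continue
        if TIERS[tier] > TIERS[ceiling]:
            findings.append((g.principal, g.asset, f"{tier} exceeds {p.role} ceiling of {ceiling}"))
            continue
        if tier == "restricted" and p.role not in NEED_TO_KNOW.get(g.asset, set()):
            findings.append((g.principal, g.asset, f"{p.role} has no need to know"))
    return findings


# Constructed roster (employees and a vendor) and the grants currently in force.
SAMPLE_PRINCIPALS = [
    Principal("alice", "finance", True),
    Principal("bob", "employee", True),
    Principal("carol", "payments-engineer", True),
    Principal("dave", "hr", True),
    Principal("hvac-vendor", "vendor", False),  # contract ended, access never revoked
]
SAMPLE_GRANTS = [
    Grant("alice", "quarterly-forecast"),    # fine: finance may see confidential data
    Grant("alice", "customer-payment-db"),   # restricted exceeds the finance ceiling
    Grant("bob", "press-releases"),
    Grant("bob", "intranet-wiki"),
    Grant("carol", "customer-payment-db"),   # fine: explicit need to know
    Grant("carol", "hr-ssn-records"),        # right tier, but no need to know
    Grant("dave", "hr-ssn-records"),
    Grant("hvac-vendor", "intranet-wiki"),   # inactive vendor
    Grant("eve", "quarterly-forecast"),      # nobody on the roster
    Grant("bob", "old-crm-export"),          # asset nobody classified
]


def sample_findings():
    return review_access(SAMPLE_PRINCIPALS, SAMPLE_GRANTS)


if __name__ == "__main__":
    for who, what, why in sample_findings():
        print(f"{who:12} {what:22} {why}")
```

Run against real data, the roster comes from HR and vendor management, the grants from the identity provider and each system's own access lists, and every finding becomes a revocation ticket or a classification decision. The point of the exercise is step 6: run it on a schedule, not once.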
In the information age, every organization must be extra vigilant to ward off cyberattacks, leaks, and malicious or careless insiders. With information growing at an exponential rate, maintaining a high degree of data security can seem like a long shot. It doesn’t have to be. As in-house counsel, you can help your organization prepare, take action, and step into a role as a key leader in keeping your company and its data safe.