Privacy concerns will continue to be a major business risk in 2016—after massive data breaches have taken place annually for several consecutive years.
Brian McGinnis, an attorney at Barnes & Thornburg, recalls how every recent year has seen very large, well-publicized data breaches, as well as smaller cybersecurity incidents.
“It's really something companies need to be paying attention to,” McGinnis says about privacy and security risks. “All companies are targets.”
Because breaches and hacks will continue, often the best a business can do is prepare, so that it can recover quickly after an incident.
Internally, that means having a team in place that handles privacy and security issues. It should have representatives from different parts of the company, not just IT staff. The business also needs a named person who is responsible for privacy and security; many companies now have a chief privacy officer.
“There should be a designated individual responsible for evaluating and addressing privacy concerns,” advises Amanda Gratchner, global privacy officer and senior counsel at Navex Global. “That individual should be involved in the development of any new products and services to evaluate whether any privacy considerations exist. This approach is generally referred to as ‘Privacy by Design,’ since it incorporates privacy into the product development lifecycle, rather than performing a privacy evaluation after the product is fully developed.”
Part of the external preparation is to have legal counsel, specialized IT consultants, as well as forensic technology and public relations firms already in place—before a company experiences a breach.
“Know who you are going to call and what you are going to do,” McGinnis advises general counsel and their companies. For instance, remember to call an attorney quickly after a breach to get attorney-client privilege in place. The lawyer also can advise the company about reaching out to the Federal Trade Commission (FTC), other regulators or to attorneys general—who may want to investigate these incidents.
In fact, McGinnis says regulators like to have existing relationships with organizations ahead of any incident. McGinnis has heard FBI officials say, by the time a company learns about a breach, “we already knew about it.”
McGinnis recognizes that some companies have a fear that regulators will find out the business did a “bad thing.” But often it “pays to work with” regulators, McGinnis says, by “opening the dialogue.”
Steven Roosa, an attorney at Holland & Knight, agrees that regulators like the FTC or the Federal Communications Commission will continue to address privacy and data security issues. The U.S. Court of Appeals for the Third Circuit recently sided with the FTC in FTC v. Wyndham Worldwide Corp., and validated the “FTC's authority to pursue investigations of poor privacy as an unfair or deceptive practice,” says Bruce Heiman, an attorney at K&L Gates.
As a result of this ruling, he advises, it now “behooves companies to review the FTC's cases to determine what the agency is requiring by way of reasonable and appropriate cybersecurity plans and practices.”
Preparation is key. “There is certainly an expectation, both in the US and internationally, that the government and regulators want to see organizations make a good faith effort to protect the information in their possession and validate the measures they have put in place,” Gratchner says. “This validation can take the form of internal assessments or third party assessments. These assessments should help ensure that an organization is in compliance with its own stated policies, as well as with all applicable laws. Organizations that can demonstrate they have made an effort to assess their compliance may see lower fines than their counterparts who simply ignored or ‘checked the box’ with regard to their privacy compliance.”
A key part of internal preparations for cyber incidents is the need to be proactive and continually review protocols and policies as technology and government regulations change.
McGinnis says every business needs a written information security program. He says it addresses such questions as: How do we store sensitive data? How do we treat sensitive information? Do we give important data higher security? What data is the company collecting? Where does it come from? Does the benefit from having the data justify the risk for storing the information? How is data collected and transferred?
Here is a practical example of how companies can reduce privacy risk. Some businesses identify customers by Social Security numbers. Instead, they should assign customers their own ID numbers, so that the company does not have to store Social Security numbers at all and does not run the risk of their being exposed in a breach.
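The surrogate-ID approach above, and the “only employees who need the data” rule discussed later in the article, as an added worked example in Python. This is not code from the article or from any of the firms quoted; the class and field names, the vault layout, and the HMAC key are assumptions for illustration. The idea is that the ordinary customer system stores only a random customer ID, while the one place that still holds Social Security numbers is a separate, access-logged vault that indexes them by a keyed hash rather than in plaintext, so that a dump of the customer system contains no SSNs.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional


def _digits(ssn: str) -> str:
    """Normalise '123-45-6789' to '123456789' and validate the length."""
    d = "".join(ch for ch in ssn if ch.isdigit())
    if len(d) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return d


class SsnVault:
    """Hypothetical vault holding the only copy of the SSN-to-ID mapping.

    It is assumed to live on a separate system with its own access list,
    and the HMAC key is assumed to come from a KMS/HSM, never from the
    customer-facing application.
    """

    def __init__(self, lookup_key: bytes) -> None:
        self._key = lookup_key
        self._by_fingerprint: dict[str, str] = {}  # HMAC(SSN) -> customer ID
        self._ssn_by_id: dict[str, str] = {}       # customer ID -> SSN
        self.audit_log: list[tuple[str, str, str]] = []  # (id, who, why)

    def _fingerprint(self, ssn: str) -> str:
        # Keyed hash: lets us detect a duplicate enrolment without storing
        # the SSN in the index. A plain SHA-256 would not do here, because
        # a nine-digit number is trivially brute-forced without the key.
        return hmac.new(self._key, _digits(ssn).encode(), hashlib.sha256).hexdigest()

    def enroll(self, ssn: str) -> str:
        """Return the customer ID for this SSN, minting one on first sight."""
        fp = self._fingerprint(ssn)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        # Random, not derived from the SSN, so the ID leaks nothing.
        customer_id = "C-" + secrets.token_hex(8)
        self._by_fingerprint[fp] = customer_id
        self._ssn_by_id[customer_id] = _digits(ssn)
        return customer_id

    def reveal(self, customer_id: str, requester: str, reason: str) -> Optional[str]:
        """Return the SSN for a customer ID; every call is audit-logged.

        Who may call this is enforced outside this class (the vault's own
        access list); the log is what lets that be reviewed afterwards.
        """
        self.audit_log.append((customer_id, requester, reason))
        return self._ssn_by_id.get(customer_id)


class CustomerDirectory:
    """The ordinary business system: keyed by surrogate ID, never by SSN."""

    def __init__(self) -> None:
        self.records: dict[str, dict[str, str]] = {}

    def add(self, customer_id: str, name: str, email: str) -> None:
        self.records[customer_id] = {"name": name, "email": email}

    def dump(self) -> str:
        """What an attacker would get from this system's database."""
        return repr(self.records)


_SSN_PATTERN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def contains_ssn(text: str, ssn: str) -> bool:
    """True if the given SSN (with or without dashes) appears in text."""
    target = _digits(ssn)
    return any(_digits(m.group()) == target for m in _SSN_PATTERN.finditer(text))


if __name__ == "__main__":
    # Constructed sample data; not a real person.
    vault = SsnVault(lookup_key=secrets.token_bytes(32))
    directory = CustomerDirectory()
    cid = vault.enroll("123-45-6789")
    directory.add(cid, "Alice Example", "alice@example.com")
    print("customer record:", directory.records[cid])
    print("dump contains SSN:", contains_ssn(directory.dump(), "123-45-6789"))
    print("vault reveal:", vault.reveal(cid, "payroll-clerk", "W-2 filing"))
    print("audit log:", vault.audit_log)
```

Re-enrolling the same SSN returns the existing ID because the keyed fingerprint matches, and a copy of the directory can be handed to marketing, analytics or a breached server without a single SSN in it. If the vault itself is breached, the fingerprint index is only as strong as the secrecy of the HMAC key, which is why the key must not be stored alongside it.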
Another example is to be wary about collecting too much data. Gratchner says organizations often collect more sensitive data than they need. “Generally speaking … only collect the amount and type of personal data necessary to perform the service or function for which they were engaged,” she says.
Another part of an information security program is an incident response plan. It can be kept as a computer file or as a hard copy in a binder, and it sets out what to do if a cyber incident takes place: how to avoid destroying evidence, how to involve counsel early in the process, and how to preserve attorney-client privilege.
Communication among different company departments also needs to be a goal, to reduce risk. Barriers between legal staff and other departments should be broken down. For instance, attorneys need to be involved in discussions at the conceptual and design phase of new products, or when entering new markets, Roosa says.
As the Internet of Things (IoT), with its use of machine to machine communications, becomes increasingly popular, there are many concerns about sensitive data there, as well. For example, wearable technology may collect sensitive health-related data. Roosa also points out that many household devices may become part of the IoT. Managing their privacy and security risks may be hard to get one's “arms around,” he says. It could be hard to patch systems or even quantify risk, he adds.
Moreover, there are some special concerns at the board level. The general counsel needs to make sure top officials in the C-Suite understand the risk to the company and, potentially, to each of them personally.
“Directors and Officers (D&O) insurance may not be the ultimate safety net that many think that it is,” Norma Krayem, a senior policy advisor at Holland & Knight, says. “At the end of the day, the risk has to be managed at the general counsel and C-Suite level.”
It is important that there is buy-in for cybersecurity precautions at the board level, too. The board needs to show the company as a whole is addressing the issue.
For instance, one of the steps should involve the training of employees regarding phishing emails. They need to know how to spot them and not to click on them.
It is also useful to have practice drills as part of training sessions. “Employees are the first line of defense for businesses,” McGinnis says.
In fact, often they are the first ones to find out about breaches. They may suddenly see they have access to a drive for no apparent reason and it has nothing to do with their job. Give them the same words of advice used to prevent terrorism—“if you see something, say something.”
If companies hold tabletop exercises as part of the training, Roosa recommends involving attorneys so that attorney-client privilege applies, especially if troublesome practices are revealed. That way, he explains, the exercise does not turn out to be “Exhibit A” in some kind of lawsuit.
From a wider outlook, Gratchner says that employee training should identify:
Risks to the business (both financial and reputational) posed by sharing confidential or personal information and other secret data.
Laws applicable to the business and the employee's obligations in complying with the laws.
Real-world examples of what can happen when information is not kept confidential.
Employees should also be trained on the organization's approach to privacy and its policy on sharing the information that it collects.
Moreover, she says education of employees coupled with technical and physical safeguards are the best ways to ensure protection of information.
“This includes protecting consumer information through the use of technological tools like encryption and firewalls, as well as organizational measures such as limiting employee access to personal data,” Gratchner says. “The only employees who should have access to personal data are those who need the data to perform their job function.”
Hotlines are also a good way to get anonymous reports from employees. The information collected should go to the general counsel or some other appropriate person. Without such a process, many employees who had a role in an incident may fear being fired and remain silent, McGinnis says.
Another concern relates to the instinct of IT staff. If there is a breach, IT staff may want to “fix the problem.” Be forewarned. “They call it ‘fixing the problem’,” McGinnis said. “We call it destroying evidence.”
One good way to prevent this is to make early contact with an outside IT forensics firm. It can investigate while knowing enough not to destroy evidence, McGinnis says.
Moreover, there are special risks for companies when they are in the process of acquiring other businesses. “General counsel need to review [M&A related] agreements with an eye toward privacy and security,” McGinnis says. When mergers and acquisitions take place, the acquiring company is also merging with the “culture of that company,” McGinnis says. That means getting them up to speed on privacy and security issues.
When reviewing contracts or other business agreements, too, attorneys need to watch for issues such as limitation of liability or indemnity. Review new contracts from a privacy and security perspective, McGinnis advises.
It is also vital for companies to protect their intellectual property portfolio. So, for instance, do not store it in a Dropbox folder, McGinnis says. He also recommends including in a policy what can be stored in the cloud.
What companies find is that in most sectors there is a “patchwork” of standards and practices in the United States when it comes to responding to breaches. For example, for most industries there is no single standard for breach notification, because there are 47 different state laws.
More regulations are likely from other nations, too. In December, Gratchner said the EU was to soon issue a data protection law, and it “will dramatically shift the privacy landscape for those organizations with operations in the EU and for organizations doing business with EU consumers.”
Transfers of data between the United States and Europe are also a concern now that a European court has invalidated the earlier Safe Harbor framework. A replacement was being negotiated in December.
So when looking at 2016 remember to keep privacy issues on the front burner.
“Privacy issues and data security/cybersecurity risks can no longer be relegated to some corner of the corporation any longer,” Krayem says. “…Security issues have to be paramount concerns.”