It is not “if” but “when” your client will be the victim of a data breach. Yet despite the growing risks and a steady stream of high-profile breaches, many businesses remain woefully underprepared. Here’s how you can help your clients mitigate the risks associated with data breaches well before an incident occurs.
California law requires businesses to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect personal information from unauthorized access, destruction, use, modification, or disclosure.” CC §1798.81.5(b).
Here’s what you can do to help your clients meet these requirements and avoid a dreaded data breach:
- Advise directors and executives on cybersecurity oversight. Help directors and executives understand how their fiduciary responsibilities extend to cybersecurity. Advise the board and executives on evaluating, selecting, and implementing appropriate cybersecurity oversight mechanisms; review any oversight mechanisms already in place; analyze the gap between current policies and best practices; and help them establish the other mechanisms needed for a comprehensive enterprise risk-management program.
- Set up annual security and privacy training programs. Organizational preparation for a data breach may start at the top with management oversight, but adequate preparation requires a holistic view that also involves bottom-up efforts to train personnel and instill a culture of security throughout the organization. People, not technology, remain one of the most commonly exploited cyber vulnerabilities.
- Identify data risks. Because an organization’s data passes through many hands, you need to understand the organization’s assets and data: where sensitive data is located, the routes and destinations by which it is transmitted, the risks to which it is subject, and the controls required to protect it as it flows within and outside of the organization.
- Conduct due diligence review of vendors. A vendor that handles your client’s data is part of your client’s risk. Before contracting, make sure your client understands the vendor’s cybersecurity practices: review the vendor’s data security-related policies, procedures, and other controls, and help your client evaluate whether they are consistent with the client’s own requirements.
- Develop and test an incident response plan. Hold a dry-run exercise: select a hypothetical breach scenario and run through it with all key players in the data breach response, including the internal incident response team and third parties such as outside privacy counsel and forensic specialist firms. Document the response plan, maintain a roster of participants in the exercise, and review the plan at least annually, updating it as necessary.
- Review your client’s cyber insurance. Cyber insurance plays a key role in an organization’s overall strategy for mitigating risks related to data incidents. Traditional insurance policies have come to include limitations and exclusions that may preclude recovery in the event of a data incident, so identify the coverage gaps that matter given the nature of your client’s business.
This expert advice is from Once More Unto the Breach: How Counsel Should Help Clients Prepare for and Respond to Data Incidents by Sharon R. Klein and Alex C. Nisenbaum in the Spring 2016 issue of CEB’s California Business Law Practitioner. The article includes much more on an organization’s legal responsibilities with respect to cyber risk, how legal counsel can better prepare clients to mitigate risks before and during a data incident, and the legal obligations and issues that counsel must address with a client in navigating a data breach.
For more on the legal landscape of cybersecurity generally, turn to CEB’s Internet Law and Practice in California, chap 18. On cyber insurance coverage, check out CEB’s California Property Insurance: Law and Litigation §§17.66-17.68.
© The Regents of the University of California, 2016. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.