Highly publicized data breaches and newly enacted statutory and regulatory requirements (e.g., GDPR, CCPA and breach notification statutes in all 50 states) are focusing attention on data and information security risks and incident response preparedness.
Likewise, most (if not all) business transactions are now conducted using digital technology and electronic communications. The recognition that all organizations are vulnerable to numerous information risks has underscored the critical need to identify and manage these risks as part of an information security program.
A clear understanding of information risks and how various information security obligations apply to an organization requires ongoing conversations between various business units and the chief information officer managing the company’s information technology systems.
These conversations are difficult when the novelty, complexity and evolving nature of computer technology tools create an ever-steeper learning curve. When technology is so new, there is often a lack of shared understanding between the business units and the CIO.
Below are several important issues to be discussed throughout the organization in trying to move toward an effective information security and governance program.
1. Show me our data
Has the company created a document or series of documents that maps information (visually and otherwise) and does the following:
(Where) Catalogs the locations where information is stored;
(What) Inventories information by type, topic, business unit, etc.;
(Who) Identifies those responsible for managing information; and
(Why) Classifies information by its sensitivity, usefulness or other measure of value.
If you don’t know what information you store, where and how you store it, and who and what is responsible for protecting that information, then you can’t quickly or effectively respond when information goes missing or is compromised. Especially now that every state requires some degree of protection for non-public personal information (NPI), an organization must identify the NPI for which it is responsible to protect it.
Understanding the “information environment” will serve the organization well if an incident occurs. This document is also useful for mapping the legal and regulatory obligations applicable to NPI and other sensitive information. Those organizations subject to litigation or other legal hold (the requirement to preserve certain documents and information) have learned quickly that an accurate data map makes the implementation and management of those holds a substantially less painful exercise.
2. What are the threats to our data?
Has the company acted in the last six months to identify and address vulnerabilities in its security program? Understand and communicate what information risks a company faces, such as the likelihood and potential damage associated with a data breach or other event that threatens critical systems. Articulate what measures are in place to assess and address these risks. Create a schedule to revisit or repeat assessments, penetration tests, or audits on an ongoing basis, mindful that technology tools and threats evolve.
3. Where’s our data going?
Determine what vendors will have access to NPI and other sensitive data. Make sure the organization has a written agreement with each such vendor addressing responsibility if an information incident occurs. Require vendors to implement and maintain data security controls, and to indemnify the organization if a data breach occurs.
4. How are we controlling access to data?
Ensure that the principle of least privilege -- an employee only has access to that data necessary for her to perform her job -- applies throughout the organization. Giving employees access to the organization’s NPI outside of their normal job function can create a potential information security threat. Use the data map and the way the organization has classified information to ensure that access is appropriately limited.
5. How do we protect the sensitive information we store and share?
When the organization stores sensitive information or sends that information outside the organization, are encryption technologies employed to secure that information? Does NPI travel outside the company while stored on a laptop computer or other portable computing or storage device or media? If so, then consider requiring that all such devices and media be encrypted. Likewise, if employees work remotely and have access to NPI, secure those remote connections to the company network. Encryption is rapidly becoming a “best practice,” and is considered a “safe harbor” under some breach notification statutes.
Conversations about information security risk can be uncomfortable, especially when so many other urgent issues fill the business day. However, in a world where business is conducted electronically, these risks are real and growing. Actively addressing information risk will position your organization not just for legal and regulatory compliance, but also for safer and more effective use of information assets.
David Katz is a partner at Adams and Reese. His practice encompasses privacy law and compliance, data security, data management and data governance, vendor management, corporate governance, crisis management, regulatory compliance and ethics.
Jack Pringle, partner at Adams and Reese, counsels clients in matters relating to privacy, information security, information governance, administrative and regulatory law, public utilities, securities, and class action litigation.