The fact that data breaches are becoming a routine occurrence in the life of a business is no surprise considering the drastic increase over recent years in the volume of data that companies maintain. While routine, breaches are nonetheless an extremely costly part of doing business. According to a 2014 research report by the Ponemon Institute, the average cost of post-breach activities is $1.6 million, with the average cost of lost business an astounding $3.2 million. Because some form of data breach is highly likely, one solid defense is to create a written information security program (WISP). However, a WISP must be more than mere words on paper. A program is effective only if the company actually complies with its WISP and pairs it with other security measures. And the company’s compliance efforts should be led by top executives in order to underscore the importance of the security issues involved.
Implementing a WISP can help avoid a breach by identifying potential security failures before they occur. The act of preparing a WISP will require your company to analyze its existing practices and the types of breaches that are likely to occur, thus highlighting areas for improvement and prevention. A WISP also can minimize liability in the event of a breach by establishing beforehand a specific procedure to be followed and by demonstrating that your company attempted to protect its data and comply with applicable data security laws. In particular, regulatory agencies and state attorneys general often examine a WISP as an indicator that a company took reasonable steps to ensure data security.
Not only is a WISP a valuable safeguard, it also may be required by state law or administrative regulation. In 2010, Massachusetts became the first state to pass a data security regulation (Mass. Regs. Code Tit. 201 § 17.00) requiring organizations to adopt a comprehensive WISP. Other states have followed suit and enacted security procedures laws.
Failure to have a WISP in place, and to follow it, can have real consequences. For example, the Massachusetts attorney general’s office has brought several enforcement actions in the wake of data breaches and imposed monetary penalties on companies, often in the six-figure range, for failing to comply with the state’s data security regulation, including for failing to maintain and comply with a WISP. In 2012, Massachusetts’ South Shore Hospital paid $750,000 to settle an enforcement action over its failure to protect the personal health information of 800,000 customers. The hospital had shipped unencrypted backup tapes containing protected health information to a vendor but failed to take steps to ensure the vendor maintained sufficient security safeguards. While South Shore had a WISP in place at the time of the breach, it was seemingly deficient, as South Shore subsequently revised it to include new procedures relating to data encryption and employee training.
Similarly, Belmont Savings Bank was the subject of an enforcement action after suffering a data breach when a backup tape containing customer data was discarded in a manner that failed to comply with its own WISP. However, Belmont subsequently took significant steps to address the security lapse, including revising its WISP and destroying all stale data. Those remedial steps likely contributed to the modest civil penalty it was required to pay: only $7,500.
To provide the most value in defending against a breach and against liability, a WISP should address the spectrum of security aspects of your organization, including:
- The types of information and systems that exist.
- The owners of data.
- The security restrictions and controls in place.
- Procedures for monitoring systems for unauthorized use or breach.
- A protocol for the timely disposition of data past the end of useful life.
- Security policies for employees.
- Security issues relating to third-party service providers.
- Persons responsible for implementing the program.
- An incident response plan that defines a clear procedure and a core team of individuals responsible for addressing any breach.
Because drafting a WISP requires due diligence and consideration of many factors, the six steps outlined below will help guide your organization through the process:
1. Assess the categories of data your organization collects and maintains: Begin by identifying the data your business holds. Pay particular attention to any customer information, such as personally identifiable information (PII), and financial or other sensitive personal information. Examine the purpose of the data and how long the company needs the information, which will help focus your priorities on the information critical to operations. Keep in mind that the longer a company retains PII, the greater the number of consumers potentially impacted. Understand where and how data is retained, directly or through third-party providers.
2. Assess existing security practices and identify reasonably foreseeable risks: Examine the security measures your organization uses for various types of data. Consider restrictions on highly sensitive information and the individuals who are permitted access. Assess existing employee-related policies that may impact information security. After weaknesses have been detected, analyze your company’s operational environment to identify the likely impact a cybersecurity incident might have on operations and the potential cost to the company’s bottom line. Identifying vulnerabilities and considering fallout from a breach will help your company establish clear goals for protecting data.
3. Involve all information stakeholders, and demonstrate the importance of data security to employees: Include persons from key groups across the organization (e.g., IT, legal, regulatory and records management) when creating a WISP to ensure a unified approach and that proposed security measures do not adversely impact a segment of the business. Individuals at varying levels within the organization also should be involved. Clearly communicate the organization’s new or updated security policy to all employees. Establish a protocol for educating employees about data collection and retention, use of technology and breach procedures, and ensure that employees receive adequate and documented training regarding data security.
4. Evaluate relationships with third-party service providers: In addition to being a best practice, certain regulations, like those in Massachusetts, require that a WISP address the security practices of third-party service providers. Similarly, government contractors should evaluate the cybersecurity risks of any subcontractors, since government agencies may expect contractors to influence the practices of downstream suppliers, especially in light of the “Framework for Improving Critical Infrastructure Cybersecurity,” released by the National Institute of Standards and Technology in February 2014. Conduct data security due diligence on your providers, inform them of your cybersecurity policies and contractually specify the standard of care that each must meet.
5. Establish an incident response and recovery plan: A comprehensive WISP should establish a plan for responding to a data breach. The plan should identify a specific incident response team led by a member of senior leadership with decision-making authority and access to a company’s board of directors, and also include employees with relevant skills (technology and otherwise) who are assigned clear responsibilities in advance. Involve public relations and consider how a breach will be communicated to key audiences. Establish a customer care team that is trained in advance on addressing customer concerns. Have a template incident notification letter prepared that can be modified to fit the particulars of any breach. Finally and critically, test the plan as though an actual breach has occurred in order to identify areas for improvement.
6. Continue to review and update security policy: Since operations and technology are subject to significant and repeated change, a WISP should be viewed as adaptive and updated on a regular basis. Review the plan quarterly, but at the very least conduct an assessment annually and in the face of a material change in the business.
Drafting a WISP may appear to be a daunting undertaking; however, the steps discussed in this article can serve as a useful guide for implementing an important precautionary tool. A WISP, in combination with other preventative cybersecurity measures, can protect your company against cybersecurity threats and ensure it is well situated to minimize liability in the event of a security incident.
Mark Mermelstein is a partner in Orrick, Herrington & Sutcliffe’s Los Angeles office and serves as co-head of the firm’s cybersecurity and data privacy group. Diana Szego is an intellectual property senior associate in the firm’s office in Washington, D.C.
Reprinted with permission from the May 19, 2015 edition of Corporate Counsel
© 2015 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 - [email protected] or visit www.almreprints.com