How Cybersecurity Fits into Your Compliance and Ethics Program
Wednesday, May 19, 2021
cybersecurity topics
Print Mail Download i

Cybersecurity wasn’t necessarily a significant issue for in-house counsel 10-15 years ago. But now, companies have so many more obligations regarding information security and data privacy than they did even a decade ago. Initially, cybersecurity was an issue primarily for regulated companies. Then, companies with widespread consumer contact found themselves having to meet greater regulatory burdens. Today, though, cybersecurity is an issue for virtually every company, and it is important those efforts fit into a corporate compliance and ethics program.

Mapping Your Data to Your Obligations

  • Who requires special treatment of certain business information?

    • State and federal laws.

    • International privacy rules (GDPR, etc.)

    • Regulatory authorities. 

    • Business and government contracts—Companies/governments require contractors to meet certain privacy standards in agreements.

    • Litigation/investigation holds and requirements.

    • Trade secrets—If you can’t protect your own trade secrets, the state isn’t going to recognize those IP rights.

  • You must find what information you have and how it matches with your obligations & requirements. Not everything you have must be treated the same way.

  • Identify who has access to your data & where it is stored.

In-House Considerations

  • Is your industry regulated? And who are those regulators? What do they expect of us?

  • Do you take payments? If so, the info around those payments must be protected. Also industry regs for credit card payments. Smaller companies may want to consider a third-party payment processor.

  • Do you offer a health plan? If so, you may fall under HIPAA.

  • Does your business interact with children? Specific laws deal with children’s privacy. 

What Type of Data to Identify?

  • Personal Health Information (PHI). But only certain information collected in specific circumstances. Ex: a DNA swab sent to a family ancestry tracking website isn’t protected in the same way as the same swab collected by a physician.

  • Personal Credit Information (PCI).

  • Personally Identifiable Information (PII) of consumers. May or may not be protected in U.S., depending in part on usage. A privacy policy should accurately describe how data is used.

  • Customer and price lists.

  • Salary and compensation information.

  • Client or customer account information.

  • Trade secrets and intellectual property.

  • Data stored in a prohibited jurisdiction (i.e. data subject to European Union data protection laws stored in the United States).

  • Content subject to legal hold/ regulatory retention obligations.

Data Disposal Laws

  • Approximately 2/3 of states have data disposal laws.

  • Data holders must take “reasonable measures” to dispose of records w/ personal information at the appropriate time.

  • Disposal means shredding (paper), erasing, or modifying records to make them unreadable or undecipherable. “PI” is name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state ID card number, insurance policy number, education, employment, employment history, bank account number, credit/debit card number, or any other financial information, medical information, or health insurance information.

50-State Breach Notice Laws

  • Do you carry personalized data? (ID + Account).

  • Do you have a contingency plan for data recovery?

  • Who is on your strike team? Identify key job titles who will be pulled into an incident response. Figure this out before an incident happens.

  • Have you retained outside forensic/legal counsel? 

  • Are you insured? Cyberinsurance has vastly improved in recent years. You can choose to use your own lawyer w/ insurance company.

Data Security Standards

  • Reasonableness for current technology/sophistication of organization. This constantly changes, and varies greatly from business to business. So a company’s standards must constantly evolve—technology and risks are ever-changing.

  • Include policies, procedures, training, technology.

  • FTC/SEC focus on security as an operational function.

  • FTC also concerned with disaster recovery/contingency planning. This planning is critical.

In-House Considerations

  • No such thing as absolute security.
  • Need a written data security policy for some states.
  • Document, document, document. 
  • Show you were reasonable.
  • Get a third-party assessment to ensure your security plan is reasonable.
  • There will always be a queue for security needs– be careful about documenting security wish lists.
  • Data Map—What do you hold? Who manages this data? Who can access this data? Where is it held?
  • Where is sensitive data likely to be held?
    • Sales/Marketing/Customer Service
    • HR
    • R&D

In-House Considerations: Policies

  • Contingency planning/disaster recovery/data breach.

  • Data life cycle/retention/destruction. Don’t keep sensitive data any longer than you have to.

  • Information access limitations. Only people who need access to sensitive information should have it.

  • Meeting reasonable data security standards.

  • Data contracting policies with vendors.

  • SaaS contracts: fixed-cost data return. Make sure you can get your data back from vendors. Include a data security addendum, as well as injunctive relief and painful liability limitations.

  • Acceptable promises to customers.

  • Don’t agree to it if you aren’t doing it.

  • Understand regulatory requirements. 

“The Brief” provides Compliance and Ethics Network members with a brief overview of highlights and key points covered in the monthly Legal Quick Hit. The full recording of this presentation can be found on the ACC website

Copyright © 2024 Womble Bond Dickinson (US) LLP All Rights Reserved.

Current Legal Analysis

More from Womble Bond Dickinson (US) LLP

USPTO Proposes New PTAB Practices in Latest Notice of Proposed Rulemaking
by: Alexander P. Wharton
United Nations Unanimously Adopts the First Resolution on Promoting Safe, Secure, and Trustworthy Artificial Intelligence
by: Seiko Okada, M.D., Ph.D. , Dr. Christian E. Mammen
Permitting Reform and Responsible Mining: Q&A with IRMA’s Kristi Disney Bruckner
by: Scot Anderson
What We Are Listening for in House Education and Workforce Hearing on Columbia University’s Response to Antisemitism
by: Kristina M. Moore , Joe D. Whitley
The EU Artificial Intelligence (Al) Act: A Pioneering Framework for AI Governance
by: G. David Carter , Katie Hyman CIPP/E, CIPP/US, CIPM
For All Patent/Trademark Practitioners: USPTO Provides Guidance for Use of AI in Preparing USPTO Submissions
by: Seiko Okada, M.D., Ph.D. , Samuel A. Savanich
Increasing Volume of Pro Se, Frequent Litigants, and Pre-Litigation Demands & Arbitration Claims in Financial Services Litigation and Compliance [Podcast]
by: Shelton Sterling Laney III , Tomio Narita
Lighting the Way: ITC Decides First Case Under the Interim ID Program, Holds Domestic Industry Cannot Be Shown with Aggregated Investments in Multiple Products Covered by Different Patents
by: Daniel M. Grigore , Andrew Beverina
Window Shade Bracket Design is Not Protectable Trade Dress
by: Jason M. Rockman , Jacob S. Wharton
Permitting Reform in the United States
by: Wayne M. Chancellor , D. Scott Anderson

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins