Posted in NH Bar News Supplement – NH Solo and Small Bar Law Firm Cybersecurity Guide – May 2021
A breach will occur. It is an inevitable fact of life. Every company will experience a breach; it is not a question of whether, but when. Certainly, companies should prepare by taking security measures to prevent breaches, and those measures often also limit the impact of a breach when it occurs. But companies can and should also be prepared with strategies to mitigate a breach when it happens.
Certain security measures limit the impact of a breach
Incorporating cybersecurity safeguards into operations is now a key technique for limiting the impact of a breach. Every company should work with cybersecurity counsel and an outside technology professional to conduct a comprehensive information security risk assessment. One aspect of that process, of course, is to identify the cybersecurity risks in the company's operations that could allow a breach to occur and then implement measures to address those vulnerabilities. Another aspect of the assessment is to ensure that the company has the appropriate safeguards in place to limit the impact of a breach when one does occur.
For example, ransomware is currently the most significant threat to businesses. It is so prevalent and sophisticated that it is virtually impossible to avoid. Three measures are vital to limiting the impact of a ransomware attack when it occurs: (i) advanced activity-based threat detection, beyond traditional antivirus / antimalware; (ii) failover redundancy or air-gapped backups; and (iii) robust access and activity logging.
Traditional antivirus uses a blacklist to stop known malware when it activates. It does not protect against sophisticated ransomware; hackers easily circumvent it by constantly creating new ransomware variants. In contrast, more advanced protection software detects the type of activity characteristic of ransomware and shuts down servers and computers before the ransomware can encrypt the entire system or exfiltrate large amounts of data.
Once the ransomware is stopped, a company that has a redundant failover system can transition operations to that system, usually with only a few hours of downtime. Alternatively, a company that has backups disconnected from its network (air-gapped) and therefore untouched by the ransomware can restore its network from those backups, which usually takes a few days. A company without these protections, however, may be unable to return to operations for weeks or more and may ultimately have to pay the ransom to obtain the decryption key.
Finally, if a company has configured the log files on its firewalls, servers, and computers to collect robust data about network access and activity, forensic experts can analyze that data to determine whether the hackers accessed or exfiltrated data and, if so, the scope of that activity. Without such robust logs, companies often have to assume that all of their information was compromised, which results in widespread, costly, and damaging notification to the people affected by the breach and to regulators.
Implementing these three measures before ransomware strikes often makes the difference between a manageable business problem and a catastrophe.
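As an added illustration (not part of the original article) of what the activity-based detection in (i) and the forensic use of logs in (iii) look like in practice: a small Python triage script over constructed file-activity log lines in a hypothetical format (time, host, user, action, path, bytes). It flags an account whose per-minute activity resembles mass encryption (a write burst) or bulk export (a large upload volume), and then scopes which files that account read or uploaded so the incident can be sized instead of assumed to be total.

```python
from collections import defaultdict

# Constructed sample lines in a hypothetical format: time host user action path bytes
SAMPLE_LOG = """\
2021-05-03T09:00:01 fs01 jdoe read /clients/acme/contract.docx 40960
2021-05-03T09:00:02 fs01 jdoe write /clients/acme/contract.docx.locked 40960
2021-05-03T09:00:02 fs01 jdoe write /clients/acme/nda.pdf.locked 12288
2021-05-03T09:00:03 fs01 jdoe write /clients/acme/invoice.xlsx.locked 8192
2021-05-03T09:00:03 fs01 jdoe write /clients/beta/will.docx.locked 20480
2021-05-03T09:00:04 fs01 jdoe write /clients/beta/deed.pdf.locked 30720
2021-05-03T09:00:05 fs01 jdoe upload /clients/acme/contract.docx 40960
2021-05-03T09:00:06 fs01 jdoe upload /clients/beta/will.docx 20480
2021-05-03T09:05:00 ws07 asmith write /home/asmith/notes.txt 1024
"""
WRITE_BURST = 5        # writes by one account on one host within one minute
EXPORT_BYTES = 50_000  # bytes uploaded by one account on one host within one minute

def parse(log_text):
    """Parse lines into dicts keyed by minute; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue
        ts, host, user, action, path, size = parts
        events.append({"minute": ts[:16], "host": host, "user": user,
                       "action": action, "path": path, "bytes": int(size)})
    return events

def detect(events):
    """Return (host, user, reason) triples for accounts whose per-minute
    activity looks like mass encryption (write burst) or bulk data export."""
    writes, uploaded = defaultdict(int), defaultdict(int)
    for e in events:
        key = (e["minute"], e["host"], e["user"])
        if e["action"] == "write":
            writes[key] += 1
        elif e["action"] == "upload":
            uploaded[key] += e["bytes"]
    alerts = {(h, u, "mass-write") for (_, h, u), n in writes.items() if n >= WRITE_BURST}
    alerts |= {(h, u, "bulk-export") for (_, h, u), b in uploaded.items() if b >= EXPORT_BYTES}
    return sorted(alerts)

def scope(events, host, user):
    """Scope the incident for one flagged account: which files were read or
    uploaded (candidate compromised data) and how many bytes left the host."""
    mine = [e for e in events if e["host"] == host and e["user"] == user]
    paths = sorted({e["path"] for e in mine if e["action"] in ("read", "upload")})
    exported = sum(e["bytes"] for e in mine if e["action"] == "upload")
    return {"paths": paths, "bytes_exported": exported}
```

The thresholds are placeholders; in a real deployment they are tuned to the firm's normal file-server activity so that a paralegal saving documents does not trip the burst rule.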
A fast and planned response is key
Minutes matter when responding to a breach. Containing an intrusion to a single computer, user, or server is dramatically better than suffering a system-wide compromise. But haste causes mistakes, especially if the response is not directed and executed by experienced professionals. A breach response team consists of cybersecurity counsel, a forensic expert, the cybersecurity insurance carrier, and business leaders. Companies should identify their response team and test a written incident response plan before a breach occurs.
When a breach occurs, the organization's technology staff are eager to repair the damage and restore the systems as quickly as possible, and may even have an interest in concealing the cause of the breach. Doing so often results in the destruction, accidental or not, of data vital to the response, such as log files and forensic evidence about the identity of the hackers, the cause of the breach, and the extent of the information accessed or stolen. While the organization's IT staff is critical to responding to a breach, the technical recovery must be directed, and often performed, by an independent forensic expert.
Cybersecurity counsel is also a critical member of the response team. Breaches frequently lead to regulatory investigations. Retaining counsel to direct the response ensures that privilege protects the team's communications and work product, including potentially harmful evidence about the cause of the breach and the measures implemented to remedy it. In addition, counsel coordinates coverage with the insurance carrier, the notification of those affected by the breach, and the communications with regulators that the law requires.
A breach is not a crisis that business and IT leaders should try to manage on their own. It is more art than science. And effective breach management is the best way to avoid liability to the people affected by the breach and to regulators.
Eliminate liability to those affected
Companies can effectively limit or eliminate liability to the people affected by a breach. The first impulse of some companies in a breach is to hide the situation for fear of reputational damage or regulatory investigation. Still, honesty (along with good corporate citizenship) is the best policy.
Formerly, people were upset when they received notice of a breach involving their personal information. But society has become largely inured to these events. Often, people are now more upset if they find out that a breach occurred and the company did not tell them, or delayed the notification. In fact, while no organization wants to suffer a breach, companies with healthy relationships with their customers, vendors, and other constituents can turn the problem into an opportunity to communicate effectively with those constituents and establish or reaffirm their trust in the organization by providing the appropriate protections for them.
Trust arises from transparency with people about the impact the breach may have on them. In addition, companies that offer them credit and identity monitoring and restoration services largely eliminate any claims for damages those people may have against the company. And if an organization has an adequate cyber liability policy, the costs of such credit and identity monitoring and restoration, as well as the other costs of responding to and giving notice of the breach, should be covered by that policy.
Beware of regulatory liability
While companies can effectively eliminate liability to individuals, they cannot do so with respect to regulators. For example, state laws require companies to notify each state's attorney general of a breach involving information about residents of that state, even if the company is located elsewhere. Not surprisingly, Massachusetts, New York, and California aggressively follow up on these notifications with regulatory investigations, issuing significant fines and penalties of hundreds of thousands of dollars, even against small and medium-sized businesses.
While one method of limiting regulatory liability is to provide adequate notice, as well as credit and identity monitoring and restoration, to the people affected by the breach, regulators also base fines and penalties on whether the company had implemented reasonable information security safeguards before the breach. In fact, state laws in Massachusetts, New York, California, and elsewhere specify the safeguards that companies must implement.
Many companies are unaware that they must comply with the information security laws of these other states simply because they hold information about residents of those states. Debating this point with regulators, however, is ineffective. The best strategy is to take immediate action after the breach to comply with the applicable state laws and to negotiate a reasonable resolution with the regulators.
A breach is an inevitable fact of life, but it does not have to be catastrophic. The cost can be limited by conducting a risk assessment with qualified professionals, implementing appropriate safeguards before a breach occurs, having the right team in place to handle the breach when it occurs, securing adequate cyber liability insurance, and being transparent with and providing adequate protections to the people affected by the breach. Like any other business problem, a breach can be managed with proper preparation and planning.
Cam Shilling founded and chairs McLane Middleton's privacy and information security practice group.
The content of this article is intended to provide general guidance on the subject. You should seek specialized advice on your specific circumstances.