Cybersecurity and Privacy Protection: the Barbarians are at the Gate
- The general message to businesses from executives of the U.S. Attorney, U.S. Secret Service, U.S. Health & Human Services, FBI, FCC, FTC, FINRA, and Ohio Attorney General (speaking in their personal capacities, not as representatives of their organizations, of course) was that the barbarians are at the gate, and you must protect yourselves. The message from the insurance industry was that you are not too small to be a target, the best defense is a great offense, and your own employees pose the greatest risk. Bitcoin ransom demands are real.
- Buying cyber-risk insurance is the last step, not the first step, in protecting the business. The insurer is going to want to know: what is your risk management process, and how are you implementing it?
- Where do you even begin to develop a risk management process? With your own employees. They know what data you have, where it is, in what format it is stored, and how it flows out. Until you know what you have, you can’t begin to assess risks.
- Select your risk management and incident response team members, now. If someone shouts “Better Call Saul,” you want to have Saul’s number on speed dial. Or preferably the number of an attorney who actually works in this area of law.
- No employee wants to be the person who opened the gate for the barbarians. Be smart and be kind: create the right culture, and provide ongoing training.
- A lot of HIPAA breaches are occurring. Unencrypted laptops are still getting stolen.
- Business associates pose a significant HIPAA breach risk. Do you maintain a health care plan, which is a HIPAA “covered entity”? Do you have business associates, or are you a business associate?
- Risk management is not set and forget. Ongoing diligence and documentation of compliance are critical.
- Establish and follow a document retention policy, including destroying documentation when you say you will, but know when a “litigation hold” prohibits such destruction.
- No employee wants to be the person who threw gasoline on the grease fire. When an incident occurs and employees are under duress, they can make matters much worse with their panicked responses, such as creating discoverable email trails and contacting the wrong people first. Ongoing training and fire drills are key.
Kudos to my alma mater, Professors Brian Ray and Candice Hoke, and students including Elissa Leonard Arko (who will be joining Tucker Ellis soon), for putting together a great conference.
Category: Cybersecurity – EB/ERISA