The frequency and size of data breaches and related litigation in the headlines has heightened "cyber anxiety" in corporate America. The challenge for any company is to channel that anxiety into smart action that enhances security of personal information or other sensitive data without harming operations or the bottom line.
ORANGE COUNTY BUSINESS JOURNAL
Effective Data Security Means Responsible Risk Management. How is Your Company Doing?
The frequency and size of data breaches and related litigation in the headlines has heightened "cyber anxiety" in corporate America. The challenge for any company is to channel that anxiety into smart action that enhances security of personal information or other sensitive data without harming operations or the bottom line. Misperception of risk is one of the biggest threats to succeeding in this endeavor. If a company fails to understand its risk profile, efforts to implement a poorly fitted security program may introduce new vulnerabilities or unnecessarily interfere with business operations. Here are three concepts to keep in mind to avoid succumbing to cyber anxiety.
Data security begins and ends with your company's unique risk profile. The patchwork of laws and regulations governing data security may create an urge to secure everything as though it were personal or other sensitive information, a practice some call "boiling the ocean." This urge must be resisted. Data security is another component of risk management, and therefore requires defining the risks to be managed. Taking the time to understand what types of data your company collects, how it makes such collection, what it does with that data, and where different types of data reside is indispensable. Indeed, in April 2016, the acting general counsel of the Federal Trade Commission, the federal agency that has taken much of the enforcement action relating to security of personal information, stated: "You can't secure your information unless you know what you have." Knowing what you have is half of the equation. The other half is understanding the various ways in which your operations pose risks to your data. The technical innovations that have presented opportunities for new products, markets, and distribution channels are the same ones that have dramatically increased risk profiles for companies of all sizes and across all industry segments. With support from experienced legal counsel and qualified cybersecurity experts, the goal is to develop an actionable roadmap for managing risk without boiling the ocean.
A "top down" approach to data security is necessary and attainable. Execution of a data security roadmap must be led at the Board level and overseen by the Board or a dedicated committee. Many regulators, including the FTC and the Securities and Exchange Commission, have made clear that effective data security requires an active mindset that starts with the Board and pervades every level of the organization. As some recent court decisions have shown, directors and officers who do not have a record of actively managing data security may lose the protection of the business judgment rule in shareholder suits arising from data breaches. However, these contributors to cyber anxiety need not be unduly burdensome.
Directors should, and can, balance their data security responsibilities with the duty to ensure the company's operational and financial health. Indeed, the key for Board members is not necessarily to become cybersecurity experts, but to examine how cyber-related risks contribute to the broader enterprise risks driving corporate governance. The most important contribution at the outset is to frame and start answering questions that are already on their minds: What could cause an "extinction event" for my company? What could impact the entire industry? What does the future look like? What types of data are most significant to the business, and how may they be vulnerable? Through collaboration with legal and technical experts, the Board and senior management can begin to identify the right mix of data security controls that minimize business interruption.
Invest in data security controls that minimize both legal exposure and operational "friction." An effective data security policy will, among other things, clearly identify the roles and responsibilities of relevant people, including directors, members of management, legal counsel, employees, vendors and other contractors with access to personal or otherwise sensitive data, cybersecurity professionals, and in many cases a dedicated Chief Information Security Officer. These individuals must combine to implement three primary types of controls: prevention, detection, and response. Prevention occurs when an action or control prevents a risk before it affects users or the environment. Detection is identifying the presence of something malicious that has already entered the environment. Response is a reaction. From a risk perspective, prevention focuses on minimizing severity and the potential for harm, while detection and response focus on minimizing damage.
Control implementation can be automated, semi-automated, manual, or some combination of all three. Automated control occurs entirely through machines. Semi-automated control involves some level of human intervention. Manual controls are managed entirely by hand. The combinations of control types and automation levels comprise the cells of the "9 Box" figure below. Risk increases as we move from prevention to detection to response. Cost increases as we move from automated to semi-automated to manual controls.
However, there is a third dimension to the 9 Box: control friction. Like a force that causes a moving object to slow down, controls can impose a "drag coefficient" on business velocity; they can slow the user or a business process. But this friction need not be an immutable force. A company can determine how much control friction to apply. Apply too much control friction, and users may go around IT and its security controls. This adds cost. The security team lacks visibility into user "workarounds," meaning it is less likely to prevent compromises, detection is impaired, and in many cases response after the fact becomes the only option. If a business adheres to high-friction controls, the effect can be to generate systemic business risk and hinder business velocity. The organization may lose time to market and the ability to innovate, and over the long term it may even lose market leadership. The size of a company's potential "drag coefficient" depends significantly on culture, which is another reason that anything resembling a "one size fits all" approach to data security is misguided.

[Figure: 9 Boxes of Control. Rows: prevention, detection, response. Columns: automated, semi-automated, manual.]
Again, everything begins and ends with a company's unique risks. In implementing an appropriate data security program, any company would do well to start by focusing on the following areas:

+ Adopt good system "hygiene," including an inventory of connected devices.
+ Use multifactor authentication.
+ Use encryption and/or rights management for sensitive data.
+ Isolate critical functions.
+ Back up critical systems.
+ Consider using the cloud for reliable and scalable security.
+ Consider a managed security service provider and regular penetration testing.
+ Consider adding in-house or outside legal counsel with experience in privacy and data security compliance and litigation.
+ Consider cyber insurance.
+ Maintain an internal data security policy implemented through regular employee education and training.
+ Maintain an incident response plan that can be deployed quickly and effectively.
+ Make data security a regular agenda item for Board meetings.
Stradling Yocca Carlson & Rauth, P.C.
(949) 725-4000 | SYCR.COM
Reprinted with the permission of the Orange County Business Journal