ORANGE COUNTY BUSINESS JOURNAL

Effective Data Security Means Responsible Risk Management. How is Your Company Doing?

The frequency and size of data breaches and related litigation in the headlines has heightened "cyber anxiety" in corporate America. The challenge for any company is to channel that anxiety into smart action that enhances security of personal information or other sensitive data without harming operations or the bottom line. Misperception of risk is one of the biggest threats to succeeding in this endeavor. If a company fails to understand its risk profile, a poorly implemented or ill-fitted security program may introduce new vulnerabilities or unnecessarily interfere with business operations. Here are three concepts to keep in mind to avoid succumbing to cyber anxiety.

Data security begins and ends with your company's unique risk profile.

The patchwork of laws and regulations governing data security may create an urge to secure everything as though it were personal or other sensitive information, a practice some call "boiling the ocean." This urge must be resisted. Data security is another component of risk management, and therefore requires defining the risks to be managed. Taking the time to understand what types of data your company collects, how it makes such collection, what it does with that data, and where different types of data reside is indispensable. Indeed, in April 2016, the acting general counsel of the Federal Trade Commission—the federal agency that has taken much of the enforcement action relating to security of personal information—stated: "You can't secure your information unless you know what you have." Knowing what you have is half of the equation. The other half is understanding the different ways in which your operations pose risks to your data. The technical innovations that have presented opportunities for new products, markets, and distribution channels are the same ones that have dramatically increased risk profiles for companies of all sizes and across all industry segments.
With support from experienced legal counsel and qualified cybersecurity experts, the goal is to develop an actionable roadmap for managing risk without boiling the ocean.

A "top-down" approach to data security is necessary and attainable.

Execution of a data security roadmap must be led at the Board level and overseen by the Board or a dedicated committee. Many regulators—including the FTC and the Securities and Exchange Commission—have made clear that effective data security requires an active mindset that starts with the Board and pervades every level of the organization. As some recent court decisions have shown, directors and officers who do not have a record of actually managing data security may lose the protection of the business judgment rule in shareholder suits arising from data breaches. However, these counters to cyber anxiety need not be unduly burdensome. Directors should, and can, balance their data security responsibilities with the duty to ensure the company's operational and financial health. Indeed, the key for Board members is not necessarily to become cybersecurity experts, but to examine how cyber-related risks contribute to broader enterprise risks driving corporate governance. The most important contribution at the outset is to frame and start answering questions that are already on their minds: What could cause an "extinction event" for my company? What could impact the entire industry? What does the future look like? What types of data are most significant to the business and how may they be vulnerable? Through collaboration with legal and technical experts, the Board and senior management can begin to identify the right mix of data security controls that minimize business interruption.

Invest in data security controls that minimize both legal exposure and operational "friction."
An effective data security policy will, among other things, clearly identify the roles and responsibilities of relevant people, including directors, members of management, legal counsel, employees, vendors and other contractors with access to personal or otherwise sensitive data, cybersecurity professionals, and in many cases, a dedicated Chief Information Security Officer. These individuals must combine to implement three primary types of controls: prevention, detection, and response. Prevention occurs when an action or control prevents a risk before it affects users or the environment. Detection is identifying the presence of something malicious that has already entered the environment. Response is a reaction. From a risk perspective, prevention focuses on minimizing severity and the potential for harm, while detection and response focus on minimizing damage. Control implementation can be automated, semi-automated, manual, or some combination of all three. Automated control occurs entirely through machines. Semi-automated involves some level of human intervention. Manual controls are managed entirely by hand. The combination of control types and automation levels comprises the cells of the "9 Box" figure below. Risk increases as we move from prevention to detection to response. Cost increases as we move from automated to semi-automated to manual controls.

However, there is a third dimension to the 9 Box: control friction. Like a force that causes a moving object to slow down, controls can impose a "drag coefficient" on business velocity—they can slow the user or a business process. But this friction need not be an immutable force. A company can determine how much control friction to apply. Apply too much control friction, and users may go around IT and its security controls. This adds cost. The security team lacks visibility into user "workarounds," meaning it is less likely to prevent compromises, detection is difficult, and in many cases response after the fact becomes the only option. If a business adheres to high-friction controls, the effect can be to generate systemic business risk and hinder business velocity.
The organization may lose time to market and the ability to innovate, and over the long term it may even lose market leadership. The size of a company's potential "drag coefficient" depends significantly on culture, which is another reason that anything resembling a "one size fits all" approach to data security is misguided.

[Figure: 9 Boxes of Control]

Again, everything begins and ends with a company's unique risks. In implementing an appropriate data security program, any company would do well to start by focusing on the following areas:

- Adopt good system "hygiene," including an inventory of connected devices.
- Use multifactor authentication.
- Use encryption and/or rights management for sensitive data.
- Isolate critical functions.
- Back up critical systems.
- Consider using the cloud for reliable and scalable security.
- Consider a managed security service provider and regular penetration testing.
- Consider adding in-house or outside legal counsel with experience in privacy and data security compliance and litigation.
- Consider cyber insurance.
- Maintain an internal data security policy implemented through regular employee education and training.
- Maintain an incident response plan that can be deployed quickly and effectively.
- Make data security a regular agenda item for Board meetings.

Stradling Yocca Carlson & Rauth, P.C. (949) 725-4000 | SYCR.COM
Reprinted with the permission of the Orange County Business Journal