Five Questions GCs Should Ask to Improve Their Company’s Cybersecurity
As general counsel, one of your key responsibilities is to find and address your company’s legal obligations in the quickly changing world of cybersecurity. These five questions can help you get the information you need to create a plan to protect your company.
What cybersecurity regulations apply to your company?
Federal, state and local cybersecurity laws and regulations are all constantly being implemented or updated. Whether these apply to your company may hinge on the type of data you possess, the work that your company performs and your company’s status. For instance, if your company is a federal contractor or a publicly traded company, you’ll need to comply with federal regulations. Or, if you operate in more than one state, differing state requirements may apply.
Is your company’s data encrypted?
The most important advice you can give your company is to encrypt its data to the maximum extent possible. Data encryption can shield a company from a cybersecurity breach and data loss in several important ways:
- Encrypted data is useless to a criminal who obtains it without also obtaining the decryption key.
- Many states don’t require disclosure of a breach if the compromised data was encrypted.
- Encryption provides a defense to counter any civil actions that could follow a breach.
How long are you keeping data?
You should also review your company’s data retention policies for many of the same reasons. Review your policy to confirm that your company only retains data as long as it’s legally required to. Remember, once you delete data that your company is no longer required to keep, the potential fallout from the loss of that data no longer exists.
Who has access to the data?
As general counsel, ensure that your company’s access policy is current and that users’ access is routinely audited. For instance, it is highly unlikely that every employee needs access to all company files. Employees should have access only to the data that is necessary to perform their routine business responsibilities and duties. Limiting access is a simple way to prevent an insider from intentionally or unintentionally contributing to a cybersecurity breach or loss of data.
Are you working with third-party vendors to handle data?
Another area that general counsel should address is third-party vendor management. Data breaches often begin with a vendor’s negligent access to a company’s data or computer systems. At a minimum, these vendors should be contractually limited on what they can do with your data, barred from selling it, and obligated to employ reasonable safeguards to protect it. You should also require them to immediately notify you in the event of a suspected security incident. Vendors need to pass on these contractual requirements to any other person they engage to assist them with handling your data.
Want more information on how to start or improve your company’s cybersecurity program? The National Institute of Standards and Technology provides a wealth of cybersecurity information and a guide to get started. We also published helpful tips to consider when making your plan.
Please contact Walt Green or any member of Phelps’ Cybersecurity, Privacy and Data Protection team if you have questions or need compliance advice and guidance.