By Catherine Crosby Long, Keith Andress and Alisa Chestler
Not long ago, the average American could not define terms like “data breach,” “hack” or “cybersecurity.” However, hardly a day passed in 2015 without a cyberattack covered by the national news. As a result, consumers are increasingly aware of the need to ensure that their personally identifiable information is secure. This article explores the basic tenets of an effective cybersecurity policy, including the need for regular security assessments and an incident response plan. In 2015, healthcare companies became the primary target of identity thieves and hackers, with Premera Blue Cross and Anthem experiencing security breaches that exposed millions of consumers’ PII to unauthorized users. The Office of Personnel Management suffered a breach in which fingerprint information from over 5.6 million current and former federal employees was stolen, along with personnel files from over 21.5 million employees.
From government to education, healthcare to financial services, no industry was safe from hackers. President Obama signed the 2016 Consolidated Appropriations Act on Dec. 18, 2015, which included the Cybersecurity Act of 2015 — the most significant federal legislation to date addressing cybersecurity and cyber threats. The act included the Cybersecurity Information Sharing Act, intended to encourage private entities to report — voluntarily — any hacks, suspected hacks or other cyber threat indicators to the Department of Homeland Security, which is now the “go-to” agency for reporting cyber threats.
Given the extensive coverage of data breach and hacking incidents over the past few years, most companies should have the basic elements of a cybersecurity policy in place: maintain an effective firewall, appropriately train employees on privacy and security principles, regularly update password and authorization requirements, encrypt credit card information, monitor networks and limit employee access to non-essential information. Once these basic principles are implemented, periodic assessments should be performed to ensure security protocols are actually working.
In June 2015, the Federal Financial Institutions Examination Council released a Cybersecurity Assessment Tool following the council’s pilot assessment of 500 institutions during the preceding year. The Cybersecurity Assessment Tool incorporates the National Institute of Standards and Technology Cybersecurity Framework utilized by a variety of different industries and companies of every size, and begins with an assessment of five categories: 1) technologies and connection types; 2) delivery channels; 3) online/mobile products and technology services; 4) organizational characteristics; and 5) external threats.
An institution’s “maturity” in the following five domains is then evaluated: a) cyber risk management and oversight; b) threat intelligence and collaboration; c) cybersecurity controls; d) external dependency management; and e) cyber incident management and resilience. After the assessment and evaluation have been completed, institutions should identify areas that need improvement, develop strategies to advance maturity, and address gaps in their cybersecurity preparedness. Each time new products are introduced or services offered, a security assessment should be performed.
Companies should also ensure third-party vendors and service providers have implemented sufficient security protocols, and are consistently evaluating their preparedness for a potential cyberattack. The Cybersecurity Assessment Tool’s emphasis on the exchange of threat intelligence and collaboration in response to a data breach, however, can prove complex for financial institutions. Although information disclosed in a cyber-incident report to DHS may mitigate legal concerns, loose privacy protections could risk the entity’s goodwill among its customers, who may regard sharing of their private information with law enforcement as a significant breach of trust. Accordingly, entities would be wise to consult with counsel to determine the appropriate scope of any disclosure to DHS and to formulate an internal protocol for information sharing.
Although effective security protocols can minimize risk, no individual or company is completely safe from a hack or data breach. As a result, companies should prepare a written cybersecurity incident response policy and name a dedicated incident response team that works closely with outside counsel. Response procedures should be specific, current and integrated across business units. While the in-house legal team and general counsel should be at the forefront of any breach, incorporating outside counsel will help to protect attorney-client privilege and confidential information in the event litigation results following the breach.
Steve F. Wood, co-chairman of the business technology group at Baker Donelson and the law firm’s chief information security officer, concurs. “Having outside counsel in the loop removes any question that might exist as to the validity of attorney-client privilege with regard to in-house lawyers,” Wood explains. “And given the likelihood now that a data breach will result in lawsuits, that’s an important consideration.”
Methods of transferring risk should also be evaluated. Cyber insurance coverage is a necessary part of a financial institution’s information security program. Companies would be prudent to consult with a cyber-insurance expert to confirm that they are fully covered for potential losses following a breach.
Suzanne A. Gladle, director of cyber program operations at McGriff, Seibels & Williams Inc., notes that “Cyber insurance has evolved over the past decade and can serve as a financial back-stop to many of the costs associated with data and system breach events.”
Gladle cautions, however, to “be mindful that the least expensive offers are often priced that way because the underwriter may be sub-limiting many coverage parts or may be excluding material elements of risk.” When confronted with a complex claim, she adds, “Cheap insurance is always expensive.”
A December 2015 global survey performed by Gemalto reported that 64 percent of consumers say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen. Adequately defending against potential security incidents by conducting regular security assessments, creating a cybersecurity incident response policy and insuring against potential losses are the keys to maintaining this relationship and limiting reputational risk.
Catherine Crosby Long is a shareholder and Keith Andress is managing shareholder in the Birmingham, Ala., office of law firm Baker Donelson. Alisa Chestler is a shareholder in the Washington, D.C., office of Baker Donelson. For more information, visit www.bakerdonelson.com.