Are You and Your GC in Sync?

BrandPost By Jessica Carter
Jul 12, 2017
Investigation and Forensics | Technology Industry

Alignment on relevant industry trends is critical to IT’s capacity to satisfy a legal department’s needs

Security threats, mobile employees and a changing regulatory climate have many corporations re-evaluating their current technology and processes to ensure data is protected. As CIOs and CISOs map out developing technology plans and possible procurement initiatives for their organization, it’s critical they collaborate closely with general counsel in several areas, to steer the ship through the challenges of a rapidly changing information age environment.

Ensuring Data Security

There are many great lists that you would like to see your corporation listed on, but I will bet this isn’t one of them: Krebs on Security. You may think that you have everything locked down, but you are facing an indomitable foe every day – clever cybercriminals. In the aftermath of an incident, your GC will be responsible for any legal consequences and helping ensure minimal impact to company financials and reputation. They are equally concerned that the proper processes are in place and actions are being taken up front to minimize the damage in the event of a breach.

It is a heavy responsibility to keep customer, financial, intellectual property, personally identifiable and legal information safe from breach. Cisco’s Annual Security Report in 2016 said that 65 percent of organizations feel that they face a significant level of security risk. Additionally, Bomgar’s Vendor Vulnerability Report stated that 55 percent fear a breach resulting from vendor access will occur over the next year, while 20 percent believe the same will happen at any time after one year. Legal and technical teams should work together to ensure all vendors adhere to the highest security standards and have a protocol to immediately inform the company of any breach.

Creating a detailed map of all of the organization’s data repositories is critical. Unless the organization knows what it has, where it resides within the organization and who is responsible for the data, it cannot respond quickly or effectively to data loss. By creating a detailed data plan with your GC and internal stakeholders, you can determine what types of information you have, where it lives and who has access to it inside and outside of your organization. If your organization doesn’t yet have an incident response (IR) plan, insist on it before you experience a cyber or other security breach. Part of that IR plan will outline what steps must be taken to rapidly investigate where and how the breach occurred; what data, if any, was compromised; if the breach is ongoing; and how to remediate it. This is where having a data map, including the locations of sensitive legal data and PII, becomes critical.

BYOD: Your Recurring Nightmare

Did you know that approximately 78 percent of security incidents in 2015 were caused by employees? Forgetfulness, like leaving a mobile device behind in a restaurant where it can be snatched up by a would-be bad actor, is contributing to this alarming trend.

It is no wonder that mobile is a leading cause of security incidents. Studies report that 68 percent of U.S. corporations permit bring your own device (BYOD) policies for work purposes. However, according to Verizon’s 2016 Data Breach Investigations Report, only 23 percent of organizations say that securing mobile devices is a top priority in the next 12 months. Worse yet, the Ponemon Institute found that almost half of employees disable company-required security on their mobile phones, with IT never knowing about it. Furthermore, many corporations still do not have tools that provide visibility into what data resides on employee devices. If you don’t know where your data is located, how can you secure it?

Lost BYOD phones, tablets and laptops pose data breach and preservation risks. Something as simple as failure to instruct employees on deleting text messages from their BYOD devices could lead to costly sanctions. IT and legal should work in tandem to ensure a clear BYOD policy is in place and enforced with all employees. The policy should outline appropriate use, going so far as to include specific details around which websites, apps and company-owned resources are allowed or not allowed to be accessed from the employee’s mobile device. Requirements around device security should be clearly outlined, including specific password requirements. Regular audits of all endpoints, including mobile, should be done to identify and remediate possible risky data sitting on a device.

Swift Investigations

The Department of Justice and the Securities and Exchange Commission, which jointly enforce the Foreign Corrupt Practices Act, have emphasized self-reporting of misconduct and cooperation as keys to favorable outcomes, such as deferred prosecution or a decision not to prosecute, settlements and reduced financial penalties. Further, in an interview Hui Chen, compliance counsel expert at the Department of Justice, discussed the evolution of compliance standards. Compliance can no longer be just a slide deck or pretty graphs rolled out to employees. It must be a policy that is a top-down commitment from the leadership to all stakeholders. “I believe that compliance works only when the ownership and the commitment are shared, and that means the efforts of ensuring compliance get the right resources and processes must be a shared effort,” said Chen. So, if technology is needed to enhance a compliance process, the IT function needs to be fighting for that resource.

The Financial Industry Regulatory Authority imposed fines totaling $104 million in 2015. Rapid investigation of health information breaches, for example, is essential to meet the Health Insurance Portability and Accountability Act’s breach notification and security rules, while the European Union’s updated General Data Protection Regulation (GDPR) makes efficient audits and investigations essential, with 72-hour notice requirements and penalties of up to 4 percent of annual global revenues. Large, highly regulated organizations must be able to monitor rogue behavior and immediately remediate problems across networks, servers and endpoints.

Legal teams are continually monitoring changing regulations to help ensure their organization remains compliant and avoid steep penalties. CIOs should consult with legal often to ensure the right technology and processes are in place to effectively audit for compliance and respond to any possible issues in a timely manner—either with necessary policy changes or technology purchases.

Share and Share Alike

While 80% of CIOs and CISOs consider collaboration between departments to be highly important to the success of digital investigations, just 52% consider the current level of collaboration to be high within their own organizations.* IT teams should keep general counsel apprised of what processes are in place that involve customer and employee data. In turn, legal needs to educate the IT department on the myriad regulatory and legal issues that could affect an organization’s information infrastructure. By working together and keeping each other informed, you have the best chance of aligning on technology needs and getting the right solutions in place to meet your organization’s risk management needs. For a quick primer for CIOs and CISOs on important trends and digital data challenges to consider when implementing new technology, you can download our complimentary guide here.

*IDC Research Study: Digital Investigation Challenges; December 2016