One of the great frustrations in contemplating a data security program is that there is no such thing as a one-size-fits-all solution. There is no law or regulation that specifies the exact steps a company needs to take in order to achieve data security. While there are some regulatory and industry-recognized compliance programs – like the health law requirements under HIPAA and the data security standards established by the Payment Card Industry – these provide compliance guidelines, not actual data security. And these compliance guidelines themselves emphasize that each firm must establish security standards that meet the requirements of its own business operations.
The fact is that data security, like any kind of security, requires a clear understanding of the unique needs and operations of a company. Every company has different information requirements and standards as to the information it collects, how it retains that information and how it uses it. Consequently, data security can only be achieved by understanding what a particular firm does, not what is common or typical in an industry.
Assessment Defines Approach
Another factor is that while it is common to look at data security as a technical issue, technical compliance addresses only part of the goal; any review of data breaches will show that individuals – the human factor – are the most common source of insecurity. This is not just due to the possibility of an employee clicking on the wrong website or responding to the wrong email; human error can start at the point where a data security plan, and its technical components, are first contemplated. Without understanding the scope of the company’s data security requirements, those selecting and implementing the “solution” will find that they have not addressed the actual security challenges.
In addition, risk assessment itself is not simply a technical exercise; rather, risk assessment is an assessment of legal risk, the understanding of the legal liability that a firm faces for failure to secure data.
Elements of a Risk Assessment
Any risk assessment begins with asking some basic questions:
- What information do we collect?
- How do we hold the information?
- What do we do with the information?
- Who has access to the information?
- What are our legal/regulatory obligations?
- What are our contractual obligations?
- What are the risks we face?
- What is the level of risk we are willing to assume?
These questions will almost always lead to other questions, and an assessment requires a deep dive into understanding the risks faced by the business, which could include insider threats, nation-state actors or criminal organizations. For example, a business with significant intellectual property might construct an exercise focusing on data theft, while an energy company might be more concerned with the integrity of its industrial control systems.
Importantly, these questions focus a firm on actual security rather than on mere compliance, by prioritizing security measures according to the potential impact of a breach.
Who Performs the Assessment?
Data security requires a different set of skills from information technology, and a risk assessment requires involving individuals experienced in analyzing security risk, working hand in hand with technical consultants and key company personnel.
- Attorneys – Attorneys are important to the process because of their ability to evaluate the legal risks facing a firm. In addition, the information provided to attorneys and the initial results of the assessment may be protected as attorney-client privileged communications; while the privilege is not absolute, the ability to maintain the confidentiality of the assessment is higher if an attorney oversees the process.
- Data security technical consultant – While a legal risk assessment is not primarily a technical exercise, consultants who can analyze the technical protections and their implementation are a key element of the assessment as a whole. While it is tempting to rely on in-house IT personnel for the analysis, data security involves a different set of skills, and security consultants can better evaluate technical protections from the outside.
- Company Executives – To be effective, the company must buy into the assessment at its highest levels. Involvement at the C-level will demonstrate the importance of the assessment and encourage an effective process.
What is the Result of the Assessment?
The results of the analysis should be documented in a written analysis of the company’s risk profile, identifying its strengths and weaknesses, and the steps the company should consider to achieve a more secure environment. The report, however, is not the end. More importantly, the written assessment is a starting point for the company, allowing it to evaluate its current status and to design and implement a plan to achieve actual data security.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.