Addressing privacy compliance and cybersecurity is becoming more and more challenging for companies. At least 26 states are considering various kinds of data privacy laws. At the same time, the rate, depth, and impact of ransomware, wiperware and data breaches have become more intense and more expensive, and there is no indication that the trend will end soon.
Complying with privacy mandates, and preparing for and defending against a data breach, requires knowledge – it requires visibility.
What does that mean? To achieve visibility, an enterprise needs to increase its knowledge of key elements in its infrastructure:
See Your Network
Most C-level executives, other than chief technology officers and chief financial officers, have little knowledge of their network. But understanding what data is stored on the network, how the various parts of the network interact, and who has access to the network (and what kind) is essential to evaluating risks, complying with privacy laws, and preparing for and defending against attacks. This means not only knowing what is supposed to be on the network, but the “silent” nodes as well – things like unused servers and the devices that attach to the network, such as personal laptops, smart phones and tablets.
Part of knowing your network also means knowing what is happening on the network. Companies need to know when there is a threat, where it is, and how to contain it. Simply having firewalls and other endpoint security isn’t enough; it’s too easy for hackers to gain access to the network. Being able to “see” what is happening on the network in real time is what can allow a company to defend itself. When a breach is in process, speed is essential.
See Your Data
Surprisingly, many companies are not fully aware of the data they collect, save and process – but this is key to complying with data privacy laws. Companies need to know:
- What data does the company collect?
- What data does the company need to collect?
- How does the company collect data – directly from users, clients, and consumers, or through third parties?
- Where does the company store its data?
- How does the company use the data it collects – particularly personal information of individuals, including employees?
- Who has access to the data?
The GDPR, the CCPA, the Virginia and Colorado privacy laws, and each statute currently proposed in the United States require a company to disclose each of these factors – and that knowledge is necessary to comply with consumer rights under those laws. A key question is differentiating between the data you collect and the data you need; companies need to recognize that there is no benefit in collecting data that’s not necessary. There is often a sense that “we might want to have this data in the future,” but that rationale does not stand up in today’s environment. Instead of being something of potential future value, collecting, storing, and using data that isn’t necessary for the company’s business creates liability.
See Your Software
During the past year, understanding the extent of the software a company uses – and the software that its key vendors and partners use – has become increasingly important. The Log4j experience made it clear that if a company doesn’t know the software it relies upon, it cannot take preventative and reactive action to mitigate risks. Companies should create a “Software Bill of Materials,” identifying the software used by or for its business, and should understand how the software is managed, licensed, and supported.
The Log4j issues also emphasized how important it is for companies to consider their use of open-source software. Open-source software is ubiquitous, but it is not always well-managed or updated, and is often overlooked when evaluating a company’s risk profile.
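The practical payoff of a Software Bill of Materials is that the question “do we run the affected component anywhere, and is it licensed and supported?” becomes a lookup rather than a scramble. The following Python script is an added example, not code from the article or from JMBM: it reads a small CycloneDX-style SBOM, flags components whose installed version is below the fixed version named in an advisory list, and reports components with no licence or supplier information. The SBOM content, the advisory list and its “fixed” version, and the vendor and component names other than log4j-core are all constructed for illustration, not real advisory data.

```python
"""Added example (not from the original article): answering "what software
do we run, and is it patched, licensed and supported?" from an SBOM.
All sample data below is constructed for illustration."""
import json
from typing import Dict, List, Tuple

# Constructed SBOM fragment in CycloneDX JSON layout. Component versions,
# suppliers and licences are illustrative, not real inventory data.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "supplier": {"name": "Apache Software Foundation"}},
        {"type": "library", "group": "org.springframework",
         "name": "spring-core", "version": "5.3.9",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "internal-billing-sdk", "version": "3.2.0",
         "supplier": {"name": "Example Vendor Inc. (hypothetical)"}},
    ],
})

# Constructed advisory list: component name -> first version containing the
# fix. The value for log4j-core is a placeholder, not a real advisory figure;
# a real programme would take this from a vulnerability data source.
SAMPLE_ADVISORIES: Dict[str, str] = {"log4j-core": "2.17.0"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.
    Parsing stops at the first non-numeric segment (e.g. '-rc1'); that is
    adequate for the illustration, not for a production version matcher."""
    parts: List[int] = []
    for piece in version.replace("-", ".").split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def load_components(sbom_json: str) -> List[Dict[str, object]]:
    """Flatten the CycloneDX 'components' array into plain records."""
    bom = json.loads(sbom_json)
    records: List[Dict[str, object]] = []
    for comp in bom.get("components", []):
        records.append({
            "name": comp.get("name", ""),
            "version": comp.get("version", ""),
            "group": comp.get("group", ""),
            "supplier": (comp.get("supplier") or {}).get("name", ""),
            "licenses": [(entry.get("license") or {}).get("id", "")
                         for entry in comp.get("licenses", [])],
        })
    return records


def find_affected(components: List[Dict[str, object]],
                  advisories: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, installed version, fixed version) for each component
    whose installed version is older than the advisory's fixed version.
    A component with no recorded version is treated as below the fix."""
    hits: List[Tuple[str, str, str]] = []
    for comp in components:
        name = str(comp.get("name", ""))
        fixed = advisories.get(name)
        if fixed is None:
            continue
        installed = str(comp.get("version", ""))
        if parse_version(installed) < parse_version(fixed):
            hits.append((name, installed, fixed))
    return hits


def missing_metadata(components: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map component name -> list of missing fields ('licenses', 'supplier').
    These gaps are the 'managed, licensed, and supported' questions."""
    gaps: Dict[str, List[str]] = {}
    for comp in components:
        missing: List[str] = []
        if not [lic for lic in comp.get("licenses", []) if lic]:  # type: ignore[union-attr]
            missing.append("licenses")
        if not comp.get("supplier"):
            missing.append("supplier")
        if missing:
            gaps[str(comp["name"])] = missing
    return gaps


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    for name, have, fixed in find_affected(comps, SAMPLE_ADVISORIES):
        print(f"ACTION: {name} {have} is below fixed version {fixed}")
    for name, fields in missing_metadata(comps).items():
        print(f"REVIEW: {name} has no {' or '.join(fields)} recorded")
```

Run against an SBOM exported from the build system rather than the constructed sample, and the same two functions become a recurring check: one list to act on when an advisory lands, one list of components whose licensing or support status nobody has recorded.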
See Your Vendors
Companies have also become increasingly aware that vendors not only provide essential services; they also create risks and increase a company’s vulnerability to hackers. If a vendor can access a company’s network, a hacker can access the company’s network through the vendor. The situation is more complicated because vendors rarely act alone – they themselves have vendors, and those vendors have vendors, and so on. Even when a company can achieve a degree of comfort with a direct vendor, it may be difficult, if not impossible, to do the same with the vendor’s vendors, who do not have a direct relationship with the company.
Companies can address some of these issues by taking a systematic approach to engaging new vendors and evaluating current vendors. Key steps include:
- Qualifying vendors by doing a deep dive into their past performance, their privacy and security qualifications, and other key issues.
- Entering into strong data security agreements, whether as part of a vendor contract or as an addendum.
- Identifying each vendor’s own key vendors, and at least attempting to obtain similar information about those subvendors.
- Regularly repeating this effort – vendors can change, and a regular (at least annual) review of their practices is essential, especially as vendors change ownership regularly.
Visibility, by itself, doesn’t prevent a malware attack. Without taking other measures – such as a thorough incident response plan – it won’t ensure an effective response or compliance with privacy laws. However, a company that fails to take elemental steps to understand its network, data, software, and vendors will be more vulnerable and non-compliant. The risks of not taking these steps far outweigh the time, effort, and cost involved.
You are not alone in this effort. Since the adoption of the GDPR and the CCPA, great strides have been made in overcoming what can, at first, seem to be an overwhelming task. The Jeffer Mangels Butler & Mitchell Cybersecurity and Privacy Group works with companies to understand and address their security and privacy needs, and we are ready to help you. For more information, contact Bob Braun (rbraun@jmbm.com) or Mike Gold (mgold@jmbm.com).
Thanks to Jason Ciment and his company, Get Visible (https://www.getvisible.com/) for inspiring the concept of visibility for this piece.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.