3 Key Components of Your Cybersecurity Strategy
Major data breaches continue to make headlines on a weekly basis. Just days ago, the U.S. Senate passed the Cybersecurity Information Sharing Act, which requires corporations, organizations and government agencies to share threat intelligence. The Florida Information Protection Act of 2014 tightened up requirements for data breach notification, access to security policies, and the protection and disposal of personal data. Of course, if you do business outside of Florida, you could be dealing with different legal requirements for cybersecurity in each state.
It goes without saying that all companies, large and small, need modern security technology and processes. However, recent events and legislation have sent a clear message – cybersecurity is no longer just an IT issue. How an organization prepares for and responds to a data breach requires collaboration among IT, security, human resources, customer service, public relations and legal teams.
Here are three parts of a cybersecurity strategy that should be addressed sooner rather than later.
Incident Response Planning
Organizations should operate under the assumption that a data breach will happen at some point. The response to a breach will ultimately determine how much damage is caused and the legal ramifications. An incident response plan is a documented process that should be followed when a breach occurs. According to the SANS Institute, there are six phases of incident response planning – preparation, identification, containment, eradication, recovery and lessons learned.
Your incident response plan should answer a number of important questions. What is your business continuity and disaster recovery plan? How quickly can you recover critical data and applications? What is the procedure for notifying those impacted by a breach? Are regulatory compliance requirements being met? To ensure that your organization is capable of effectively responding to a breach, the incident response plan should be tested and reevaluated regularly.
Information Security Policy
An information security policy is a living document that explains how an organization protects both physical and digital data from internal and external threats. It is considered “living” because it will be updated regularly to coincide with new business goals, new technology, and new laws and regulations.
Your information security policy should include data collection, storage and sharing processes, tools and processes for securing sensitive data, risk assessments, and the responsibilities of each person involved with your organization’s security strategy. It must be carefully aligned with your privacy policy and applicable legal and regulatory requirements. This document can also be a valuable training tool and increase awareness of the importance of data security.
Cybersecurity Insurance
A data breach can be extremely costly. Cybersecurity insurance provides important protection that can cover the cost of downtime, breach notification and remediation, crisis management, and lawsuits. These policies have evolved significantly in recent years to include claims related to errors and omissions, media liability, network security and privacy liability.
Cybersecurity Is Equal Parts Legal and Technology
The inherent complexity and evolving regulations surrounding cybersecurity make it as much a legal issue as a technical one. By closely aligning your incident response plan, information security policy and cybersecurity insurance, you can reduce risk and prove to investigators that you’ve met your legal requirements for preventing a breach and notifying affected parties – if these documents have been properly drafted and reviewed.
You can find templates for incident response plans and information security policies online. Many insurance providers offer standard cybersecurity policies. But this issue is far too important and complicated to rely upon basic templates and standard policies. Organizations should develop these documents in collaboration with legal counsel to minimize the impact of a data breach.
Cheryl Cooper is a partner in Whitehouse & Cooper, PLLC, and practices in the areas of business and technology law. She can be reached at 813-444-7388 or ccooper@whitehouse-cooper.com.