Caution Against Cybersecurity Without Data Privacy  

The Conundrum

I’ve noticed an interesting conundrum: cybersecurity programs operating without consulting a privacy attorney.

When I first realized that cybersecurity was being implemented without consulting a privacy attorney, I thought, “how?” and “why?” How would you know which data requires cybersecurity if you don’t know which data is entitled to privacy? Why would you spend money on a cybersecurity program that might not help you avoid legal liability and fines?

A privacy law determines what needs to be protected. Cybersecurity is how to protect it.

Privacy Law & Cybersecurity Work Together

From trade secrets to personal identifying information, we look to the law to understand which types of data are entitled to privacy. Some laws even dictate how we achieve privacy by mandating security measures such as encryption. The laws might also impose duties and obligations on companies that handle data. Failure to comply with privacy laws can cost companies a lot of money in the form of penalties, fines, expensive lawsuits, and crippling damage to reputation. Without a proper assessment of privacy law, a cybersecurity program might not include the security measures that would reduce legal liability or allow the company to meet its legal obligations. Cybersecurity without data privacy is an expensive shot in the dark. I can only assume that when companies pursue cybersecurity without understanding data privacy laws, they do so out of ignorance or misunderstanding rather than intentionally.

Rather than randomly applying cybersecurity measures, companies should narrow the focus of their cybersecurity programs by tailoring them around potential legal liability. Of course, it is crucial to implement general cybersecurity to protect the company’s network from malicious attacks and intrusions, but it is also important to understand that some types of data require additional security, procedures for destruction, processes for obtaining appropriate consent and access, and other requirements depending on applicable privacy laws. Such requirements should be addressed in a comprehensive cybersecurity program.

Consider basic home security. We put locks on the outward facing doors and windows to protect ourselves and our belongings. Many of us even install alarm systems. We put locks on bathroom doors to protect privacy. But do we put locks on all doors? For some reason, we do not put locks on closet doors. It is another door, yet not deserving of a lock because of the general understanding about how closets are used and the expectations of privacy and security within a closet. Of course, you could add a lock to your closet door. Nothing is stopping you. You could add locks to every single door and cabinet in the house. But this would be unnecessary and inconvenient. Could you imagine having to unlock a cabinet door to get a cup for water? Even though it is possible, we simply do not need locks on every door and cabinet.

Unlike the common sense we share about home security and physical privacy, cybersecurity and data privacy are less intuitive. The good news is that rather than relying on common intuition, we have privacy laws to guide us in determining which doors in the cyber world require locks, so that we are not wasting resources by installing locks that are unnecessary and inconvenient.

Having a cybersecurity program without considering privacy law might not only be a waste of money, but it could also miss the target and leave your company exposed to legal liability.

6 Reasons Why You Need Your Cyber Attorney To Review Cyber Insurance

I’m often asked about the difference between someone like me, a cyber liability attorney, and a cyber insurance agent. It’s a fair question. On the surface, we both can help with cyber insurance. Here are six reasons why it is particularly important to have a cyber liability attorney review your cyber insurance.

1. Lawyers have ethical duties to clients.

Lawyers have a fiduciary duty to clients. We are bound by a code of ethics and must represent a client’s interests. By having a cyber liability attorney review your insurance policy, you can rest assured that the policy is being analyzed by someone who is truly on your side.

2. Interpret the legalese in the policy.

A lawyer can interpret the legalese in the insurance policy and help you understand how it interacts with your business. This is an important step when considering cyber insurance because these types of policies are commonly misunderstood. A cyber insurance policy might interact with your business in a way that is either helpful or useless.

3. Evaluate how new laws apply to your business & affect cyber insurance.

There are many reasons why people misunderstand cyber insurance. Part of the problem is that many people don’t quite comprehend the risks and sources of liability in the first place. Much of the liability comes from legal obligations associated with using data and technology. Such legal obligations are currently being developed by lawmakers. A cyber liability attorney can keep up with the new laws and evaluate whether your cyber policy adequately covers new liabilities impacting your business.

4. Understand how courts interpret the words in the policy.

Another reason to consult a cyber liability attorney is because a cyber attorney can identify language in the policy that has failed to provide coverage in the past. For example, a policy provision can appear to say “yes, there is coverage for the precise risk you are concerned about”. However, one tiny word or phrase such as “direct cause” could drastically change the reality of things. A cyber liability attorney can help you identify the not-so-obvious limitations and exclusions so you know if you are getting the coverage you expect.

5. Incorporate the policy into your company’s procedures.

A cyber liability attorney can incorporate your cyber insurance policy into your company’s processes and procedures. For example, your cyber liability attorney can work with your security architect to design policies and processes to protect data. If an insurance underwriter thinks that you use encrypted email, then you had better be using it. This is important because a discrepancy between disclosures made during underwriting and actual processes could result in a denial of coverage. A cyber liability attorney can assist in designing internal policies and procedures that incorporate the requirements of your cyber policy.

6. Data breach response.

In the event of a data breach, or even a suspected data breach, it is extremely important to comply with the provisions of your cyber insurance policy. A failure to follow steps in the policy can result in denied coverage. A cyber liability attorney can help you avoid this disaster by incorporating the cyber insurance policy into an incident response plan. When a data breach occurs, the incident response plan will help the company react appropriately.