Companies often hire professionals to help achieve compliance with various data protection laws in the US and around the world. Surprisingly, the professionals hired to assist with legal compliance are not always lawyers. Thus, leading to situations where companies are left without basic protections recognized exclusively in attorney-client relationships.
Read MoreDeciding to migrate data to the cloud is an important decision that requires due diligence. Read more for tips and considerations.
Read MoreI’ve noticed an interesting conundrum: cybersecurity programs operating without consulting a privacy attorney.
When I first realized that cybersecurity was being implemented without consulting a privacy attorney, I thought, “how?” and “why?” How would you know which data requires cybersecurity if you don’t know which data is entitled to privacy? Why would you spend money on a cybersecurity program that might not help you avoid legal liability and fines?
From trade secrets to personal identifying information, we look to the law to understand which type of data is entitled to privacy. Some laws even dictate how we achieve privacy by mandating security measures such as encryption. The laws might also impose duties and obligations on companies that handle data. Failure to comply with privacy laws can cost companies a lot of money in the form of penalties, fines, expensive law suits, and crippling damage to reputation. Without a proper assessment of privacy law, a cybersecurity program might not include appropriate security measures that will reduce legal liability or allow the company to meet its legal obligations. Cybersecurity without data privacy is an expensive shot in the dark. I can only assume that when companies pursue cybersecurity without understanding data privacy laws, they do so out of ignorance or misunderstanding, but it is not intentional.
Rather than randomly apply cybersecurity measures, companies should narrow the focus of its cybersecurity program by tailoring it around potential legal liability. Of course, it is crucial to implement general cybersecurity to protect the company’s network from malicious attacks and intrusions, but it is also important to understand that some types of data require additional security, procedures for destruction, processes for obtaining appropriate consent and access, and other requirements depending on applicable privacy laws. Such requirements should be addressed in a comprehensive cybersecurity program.
Consider basic home security. We put locks on the outward facing doors and windows to protect ourselves and our belongings. Many of us even install alarm systems. We put locks on bathroom doors to protect privacy. But do we put locks on all doors? For some reason, we do not put locks on closet doors. It is another door, yet not deserving of a lock because of the general understanding about how closets are used and the expectations of privacy and security within a closet. Of course, you could add a lock to your closet door. Nothing is stopping you. You could add locks to every single door and cabinet in the house. But this would be unnecessary and inconvenient. Could you imagine having to unlock a cabinet door to get a cup for water? Even though it is possible, we simply do not need locks on every door and cabinet.
Unlike the common sense we share about home security and physical privacy, cybersecurity and data privacy are less intuitive. The good news is that rather than rely on common intuition, we have privacy laws to guide us in determining which doors in the cyber world require locks so that we are not wasting resources by installing locks that unnecessary and inconvenient.
Having a cybersecurity program without considering privacy law might not only be a waste of money, but it could also miss the target and leave your company exposed to legal liability.
I’m often asked about the difference between someone like me, a cyber liability attorney, and a cyber insurance agent. It’s a fair question. On the surface, we both can help with cyber insurance. Here are six reasons why it is particularly important to have a cyber liability attorney review your cyber insurance.
Lawyers have a fiduciary duty to clients. We are bound by a code of ethics and must represent a client’s interests. By having a cyber liability attorney review your insurance policy, you can rest assured that the policy is being analyzed by someone who is truly on your side.
A lawyer can interpret the legalese in the insurance policy and help you understand how it interacts with your business. This is an important step when considering cyber insurance because these types of policies are commonly misunderstood. A cyber insurance policy might interact with your business in a way that is either helpful or useless.
There are many reasons why people misunderstand cyber insurance. Part of the problem is that many people don’t quite comprehend the risks and sources of liability in the first place. Much of the liability comes from legal obligations associated with using data and technology. Such legal obligations are currently being developed by lawmakers. A cyber liability attorney can keep up with the new laws and evaluate whether your cyber policy adequately covers new liabilities impacting your business.
Another reason to consult a cyber liability attorney is because a cyber attorney can identify language in the policy that has failed to provide coverage in the past. For example, a policy provision can appear to say “yes, there is coverage for the precise risk you are concerned about”. However, one tiny word or phrase such as “direct cause” could drastically change the reality of things. A cyber liability attorney can help you identify the not-so-obvious limitations and exclusions so you know if you are getting the coverage you expect.
A cyber liability attorney can incorporate your cyber insurance policy into your company’s processes and procedures. For example, your cyber liability attorney can work with your security architect to design policies and processes to protect data. If an insurance underwriter thinks that you use encrypted email, then you better be using it. This is important because a discrepancy between disclosures made during underwriting and actual processes could result in a denial of coverage. A cyber liability attorney can assist in designing internal policies and procedures that incorporates requirements in your cyber policy.
In the event of a data breach, or even a suspected data breach, it is extremely important to comply with the provisions of your cyber insurance policy. A failure to follow steps in the policy can result in denied coverage. A cyber liability attorney can help you avoid this disaster by incorporating the cyber insurance policy into an incident response plan. When a data breach occurs, the incident response plan will help the company react appropriately.
I’ve been throwing around the word “holistic” a lot lately. By lately, I mean the last 3 to 5 years. My obsession with the word began when I began searching for a solution to what I describe as “digestion issues”. Doctors tried to prescribe xan...tax…ex…but I wanted a better answer. I was drawn to the concept of “a holistic approach to health”. Focusing not only on diet, but the food – am I eating seasonal foods? Am I balancing spicy foods with cooling food? Am I getting enough rest and variety of exercise? For the first time I realized it is not about eating the same chicken salad and performing the same cardio routine every day, but about mixing it up; finding balance.
Have I gone holistically crazy?
Unless it is contagious, I seem to be on the same path as other industry leaders. Many of the articles I am reading on data privacy and cybersecurity refer to a holistic approach. Looking at a company’s infrastructure from all angles, collaborating across departments, considering the big-picture and implementing processes throughout a lifecycle of data, evaluating exposure from inside-out, considering the before, during, & after, and in between – this is holistic.
It seems that many people, myself included, are preaching a holistic approach to life whether it be health in the real world or in the cyber world. When has a holistic ever been a bad idea? When did we get away from balance and start binging on grilled chicken?
Your health and your network respond well to the holistic approach. Think of the vulnerabilities or problems from every angle and plug in solutions. Part of the holistic approach is accepting that it is a work in progress. You can’t achieve perfection, but rather strive for healthy.
By now you’ve seen references to “cyber hygiene” or “cyber health”. This means companies need to think of cyber liability from all angles and incorporate routine check-ups. Understand that managing cyber liability is part of day-to-day business.
A blog about cyber law including cyber liability, cybersecurity, data privacy, and cyber insurance.
I encourage you to comment and share opinions, ideas, and suggestions, However, please be courteous and use respectful language when commenting. I will try to post all comments to encourage a discussion, but I reserve the right to discard comments I find distasteful or inappropriate.
This blog is not legal advice and does not create an attorney-client relationship. DO NOT share confidential information in the comments of this blog. I will not provide legal advice based on your comments. If you need legal guidance, please consult an attorney and keep in mind that your issue may have an approaching deadline.
Powered by Squarespace.
