4 Things Businesses Are Getting Wrong About Privacy

  1. “We can address privacy later.” This approach can cost you more money than it will save you, for several reasons. One big reason not to put off privacy until later is that the FTC is cracking down on businesses as small as solo operations for inadequate data privacy practices.

  2. “We don’t need a lawyer to handle privacy.” I see this time and time again: companies try to rely on a non-lawyer to help them with compliance. We cannot ignore the “law” part of privacy. The laws set the minimum requirements. Why wouldn’t you want a lawyer to interpret the laws for you? Any idea how those standards measure up in court? A privacy lawyer is absolutely necessary to have on the team.

  3. “We’ll do a quick privacy project.” This is a long-term relationship. Buckle in.

  4. “We are too small to worry about data privacy.” Wrong; see number 1.

Caution Against Cybersecurity Without Data Privacy

The Conundrum

I’ve noticed an interesting conundrum: cybersecurity programs operating without consulting a privacy attorney.

When I first realized that cybersecurity was being implemented without consulting a privacy attorney, I thought, “how?” and “why?” How would you know which data requires cybersecurity if you don’t know which data is entitled to privacy? Why would you spend money on a cybersecurity program that might not help you avoid legal liability and fines?

A privacy law determines what needs to be protected. Cybersecurity is how to protect it.

Privacy Law & Cybersecurity Work Together

From trade secrets to personal identifying information, we look to the law to understand which types of data are entitled to privacy. Some laws even dictate how we achieve privacy by mandating security measures such as encryption. The laws might also impose duties and obligations on companies that handle data. Failure to comply with privacy laws can cost companies a lot of money in the form of penalties, fines, expensive lawsuits, and crippling damage to reputation. Without a proper assessment of privacy law, a cybersecurity program might not include the security measures that would reduce legal liability or allow the company to meet its legal obligations. Cybersecurity without data privacy is an expensive shot in the dark. I can only assume that when companies pursue cybersecurity without understanding data privacy laws, they do so out of ignorance or misunderstanding rather than intent.

Rather than randomly applying cybersecurity measures, companies should narrow the focus of their cybersecurity program by tailoring it around potential legal liability. Of course, it is crucial to implement general cybersecurity to protect the company’s network from malicious attacks and intrusions, but it is also important to understand that some types of data require additional security, procedures for destruction, processes for obtaining appropriate consent and access, and other requirements depending on applicable privacy laws. Such requirements should be addressed in a comprehensive cybersecurity program.

Consider basic home security. We put locks on the outward facing doors and windows to protect ourselves and our belongings. Many of us even install alarm systems. We put locks on bathroom doors to protect privacy. But do we put locks on all doors? For some reason, we do not put locks on closet doors. It is another door, yet not deserving of a lock because of the general understanding about how closets are used and the expectations of privacy and security within a closet. Of course, you could add a lock to your closet door. Nothing is stopping you. You could add locks to every single door and cabinet in the house. But this would be unnecessary and inconvenient. Could you imagine having to unlock a cabinet door to get a cup for water? Even though it is possible, we simply do not need locks on every door and cabinet.

Unlike the common sense we share about home security and physical privacy, cybersecurity and data privacy are less intuitive. The good news is that rather than rely on common intuition, we have privacy laws to guide us in determining which doors in the cyber world require locks, so that we are not wasting resources by installing locks that are unnecessary and inconvenient.

Having a cybersecurity program without considering privacy law might not only be a waste of money, but it could also miss the target and leave your company exposed to legal liability.
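The tailoring described above, as an added example that is not from the original post or its author: a small Python inventory check that maps each data category to the controls an obligation would require, reports the data stores that are missing them, and separately lists controls that nothing requires (the locks on closet doors). The category names, the required-control mapping and the sample inventory are constructed assumptions; a real mapping is derived from the laws and contracts the company is actually subject to, which is the privacy lawyer's job, not the script's.

```python
from dataclasses import dataclass

# Hypothetical, constructed mapping from data category to the controls a
# privacy obligation would require. The real mapping comes from the laws and
# contracts that apply to a given company; this one only illustrates the shape.
REQUIRED_CONTROLS: dict[str, frozenset[str]] = {
    "public": frozenset(),
    "internal": frozenset({"access_control"}),
    "personal": frozenset({"access_control", "encryption_at_rest",
                           "retention_schedule"}),
    "health": frozenset({"access_control", "encryption_at_rest",
                         "encryption_in_transit", "retention_schedule",
                         "consent_record", "audit_logging"}),
}


@dataclass(frozen=True)
class DataStore:
    """One place data lives, the categories it holds, and the controls in place."""
    name: str
    categories: frozenset[str]
    controls: frozenset[str]


def required_controls(categories):
    """Union of the controls required by every category present.

    An unknown category is an error rather than "no requirements": data that
    has not been classified cannot be assessed, which is exactly the gap the
    text warns about (not knowing which data is entitled to privacy).
    """
    required = set()
    for category in categories:
        if category not in REQUIRED_CONTROLS:
            raise ValueError(f"unclassified data category: {category!r}")
        required |= REQUIRED_CONTROLS[category]
    return frozenset(required)


def find_gaps(stores):
    """Return {store name: controls required but missing}, only for stores with gaps."""
    gaps = {}
    for store in stores:
        missing = required_controls(store.categories) - store.controls
        if missing:
            gaps[store.name] = missing
    return gaps


def find_surplus(stores):
    """Return {store name: controls present that no category requires}.

    Not a violation (a lock on a closet door), but a candidate for review
    because it costs money and convenience without reducing liability.
    """
    surplus = {}
    for store in stores:
        extra = store.controls - required_controls(store.categories)
        if extra:
            surplus[store.name] = extra
    return surplus


# Constructed sample inventory; store names and control states are invented.
INVENTORY = [
    DataStore("marketing-site-assets", frozenset({"public"}),
              frozenset({"access_control"})),
    DataStore("crm-db", frozenset({"personal"}),
              frozenset({"access_control", "encryption_at_rest"})),
    DataStore("patient-portal-db", frozenset({"personal", "health"}),
              frozenset({"access_control", "encryption_at_rest",
                         "encryption_in_transit", "retention_schedule",
                         "consent_record", "audit_logging"})),
    DataStore("support-ticket-backups", frozenset({"personal", "health"}),
              frozenset({"access_control"})),
]

if __name__ == "__main__":
    for name, missing in find_gaps(INVENTORY).items():
        print(f"GAP     {name}: missing {sorted(missing)}")
    for name, extra in find_surplus(INVENTORY).items():
        print(f"SURPLUS {name}: not required {sorted(extra)}")
```

The backups store is the case the text is really about: it holds the same regulated data as the production portal but has only the baseline network-style control, so it would fail the obligation even though the company "has cybersecurity". The public asset store shows the opposite problem, a control spent where no obligation calls for it.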

6 Reasons Why You Need Your Cyber Attorney To Review Cyber Insurance

I’m often asked about the difference between someone like me, a cyber liability attorney, and a cyber insurance agent. It’s a fair question. On the surface, we both can help with cyber insurance. Here are six reasons why it is particularly important to have a cyber liability attorney review your cyber insurance.

1. Lawyers have ethical duties to clients.

Lawyers have a fiduciary duty to clients. We are bound by a code of ethics and must represent a client’s interests. By having a cyber liability attorney review your insurance policy, you can rest assured that the policy is being analyzed by someone who is truly on your side.

2. Interpret the legalese in the policy.

A lawyer can interpret the legalese in the insurance policy and help you understand how it interacts with your business. This is an important step when considering cyber insurance because these types of policies are commonly misunderstood. A cyber insurance policy might interact with your business in a way that is either helpful or useless.

3. Evaluate how new laws apply to your business & affect cyber insurance.

There are many reasons why people misunderstand cyber insurance. Part of the problem is that many people don’t quite comprehend the risks and sources of liability in the first place. Much of the liability comes from legal obligations associated with using data and technology. Such legal obligations are currently being developed by lawmakers. A cyber liability attorney can keep up with the new laws and evaluate whether your cyber policy adequately covers new liabilities impacting your business.

4. Understand how courts interpret the words in the policy.

Another reason to consult a cyber liability attorney is that a cyber attorney can identify language in the policy that has failed to provide coverage in the past. For example, a policy provision can appear to say “yes, there is coverage for the precise risk you are concerned about”. However, one tiny word or phrase such as “direct cause” could drastically change the reality of things. A cyber liability attorney can help you identify the not-so-obvious limitations and exclusions so you know whether you are getting the coverage you expect.

5. Incorporate the policy into your company’s procedures.

A cyber liability attorney can incorporate your cyber insurance policy into your company’s processes and procedures. For example, your cyber liability attorney can work with your security architect to design policies and processes to protect data. If an insurance underwriter thinks that you use encrypted email, then you had better be using it. This is important because a discrepancy between disclosures made during underwriting and actual processes could result in a denial of coverage. A cyber liability attorney can assist in designing internal policies and procedures that incorporate the requirements in your cyber policy.

6. Data breach response.

In the event of a data breach, or even a suspected data breach, it is extremely important to comply with the provisions of your cyber insurance policy. A failure to follow steps in the policy can result in denied coverage. A cyber liability attorney can help you avoid this disaster by incorporating the cyber insurance policy into an incident response plan. When a data breach occurs, the incident response plan will help the company react appropriately.

A Holistic Approach to Cybersecurity

I’ve been throwing around the word “holistic” a lot lately. By lately, I mean the last 3 to 5 years. My obsession with the word began when I began searching for a solution to what I describe as “digestion issues”. Doctors tried to prescribe xan...tax…ex…but I wanted a better answer. I was drawn to the concept of “a holistic approach to health”. Focusing not only on diet, but the food – am I eating seasonal foods? Am I balancing spicy foods with cooling food? Am I getting enough rest and variety of exercise? For the first time I realized it is not about eating the same chicken salad and performing the same cardio routine every day, but about mixing it up; finding balance.

I continue to talk about the holistic approach to health, but now, I am applying the word “holistic” to my work by referring to a holistic approach to cyber liability.

Have I gone holistically crazy?

Unless it is contagious, I seem to be on the same path as other industry leaders. Many of the articles I am reading on data privacy and cybersecurity refer to a holistic approach. Looking at a company’s infrastructure from all angles, collaborating across departments, considering the big-picture and implementing processes throughout a lifecycle of data, evaluating exposure from inside-out, considering the before, during, & after, and in between – this is holistic.

It seems that many people, myself included, are preaching a holistic approach to life, whether it be health in the real world or in the cyber world. When has a holistic approach ever been a bad idea? When did we get away from balance and start binging on grilled chicken?

Your health and your network respond well to the holistic approach. Think of the vulnerabilities or problems from every angle and plug in solutions. Part of the holistic approach is accepting that it is a work in progress. You can’t achieve perfection, so strive for healthy instead.

By now you’ve seen references to “cyber hygiene” or “cyber health”. This means companies need to think of cyber liability from all angles and incorporate routine check-ups. Understand that managing cyber liability is part of day-to-day business.