Emerging Markets Law

Showing 6 posts in Risk Management.

Five Lessons from Equifax

Posted In Cybersecurity, Data Privacy, Data Security, Risk Management

The continuing fallout from the Equifax breach reported last month makes great headline fodder, and gives Congressional representatives an easy way to show themselves hard at work protecting voters.

For other businesses, Equifax is going to be a case study, for YEARS, on how not to handle a crisis. Among the reports:

  • The company’s leadership ignored warning signs of a problem.
  • Those warnings were reportedly ignored because of a dispute with the vendor that flagged them.
  • The C-suite did not inform the board of the known breach, affecting roughly half of U.S. adults, for three weeks after learning of it.
  • The company approved stock sales by several insiders after the problems came to light.
  • And the list goes on.

In other words: the news keeps getting worse.

For companies on the outside of Equifax, what are the lessons to draw? This is a timely exercise to run through: October is National Cybersecurity Awareness Month.

  1. Lock up your information. This is priority one, but it is not enough. All locks can be picked; a patched, monitored, access-controlled system still depends on the people who run it, so there has to be a behavioral focus as well.
  2. Create a culture that values confidentiality and treats security problems as an urgent priority. If your factory shut down, you would be all over it; an infosec/cyber compromise may be no less urgent. Don’t wait for a breach to find out.
  3. Have a response plan that goes into effect upon discovery of a problem. Who steps up, what do they do, what do they say, and to whom? Settling these things in advance lets you act more quickly, and more sure-footedly, if you ever face an incident.
  4. Communicate clearly and promptly. Let the appropriate stakeholders know when you discover a problem, and make sure the timing, scope, and substance of those communications take account of the potential fallout. Employees need to hear. The board needs to hear. The C-suite needs to hear. The public may need to hear. What they hear, when, and in what order may depend on the incident, but at the start you control the story. Tell a bad story, or a partial one, and you lose control of the narrative.
  5. Security must be a priority from the top down. That is the only way to accomplish #1-4, and it is the biggest lesson of this debacle. It is clear in hindsight that the company did not have a culture attuned to confidentiality and security. Plenty of people could have made this better, but the overall response, viewed from the outside and after the fact, looks like one big shrug.

In short, cyber and infosec planning cannot be an afterthought: they have to BE your business. And they have to be treated like any operational issue, not like a mere box to check on your list of annual compliance matters. There is no better defense than a good offense. It’s your company: why wouldn’t you protect it? #cyberforgrowth #cyberforbusiness

Unauthorized Computer Access, Without Service Interruption, May Be Cause for Action

In a case of first impression, the Eleventh Circuit has held that an employer need not show an interruption of service to prove actionable harm under the Computer Fraud and Abuse Act (CFAA) and other federal laws. This is good news for employers and potentially for others who suffer computer intrusions.


Clock Running for EU Privacy Shield Self-Certification with Grace Period

The EU-U.S. Privacy Shield, which governs transfers of personal data from the EU to the United States, is now in effect and open to US companies for self-certification. Any US company that wants to self-certify its compliance with the Privacy Shield principles may do so now, and any company that does so before September 30 will have nine months to bring its downstream data-processing contracts into line.

Compliance and self-certification involve publishing a Privacy Shield-compliant privacy policy and submitting a self-certification to the Department of Commerce, both of which must set out how the company complies with the Privacy Shield Principles:

  • Notice and Choice about how an EU individual's personal data is used and shared with third parties,
  • Access to that data, with the ability to correct, amend or delete it,
  • Security of that data,
  • Data Integrity and Purpose Limitation,
  • Recourse, Enforcement and Liability, including independent dispute resolution for aggrieved EU data subjects, and
  • Accountability for "onward transfer" of EU data to third parties.

The process of self-certification is fairly straightforward and may be a good idea for companies formerly covered by the now-invalidated Safe Harbor framework. Any company that collects, processes or uses personal data from the EU may want to consider Privacy Shield self-certification.

For companies that certify before the end of this month, there is a nine-month grace period to bring existing third-party contracts into compliance with the "onward transfer" principle. That gives a certifying company time to put a compliant contracting procedure in place for vendors that process EU data under downstream contracts (in procurement, purchasing and customer relations, for example). 

There is no deadline for self-certification, which can be elected at any time; but the grace period is one-time-only as the Privacy Shield is taking effect. 

Cyber Hygiene: Upgrade Your Software, Too

Data security is a multi-part process for most organizations. Today's installment of cyber hygiene habits for 2015 reminds us that updating software is a critical step in securing our networks. 


Cyber Hygiene: Upgrade Your Hardware

This fourth installment in our cyber hygiene series will discuss the importance of hardware upgrades in maintaining corporate data security. As with all the best practices we recommend in this series, the idea behind protection is to avoid incidents where possible, mitigate damage if they occur, and have a defensible position or "storyline" if you suffer a dispute or investigation. 


3d Circuit Wyndham Decision Will Be Counterproductive

The 3d Circuit Court of Appeals in Federal Trade Commission v. Wyndham Worldwide Corporation, in a decision filed August 24, 2015, ruled that the Federal Trade Commission (the "FTC"), by virtue of Section 5 of the FTC Act, has authority over the data security practices of corporations that collect and use the personal data of their customers.

Consumer advocates have celebrated the case as a win for consumers. I fear it will have the opposite effect.


