Despite the blizzards that hit the East Coast, I had the pleasure this week of presenting to the Business Law & Corporate Counsel Sections at the New York State Bar Annual Conference in a very cold Manhattan. The presentation was on the legal and privacy issues both before and after data breaches – especially the liability issues arising from the (almost) inevitable plaintiffs’ class actions, employee suits, and regulatory proceedings.
I continued to beat my drum about:
• the danger of relying on the wrong “reasonable standards” (given the different, and sometimes conflicting standards from different regulators and AG opinions);
• proving that you have identified and documented the relevant security standard and what your peers are doing BEFORE the breach – not as an after-thought when preparing for litigation;
• the very real danger of claiming false levels of security, particularly if you rely on third-party vendors whom you don’t actually audit;
• and the increased granularity of regulatory scrutiny (e.g. under the new NY State Dept. of Financial Services examination procedure, where they want a copy of your CISO’s CV – which will be scary for those small financial institutions that have simply appointed the most tech-savvy executive as the de facto CISO – see the New Cyber Security Examination Process).
Other take-aways from my great panel members:
Yanai Z. Siegel, Esq. (Co-Chair, Cyber Liability and Data Privacy Practice Group at Your House Counsel / Shafer Glazer, LLP):
1. In the event of a data breach, your computer system becomes a crime scene. Preserve the evidence for IT forensics, so any recourse and prosecution options remain available.
2. Personal information is like toxic waste. You don’t want to spill it. Check your statutes and regulations to find out what is on the hazardous materials list, and then find out if you are keeping any and where you’re keeping it on your computer system.
Patricia Harman (Editor-in-Chief, Claims Magazine):
No company, no matter how large or small, is immune to a cyberattack. It is not a matter of if a firm will be breached, but when. Companies need to develop an incident response team and an incident response plan before there is a breach. After the event will be too late.
Bruce Raymond, Esq. CIPP/US (Raymond Law Group LLC):
Privacy programs can be daunting for medium and small businesses, but all well-managed companies need this protection. In today’s risk environment, it’s not a “nice to have”, it’s a “need to have.”