What Does It Really Take To Be Data Security Compliant?

By Cameron G. Shilling

As published in NH Bar News (12/20/2016)

Most businesses know (or should know by now) that they must comply with state and federal data security laws and regulations. But business leaders often are unaware of what it really takes to do so. That is understandable. Data security seems complex, and technology consultants and vendors rarely try to demystify it for their customers.

Data security is just like any other legal or business risk management issue. The risk is managed through a process of collaboration between business leaders, information technology professionals, and qualified legal counsel. The process involves the following steps:

  1. Perform a risk assessment of the business’ physical, technological and administrative systems using the requirements and standards of applicable laws.
  2. Generate a report that identifies areas of non-compliance and risk, including a prioritization and chronological plan for remediation.
  3. Remediate vulnerabilities that can feasibly and financially be fixed within a reasonable amount of time.
  4. Create a written data security plan tailored to the procedures of the business.
  5. Train employees about data security compliance generally and the business’ procedures under the written data security plan.
  6. Perform periodic reassessments, including sub-assessments if new or different physical, technological or administrative systems are adopted.

Step 1 – the risk assessment – involves identifying the information a business has that is legally protected, for example, under state data security laws or under federal laws or regulations such as HIPAA, the Gramm-Leach-Bliley Act, or SEC or FCC regulations. The information is then mapped through its lifecycle (e.g., from receipt and creation, through use and transmission, to disposal and destruction), and areas of non-compliance or risk are identified using the legal requirements and standards of applicable laws and regulations.

This is a highly collaborative process between the leaders of the business, competent IT professionals (inside or outside the business, or both), and legal counsel experienced with this area of the law and qualified to understand technological and physical security matters.

Step 2 – the report – flows naturally from the areas of non-compliance and risk identified in the assessment. Priority is assigned to items that are relatively easy to remedy, do not comply with applicable law or entail significant risk, and a timeline is created for addressing the issues.

Step 3 – the remediation – is the process of identifying and implementing solutions to the vulnerabilities identified during the assessment and in the report. Remediating vulnerabilities often depends on the availability of technological or physical systems, and budgetary constraints of the business. It is common for a business to need 12-18 months to properly address all of the vulnerabilities identified in an initial data security risk assessment.

Step 4 – the written plan – is a policy created from the information gathered during the risk assessment and the remedies implemented or anticipated for the vulnerabilities. A plan created in the absence of a comprehensive risk assessment is a pure shot in the dark, and does not comply with state or federal law or accepted practice. No two data security plans are the same because no two businesses are the same, and there is no competent boilerplate form.

Step 5 – the training – is an integral component of data security compliance. Employees handle protected data on a daily basis, and thus need to be taught about data security generally as well as the business’ specific procedures as set out in the written plan. Likewise, properly trained employees know better how to avoid breaches, how to recognize an actual or potential breach, and how to properly respond in such circumstances.

Step 6 – the reassessment – is required and natural for any business committed to data security. Reassessments are used to address vulnerabilities from new or different technology, physical or administrative systems or external threats. Also, as a business that becomes data security aware, it frequently identifies previously unknown vulnerabilities and adopts remedies that enhance security beyond the measures implemented after the initial risk assessment and report.

Data security is not something that can or should be overlooked simply because a business does not understand how to become compliant. Just like any other risk management issue, security is accomplished through an established process of business leaders, IT professionals, and qualified counsel working collaboratively to implement an established process under applicable law.

Know the Law: Who is Liable for Data Breach?

By Ramey D. Sylvester

As published in the Union Leader (12/19/2016)

Q. My company handles a lot of sensitive customer information (medical, financial, biographical) and has relationships with third party service providers that have access to the information. Can my company be held liable to our customers for my service provider’s mishandling of that data?

A.  Bad news first. Not only may your company be liable to your customers, your company may have to engage in costly notification and disclosure efforts, and may be subject to governmental auditing and penalties all due to your service provider’s mishandling of your customers’ sensitive information.

In today’s computer and cloud-based business world, customer data can be accessed, and is often stored, by a company’s service provider or “vendor.” Vendors providing services such as: Software as a service (SAAS), payment processing, accounting, document destruction, and external IT all commonly have access to, and store, sensitive information of their clients’ customers. Even your office supply delivery company, cleaning service, and building maintenance company has access to your customer information and could cause a breach either knowingly or accidentally.

Depending on the privacy laws and regulatory requirements your company is subject to, you may be required to ensure that vendors are equipped to properly secure your sensitive customer data. Regardless, your company will be responsible for your vendors’ failure to maintain the confidentiality of your customer data and for choosing to work with a vendor that is not data security compliant. Should your vendor suffer a data breach, your company will be on the hook for customer notification requirements, governmental investigations, and penalties, in addition to any customer legal action.

So what can you do to minimize these risks? Establish a vendor management program to assess your vendors’ ability to handle sensitive customer data. If the vendor will be handling sensitive customer data, make sure that the vendor has a data security policy and data breach response plan. Further, require the vendor to have cyber insurance policies that will cover the costs of data breaches, and have the vendor sign a data security agreement that will require it to maintain the confidentiality of the customer data, require it to indemnify your company for unauthorized disclosures of customer data, and establish auditing rights that will enable your company to ensure that the vendor is maintaining its data security standards.

The bottom line is that since your company will be responsible for the mistakes of your vendors, you should take appropriate legal steps to protect your company and your customers.