United States: Top Things To Add To Your Company's Information Security Program

In 2012, then-FBI Director Robert Mueller said, "There are two types of companies, those that have been hacked and those that will be hacked." Now, a decade later, this statement is even more relevant.  

As general counsel, you should be an active member of your company's cybersecurity team. Other team members might include your chief information security officer, chief technology officer and chief compliance officer. If your company has a smaller footprint, then a human resources representative, C-suite personnel and an intellectual technology representative should also be included on your team.     

A great first step to upgrade your cybersecurity hygiene is to complete a data inventory for your company. This will map, among other things, the data you have, where it lives (either in-house or with a vendor), and who has access to it. Next, consider completing a risk assessment to evaluate the costs and benefits of how you handle your data and to identify vulnerabilities in how the data is secured. Through this process, consider employing additional safeguards to reduce your risk. This assessment should be documented and updated as your data handling and business operations change.

With the risk assessment completed, you can advise your company to put a written information security program (WISP) in place or update your current one. Creating and maintaining a WISP signals your company's commitment to cybersecurity. Generally, a WISP should contain your risk assessment, as well as these plans and procedures:

• Critical incident response plan (CIRP). A CIRP allows you to effectively prepare for and respond to a security incident at your company. It should include your:
  • Framework for detecting and identifying security incidents
  • Methods for escalating incident communications to your response team
  • Summary of notification obligations, including those in your insurance policy and contracts with customers, vendors and business partners
  • List of contacts for external forensic experts and outside counsel (don't get caught negotiating service contracts in the middle of an incident - you don't have time)

• Retention policy. A retention policy creates a schedule to dispose of data when there is no longer a legitimate business need for it. Not only are retention policies required by certain laws, but they also reduce the amount of data a company holds and therefore the potential harm from a data breach. These policies should clearly document:
  • What data falls under the policy
  • How long the data should be retained
  • What specific disposal methods are acceptable

A risk assessment should be conducted, and documented, when determining how long the relevant data should be retained.

Preplanning for a cybersecurity crisis is just as important as planning for a natural disaster. Rehearsing your response and making yearly updates to your company's WISP is key to minimizing the impact of a security incident.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.