A question that often comes up around cybersecurity and incident response is when to involve legal. The best time to get advice from your attorney is before an incident. Here are 5 tips from legal resources on steps to take NOW:
1) Obtain verification from key vendors that they have measures in place to protect your data. Think about the outside companies that have access to your data, including your payroll company, your accountant, and your IT service provider. Do you have any outside counsel that accesses files from their office or their home? These connections could be a threat to your data security if not implemented correctly, so it’s important to confirm that these vendors are aware of cybersecurity risks and have protections in place to prevent unauthorized access.
2) Read your cloud service agreements. You will likely be surprised that YOU are still responsible for protecting the data that the cloud vendor is storing for you. Ask for a detailed matrix of responsibility that shows what they are providing, and be sure to put solutions in place to fill the gaps.
3) Review your cyber insurance policy for exclusions and contingencies and check the coverage. First and foremost, don’t assume that you have cyber coverage as part of your standard commercial policy. Don’t just look at the summary of coverage; look closely at both exclusions and contingencies. Many policies exclude fines and penalties, which can run into six figures even for SMBs. Some policies won’t cover notification costs, which can run $4-$5 per record. Determine how many customer, employee, client or patient files you have stored and do some quick math to confirm your coverage is high enough. Are there any contingencies, such as requirements to maintain compliance with PCI standards to protect card data or to perform ongoing testing? If so, make sure you are meeting these requirements or risk not being able to collect.
4) Align your cybersecurity to a known framework. If an incident occurs, even if you are not required to follow a compliance standard because you don’t maintain credit card or health data, litigation could follow. If it does, you will be asked whether the protections you had in place were “reasonable.” If you are aligned with a recognized standard such as the National Institute of Standards & Technology Cyber Security Framework (NIST CSF), International Standards Organization (ISO) or CIS 20, it will be much easier for counsel to argue that you took reasonable measures and could not have prevented the incident.
5) Know who to call for incident response BEFORE an incident. If you don’t know the right steps to follow, bad decisions can make an incident far worse, and the steps vary based on the type of incident. If data belonging to others is exposed, you have notification duties. If an insider steals proprietary data from you or does something destructive to your business, such as maliciously deleting files, you need to preserve the forensic evidence to be able to take legal action. Having access to resources that understand cybersecurity from forensic, legal and public relations aspects can help ensure that the damage from your incident is contained. Adding cyber coverage to pay for these resources is part of Foresite’s specialized offering that you (and your clients) can take advantage of to have everything in one place, with white glove 24/7 access and the funding to retain the help when you need it most.