Cyber security basics and legal considerations for a good program

Think of all the interlinked systems that businesses use to access and transmit data. Valuable and sensitive confidential information is funneled through these conduits. Without protection, it is vulnerable to theft.

“The most valuable information for cyber thieves is the personal information of individuals, because there is a ready market for that kind of information to be bought and sold,” says Edward G. Rice, Co-Chair of the Cyber Security Group at Sherrard, German & Kelly P.C. “In more recent years, as thieves have become more sophisticated, they’ve started looking at commercial data, including trade secrets. That data could be stolen and sold on the open black market.”

Smart Business spoke with Rice about cyber security and how to set up processes to protect electronic information.

Why do companies typically fall victim to cyber attacks?

Many companies have not created a data security plan because there is no legal requirement compelling them to abide by certain standards of protection, or they do not think it is important. In other cases, the plans companies do put in place may be deficient for any number of reasons: not enough money spent, not the right expertise, not properly tested for vulnerabilities, etc. Some companies think they are safe if they just put up a firewall and install antivirus software. Nothing could be further from the truth.

Additionally, data security breaches are often about who a company lets in. For example, in the Target Corp. credit card data breach from a couple of years ago, data thieves hacked into Target’s systems indirectly, through the computer systems of one of its HVAC vendors. That allowed the hackers to steal data, which cost the company millions of dollars and ultimately resulted in the resignation of its CEO.

What are the core aspects of cyber security?

Among the fundamental aspects of cyber security is risk analysis. This involves understanding what types of data a company has and the risk the company faces if that data gets breached. A fundamental first step is to take inventory of all data, the systems that house and permit access to it, and test these lines for vulnerabilities. A common method is to engage an outside specialist to do a penetration test. If weaknesses are discovered, they can be patched.

What should companies understand about the legal components of cyber security?

Most states have data breach laws that apply to all businesses, not just to banks, hospitals and insurance companies. For example, if a company that collects and stores data on individuals has that data stolen, the company would be required to provide notice to all those individuals whose data was breached and offer them credit report monitoring services, both of which are significant financial obligations.

Further, if an individual or group of individuals affected by the breach can show real harm or damages, those individuals can seek recovery from the company.

The reputational risks to the company also are significant. A data breach can create a sense of insecurity with existing and potential customers, and also cause a company to lose contracts if clients worry that their data is at risk.

Why should companies involve legal counsel when constructing or improving a cyber security program?

Lawyers know the rules and obligations companies must adhere to and typically have a good network of professionals who, together, can assemble a comprehensive cyber protection program.

Companies need to understand all of the risks they face, and legal counsel can convey that. After the program is built, lawyers can monitor changes in the law and be ready to advise the company if and when an issue arises. Of significance, working with a lawyer from the outset of a problem provides the company with the added benefit of attorney/client privilege.

Talk with a lawyer about the requirements, from both a legal and business standpoint, to protect your business, and its sensitive and confidential information. Build a plan for a cyber security program, test it and have contingencies. The worst time for a company to find out that it is unprepared for a breach is after it happens.

Insights Legal Affairs is brought to you by Sherrard, German & Kelly, P.C.