By Katia Bloom, senior legal counsel at Avira, a global internet security company
Cyber security is a major concern, even for those who don’t regularly deal with sensitive information at their job. When news broke that presumptive Democratic nominee Hillary Clinton would not be charged for mishandling classified information during her tenure as secretary of state, we wondered how in-house legal counsel can prevent similar situations from happening in their workplace. So the Association of Corporate Counsel reached out to Katia Bloom, commercial lawyer at Avira, for her recommendations for companies who want to protect their classified information from getting into the wrong hands.
Why is it important to have work-sensitive emails only on company-protected servers (i.e., not on a personal server or device, such as a mobile phone or tablet)?
With such easy accessibility to work materials on mobile devices, most companies — regardless of industry — effectively have an entirely mobile work force and it is imperative that work emails have an extra layer of protection that most of us don’t have on our personal devices.
What, if any, problems can arise from an employee having their emails on a private server or device?
The most obvious is sensitive customer or employee information getting into the wrong hands. This is especially critical in highly regulated industries or with very sensitive information, such as health or financial data. Additionally, as the recent ACC “The State of Cybersecurity Report” points out, almost 10 percent of all system breaches occur as a result of a lost laptop or mobile device. There is also a serious risk that sensitive company information, such as sensitive M&A activity, litigation threats, financial liability, etc., will fall into the wrong hands. This can cause both reputational and financial damage.
What can companies do to prevent employees from having work emails on their phones or on private servers?
It’s important to have policies in place; however, policies can only get companies so far. What’s really critical is having a way to implement policies in a way that employees actually want to comply with them. This requires training and getting everyone on board with the reasons behind the policy. If everyone understands that we need to protect sensitive company information, they are much more likely to support this mission.
Is there training that employees should undergo? If so, what would it entail?
At the end of the day, employees are just people, and we all live in a world where we use our phones for anything and everything. There is no way to prevent someone from emailing work email to their personal account. The training must include plenty of real-world scenarios that demonstrate how an innocent mistake costs a company both time and money. Recent activity by various regulatory bodies — including the SEC — also puts pressure on companies to not only have policies in place, but to make sure employees are trained properly.
Should classified information accidentally be leaked, what actions should be taken to rectify the situation?
First, it’s important to understand what information went out and to whom. Second, it’s necessary to make sure that the company isn’t required to disclose the information leak per myriad disclosure laws, especially if sensitive customer data has been leaked. Third, after each incident, it’s critical to gather a team from each relevant department and review, refine, and implement a new plan of action to make sure such an incident never happens again and proper additional safeguards are in place. As a practical matter, regulatory bodies look favorably on companies that act systematically and quickly to respond to any and all incidents. This includes regularly auditing a company’s security measures and breach response tactics, understanding which third-party vendors have access to what information, and knowing whom to call in the event of a breach (e.g., outside counsel, FBI, etc.).
For further reading, download the ACC Docket article “Cybersecurity - Emerging Trends and Regulatory Guidance.” While a company cannot eradicate cyberthreats, it can manage them and develop a plan to respond to an incident. This process requires cooperation and teamwork across company departments, including active participation of in-house counsel, who play a critical role in this process.