This summer's steady and unrelenting stream of highly publicized data breaches is forcing long overdue discussions around data security and incident response preparedness. While the threat of a data breach is not a new or emerging risk, many organizations may only now be starting in earnest to assess their response capabilities and get organized to ensure they will not be the next victim and news sound bite. Whether the motivation is to avoid being the next company listed on krebsonsecurity.com, or whether it is simply to obtain a night of uninterrupted sleep it is clear that tough questions need to be directed toward the individuals responsible for the management of the organization's Information Technology.
Ten questions every General Counsel should be asking their CIO and why.
- Has the company developed a written document that maps data by repository, inventories the data elements captured in such repositories, identifies the data owners, and classifies the data's sensitivity? A detailed mapping of all of the organization's data repositories is a critical component to evaluating the risk related to a data breach. Unless the organization knows what it has, where it resides within the organization and who is responsible for the data it cannot respond quickly or effectively to data loss. The time invested in understanding these important facts will serve the organization well if a data breach or data loss occurs. Additionally, this document can further serve as a basis for mapping the legal and regulatory obligations surrounding such data. Once completed the document can be updated and utilized by individual data owners, the IT department and the legal department.
- What third parties have access to our data, how is this tracked and how are we monitoring access? The General Counsel should be able to identify every third party that accesses the organization's data. There should be a corresponding agreement between the organization and the third-party organization addressing responsibility in the event of a data breach. These agreements should be negotiated to give broad rights to the organization to ensure appropriate data security controls are in place by the third party and also provide for indemnification of the organization in the event of a data breach.
- What percentage of the total IT budget is spent on data security? General Counsel may feel uncomfortable raising questions concerning the budget of another department, but the answer to this question could be a potential red flag or a source of immense comfort. The implications are obvious. Too little money spent could appear to be a breach of fiduciary duty in the event of a data breach and too much money could be evidence of incompetence in the event of a data breach. Ultimately, the objective is to understand the number and consider the spending in light of the size of the organization, the nature of the existing legal and regulatory obligations of the organization and the risk tolerances of the organization. At a minimum, the General Counsel needs to know the answer to this question before a data breach occurs to appropriately bench mark the organization against similarly situated organizations.
- What percentage of IT personnel have expertise in data security? See response to number 3. The same logic applies to personnel. Can the organization credibly defend measures in place prior to, and in response to, a data breach with its existing personnel? Does the organization have the right people in place to respond appropriately given the organization's risk profile and in the event of a data breach?
- In the last six months what have we done to assess and remediate any vulnerability in our IT infrastructure? The General Counsel needs to understand in detail what measures are in place to assess and remediate these risks. This information will be important in determine the risk of a data breach. The results of such an assessment could also be Exhibit A for regulators and plaintiff's lawyers, if it exists. The General Counsel needs to know in advance what records exists regarding vulnerabilities and any remediation of those vulnerabilities. This is not a document that should be reviewed for the first time in response to a subpoena or as part of a document production.
- Do we have an incident response plan and is it current? This is critical and should be addressed as soon as possible. The mere act of putting a plan together can deliver valuable information and allow the organization to effectively respond in the event of a crisis. Detailing the measures taken in response to a data breach in advance and without the pressures of an actual data breach will result in a more refined, well thought out plan to activate during a live data breach.
- Are we controlling access to sensitive data to ensure that employees only have the access required to perform their job responsibilities and not more access than necessary or required? The General Counsel should understand the controls that are in place to ensure the principle of least privilege applies to employees of the organization. This needs to be closely monitored by the IT department. The principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs. If the lowest level employees can access the organizations most sensitive data outside of their normal job function, this fact alone, can be a potential information security incident. Applying the knowledge obtained through the completion of a data map and classification of the organization's data can be leveraged to ensure the organization is applying the principle of least privilege.
- How do we handle the hiring and background checks for third-party IT contractors working on projects involving the company's most sensitive data? IT is no different than any other part of the organization. The rules surrounding temporary or contract employees should be strictly enforced in the IT department, with careful compliance oversight for hiring and retention of third-party contractors. If the IT department were a bank full of cash every single individual with access to the cash would be scrutinized. In reality, the organization's data is like cash and the controls for who can access and work with the "data cash" should be strictly enforced. In some organizations the IT department is moving fast to "keep the lights on" for the business. The pressure to support the business whether it is continuing to develop and write code or keep the network operating can be intense. If the lack of qualified employees is an issue, requiring temporary employees to maintain operations, this is an area to be closely monitored.
- Do we have an agreement in place with those individuals or are we relying on a third party service provider's provisioning of candidates and what if any agreements are in place with the third-party service provider that cover the risks to the business from third party contractors? This is a very important point to understand from a data security perspective. How are third-parties coming into the IT department to perform contract work? Are the appropriate controls in place from a contractual perspective and has the risk been addressed as part of the contractual provisioning of third-party labor? Failure to negotiate these agreements with suitable protections for the organization along with carefully understanding the third-party's screen process for placing employees could also be a source of unnecessary risk.
- What current initiatives are in process that implicate customer or employee data? Have the privacy and data security requirements been reviewed by privacy compliance or legal? General Counsel needs to constantly be engaged on this topic. This question applies to departments beyond IT because many organizations are trying to capture and monetize data. The reality is these departments will need IT to support, or be directly involved in, these efforts. For this reason, the IT department will likely be a clearinghouse for corporate initiatives involving data. If the legal department is in the dark about these initiatives, then the privacy and regulatory implications may not be fully addressed at the outset of the project. General Counsel should be at the table at the beginning of these initiatives, not as an obstacle but as a partner that can ensure the project is both lawful, relatively risk free and that there are no surprises during the roll out.