The Evolving Legal Framework Regulating Commercial Data Security Standards, an article by Hogan Lovells associate Bret Cohen, was featured in the January/February 2014 cybersecurity law issue of the Maryland Bar Journal. The article covers the sources of regulation and potential legal liability in the U.S. for businesses that experience data security breaches, including general consumer protection laws, state data security laws, federal sectoral laws, and consumer class action litigation.
To mitigate legal risks, the article recommends that organizations take the following steps to protect regulated information:
- Take an inventory of regulated information. The first step to determining what risks exist is knowing what information the organization maintains, and where that information is located.
- Design and conduct regular security risk assessments. A common thread of all of the security-related legal requirements is the ongoing assessment and management of risk. While it may require an initial investment, proactive identification of and reaction to these risks is much cheaper than handling breaches after the fact. For smaller organizations without vast stores of regulated data, this does not need to be a significant undertaking; there are off-the-shelf materials and audit criteria that can help guide assessment efforts. But regardless of size, organizations should consider conducting these assessments under the direction of counsel, to preserve privilege in case the assessment reveals any risk that later leads to a breach.
- Regularly train employees on data security. While IT staff responsible for security operations should receive the most robust training, countless breaches have occurred through the actions of normal employees, from clicking on a virus in an email to losing a thumb drive containing sensitive information. Therefore, employees should be trained on the company’s data security policies when they first join the organization and then on a periodic basis thereafter.
- Incorporate data security into vendor management procedures. Organizations are increasingly outsourcing data processing operations to service providers, so a key to maintaining an acceptable level of risk is conducting reasonable diligence on these providers and including security-specific terms in their contracts.
- Consider cyber risk insurance. Despite best intentions, some data security breaches cannot be avoided and may not be covered under standard Commercial General Liability policies. Therefore, companies should speak with their brokers about the availability of cyber risk insurance, which can help fill some of the gaps in coverage.
The article, available here, originally appeared in the Maryland Bar Journal and is reprinted by permission of the Maryland State Bar Association.