Mark Harrington, general counsel at Guidance Software, said, "How a company is prepared and how they handle a breach is important. The government is giving favor to companies that are well prepared and willing to cooperate." Harrington suggested, "If you don't have the internal expertise, you should find an expert law firm, educate yourself, or find a vendor."
"Not all data is equal. How is it being collected? How is it being stored? Discarded? Those who guard data have been viewed as criminals when they got hacked, and that's not fair," said Harrington. As the standards for cybersecurity continue to be established, perspectives have changed. Harrington said, "Now, if you had your act together and still got hacked, we're going to treat you as a victim."
The old adage, "proper preparation prevents poor performance," resonates when it comes to breaches and complying with privacy regulations.
"The government is going to look at how prepared you are to detect intrusion. Do you register attacks? Do you encrypt data? Most companies have outward facing policy to the public, but the FTC looks at policy as deceptive. If you are not being preventative, you're ignoring the issue and you subject yourself to being hacked," said Harrington.
Can an organization prepare for a breach without the aid of a cybersecurity attorney?
DJ Vogel, partner at Sikich's security and compliance practice, advised, "Determining whether to have a cybersecurity attorney should be based on a company's risk assessment, which will inform what level of involvement they need from outside sources."
Because cybersecurity attorneys will have expertise that corporate attorneys may not have, Vogel said, "You should at least have a relationship with a cybersecurity lawyer." Well-versed in the breach notification laws that govern disclosures, cybersecurity attorneys work in conjunction with forensic investigators and public relations to frame incidents in the best light.
"Security and legal share a very similar mission," said Sean Cordero, director in the office of the CISO at Accuvant. One area of overlap, Cordero said, is the cloud. "One of the most opportune things that has happened for cybersecurity is the cloud. When you're moving into the cloud, you're inevitably relying on external controls. The only way to maintain control is through contract language," Cordero said.
Another area of concern for Cordero is policy development within a security group. "When you have IT and security personnel with no legal training trying to develop policy, you have the potential to inadvertently expose the organization to harm." Companies need somebody who is a specialist.
Though much of the disclosure language is similar from state to state, the implementation might be different. Cordero spoke of the differences between Iowa and California and the specific laws around notification in a breach. "When dealing with any kind of interstate or international regulation, an organization needs to have legal expertise," Cordero said.