United States: Key elements to add to your company’s information security program

To print this article, all you need to do is be registered or log in to Mondaq.com.

In 2012, then-FBI Director Robert Mueller said, “There are two types of businesses, those that have been hacked and those that will be.” Now, a decade later, that statement is even more relevant.

As General Counsel, you should be an active member of your company’s cybersecurity team. Other team members may include your chief information security officer, chief technology officer, and chief compliance officer. If your company has a smaller footprint, a human resources representative, C-suite staff, and an intellectual technology representative should also be included on your team.

A great first step to upgrading your cybersecurity hygiene is to perform a data inventory for your business. This will map, among other things, what data you have, where it is (either internally or with a vendor) and who has access to it. Next, consider performing a risk assessment to assess the costs and benefits of how you manage your data and to identify vulnerabilities in how the data is secured. Throughout this process, consider using additional protective measures to reduce your risk. This assessment should be documented and updated as your data management and business operations change.

Once the risk assessment is complete, you can advise your company to implement a written information security program (WISP) or update your current one. Creating and maintaining a WISP signals your company’s commitment to cybersecurity. Typically, a WISP should contain your risk assessment, along with these plans and procedures:

  • Critical Incident Response Plan (CIRP). A CIRP allows you to effectively prepare for and respond to a security incident in your business. It should include your:
    • Security Incident Detection and Identification Framework
    • Methods of forwarding incident communications to your response team
    • Summary of notification obligations, including those of your insurance policy and contracts with customers, suppliers and business partners
    • Contact list for external forensic experts and outside attorneys (don’t get caught negotiating service contracts in the middle of an incident – you don’t have time)
  • Retention Policy. A retention policy creates a schedule for disposing of data when there is no longer a legitimate business need. Not only are retention policies required by some laws, but they also reduce the amount of data a company holds and therefore the potential damage from a data breach. These policies should clearly document:
    • What data falls under the policy
    • How long data should be retained
    • What specific disposal methods are acceptable

A risk assessment should be performed and documented when determining the retention period for relevant data.

Pre-planning for a cybersecurity crisis is just as important as planning for a natural disaster. Rehearsing your response and performing annual updates to your company’s WISP is key to minimizing the impact of a security incident.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.

POPULAR ARTICLES ON: US Corporate/Commercial Law

FinCEN Releases Proposed Beneficial Ownership Rule

Morrison & Foerster LLP

On December 7, 2021, the Financial Crimes Enforcement Network (“FinCEN”) published a Notice of Proposed Rulemaking (NPRM or “Proposed Rule”) to implement beneficial ownership information

Paper debunks seven ESG myths

Cooley LLP

As we anticipate new proposals from the SEC on human capital and climate disclosure, this recent article from Stanford’s Rock Center for Corporate Governance, Seven Myths of ESG, seems particularly timely.