As National Data Privacy Day approaches on January 28, we're sharing six data security and privacy action items to focus on in 2024. The start of a new year is a great time to check your company's overall cybersecurity and privacy health and address any problems early in the budget cycle. These tips should help ensure your company's data security and privacy policies are kept safe throughout the coming year.

1. REVIEW YOUR WRITTEN INFORMATION SECURITY PROGRAM AND IMPLEMENT CHANGES

Maintaining sound information security practices is not just a good business practice, it's the law. Several states, including Massachusetts, require companies to review existing Written Information Security Program (or WISP) annually. After analyzing current policies, consider whether program updates and changes are warranted by implementation of new threat protection technologies, any company breaches and near misses, any vendor breaches and near misses (such as the MoveIt software breach, used by payroll vendors, that affected 60-plus million users), expansion of business to include non-US customers and users and accompanying non-US data requirements, changes in breach or business risks that merit procurement of data insurance or increases in coverage limits, among other factors.

2. DEVELOP OR REVIEWAN INCIDENT RESPONSE PLAN

Given the high frequency of security incidents affecting companies of all sizes, companies should strongly consider developing, maintaining and annually updating a response plan. A sound plan should provide guidance on key issues that will arise from security incidents and reportable breaches.

3. CONSIDER ADDITIONAL PROTECTIONS AGAINST RANSOMWARE 2.0 ATTACKS

In addition to "traditional" ransomware attacks that encrypt key company files and demand a substantial payment for the decryption key, threat actors have evolved their strategies to become more harmful. These attacks are focused on moving within the company network to identify and exfiltrate sensitive business or employee/vendor/user personal information that can be used to threaten the company into a substantial payment in the common case where a shutdown alone is not effective. In addition to maintaining tools that can deter unlawful network entry and securing accessible backup networks than can be activated in an emergency, consider implementing tools to identify and shut down exfiltration and remediate potential attack points (such as the exploit targeting the Citrix remote connection program used in several recent attacks).

4. REVIEW AND MODIFY YOUR PRIVACY POLICY

Consider expanding all company security policies to address non-US requirements where warranted by business opportunities. Also, pay attention to new requirements that may apply to the company privacy policy. An increasing number of states – including Connecticut, Delaware, Tennessee and Virginia, plus several western states – have followed the lead of California, requiring companies to either implement privacy policies containing minimum requirements or adding new requirements to existing privacy policies. The new requirements differ from state to state, so it would be best to determine the scope of states applicable to your business and implement mandated requirements accordingly.

5. STAY CURRENT ON USE OF SECURITY VENDORS AND CONSIDER CHANGING UP APPROACHES

As a best and sometimes required practice, companies should periodically retain outside vendors to review and test the effectiveness of company security-related technologies, practices and policies, as well as reviewing and prioritizing lists of measures that may merit adoption in future years or budget cycles. Companies also may want to mix it up with alternative approaches, such as penetration testing or anti-phishing testing or training.

6. REFRESH ANDREINVIGORATEANNUAL STAFF SECURITY TRAINING

Savvy and compliance-focused companies should provide staff security-related training annually, at a minimum, and, in many cases, promptly after a significant security incident. Every company should focus attention on annual training and ensure that training is updated to include key issues faced by the company or the marketplace in 2023, such as ransomware 2.0 developments and the recent increase in business email compromise and payment fraud.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.