As the average cost of a data breach in the United States exceeds $7 million, companies must prepare to mitigate such an incident or close their doors. Appropriate legal and technical preparation can help to reduce the adverse consequences of an attack. Currently, based on the nature of a company's business and the information it collects, a myriad of laws and regulations may apply. Failure to take appropriate steps to come into compliance subjects a business to enforcement actions by agencies, lawsuits from affected consumers and fines from various state regulators.

Compliance with the number and complexity of federal and state cybersecurity laws and regulations is no simple task. As an essential part of a cybersecurity program and before a potential breach occurs, companies need to develop a Written Information Security Policy ("WISP") and create a network of relationships with experts to contact in the event of a suspected breach. A WISP is an internal company document encompassing, among other things, the company's methodologies in identifying, protecting, detecting and responding to incidents. A WISP not only allows a company to identify and address potential compliance issues, but also incorporates legal principles to mitigate damages in the event of an incident. A WISP also provides guidance and procedures to each department on how it should handle information.

As the law develops, WISPs may become an industry best practice. A properly drafted WISP will require that a company's breach response be documented and will be consistent with evidentiary rules. In responding to an incident, a company should know not only the appropriate information to preserve but also how to maintain that information in an admissible format.

Legal counsel is an integral part of the WISP creation process. Utilization of legal advice in connection with the WISP creates an argument that at least some aspects of the process are shielded from disclosure in litigation because of the attorney-client privilege or attorney work product doctrines. If legal counsel played no role, information provided to a company from a computer security professional would most likely be discoverable in litigation.

The generation of a WISP may require the hiring of outside vendors as well as communication with different levels of staff hierarchy. All communications should include provisions explaining that the information is confidential and being gathered for the purpose of rendering legal advice.

Most businesses face complex and growing cybersecurity concerns. Risk management professionals can bring real value to their companies by addressing these concerns and reducing their companies' risks, because cybersecurity is not limited to the technology group but requires a top-down organizational approach.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.