February 4, 2019
The likelihood that your organization will suffer a material data breach in the next 2 years is nearly 28%, which is higher than last year’s risk, according to The Ponemon Institute’s 2018 Cost of a Data Breach Study: Global Overview.
Counsel’s best strategy is to insist on a strong organizational plan to quickly and effectively respond to breaches and, ultimately, prevent them in the future. The consensus of counsel and compliance officers is to employ best practices at all times, which means that counsel must:
o new and current employees are trained in identifying and responding appropriately to phishing or social engineering attempts and SQL injections; and managers are expected to emphasize the importance of compliance to employees.
This effort may seem unnecessary to those who aren’t attorneys. It’s absolutely necessary since all written or oral materials, such as data, assessments, recommendations, etc., prepared by or for an attorney in the course of legal representation are protected from discovery and disclosure in an adverse action. This protection should encourage organizations to conduct routine assessments to prevent future breaches.
Unfortunately, written words don’t suffice. Counsel must extend its compliance oversight to third parties’ operations through routine assessments. The results of assessments must also be protected through privileged communication and work product efforts described above. It’s therefore critical that counsel work closely with counsel who represent third parties. Remember, a third party’s breach is your breach.
o law enforcement, whether it’s your local police department, the U.S. Federal Bureau of Investigation (FBI), Secret Service or the Postal Service;
o data owners, whether employees, customers or vendors, to satisfy their need to understand and assess their exposure and to determine their course of action;
o regulators, where necessary, at the state and federal level; if the breach involves protected health information, then report the breach to the U.S. Federal Trade Commission (FTC);
o with the public, as appropriate.
The organization’s statements must comport with attorney-client privilege and attorney work product claims that may be made and, consequently, counsel must control the communications with all parties. This, no doubt, requires significant coordination with many others and ongoing evaluation of what may happen in the future.
How do you assess your company’s compliance program? Ignyte can help you assess your risk before you’re in rapid response mode. See www.ignyteplatform.com to take your first step.