The likelihood that your organization will suffer a material data breach in the next 2 years is nearly 28%, and that’s higher than last year’s risk according to The Ponemon Institute’s 2018 Cost of a Data Breach Study: Global Overview.
Counsel’s best strategy is to insist on a strong organizational plan to quickly and effectively respond to breaches and, ultimately, prevent them in the future. The consensus of counsel and compliance officers is to employ best practices at all times, which means that counsel must:
- Coordinate with a variety of departments and divisions in the organization to identify and mitigate exposure. Counsel should routinely interact with human resources to ensure that:
o new and current employees are trained in identifying and responding appropriately to phishing or social engineering attempts and SQL injections; and managers are expected to emphasize the importance of compliance to employees.
- Work with cyber professionals to identify and assess risks and measure compliance with the plan all the while ensuring that written data, assessments and recommendations are produced as attorney work product.
This effort may seem unnecessary to those who aren’t attorneys. It’s absolutely necessary since all written or oral materials, such as data, assessments, recommendations, etc., prepared by or for an attorney in the course of legal representation are protected from discovery and disclosure in an adverse action. This protection should encourage organizations to conduct routine assessments to prevent future breaches.
- Protect confidential communications between lawyers and their staff and the client (the organization’s staff and management) under the attorney-client privilege. Everyone in the legal department should mark all sensitive information communicated as “privileged” to resist efforts to compel the company to disclose privileged information either through discovery or testimony in an adverse action.
- Require that third parties, such as contractors and consultants, implement the organization’s compliance program, assess their exposures and mitigate their risks, in the contracts signed by the organization and third parties.
Unfortunately, written words don’t suffice. Counsel must extend its compliance oversight to third parties’ operations through routine assessments. The results of assessments must also be protected through privileged communication and work product efforts described above. It’s therefore critical that counsel work closely with counsel who represent third parties. Remember, a third party’s breach is your breach.
- Communicate with:
o law enforcement, whether it’s your local police department, the U.S. Federal Bureau of Investigation (FBI), Secret Service or the Postal Service;
o data owners, whether employees, customers, vendors, to satisfy their need to understand and assess their exposure and to determine their course of action;
o regulators, where necessary, at the state and federal level; if the breach involves protected health information, then report the breach to the U.S. Federal Trade Commission (FTC);
o with the public, as appropriate.
The organization’s statements must comport with attorney-client privilege and attorney work product claims that may be made and, consequently, counsel must control the communications with all parties. This, no doubt, requires significant coordination with many others and ongoing evaluation of what may happen in the future.
How do you assess your company’s compliance program? Ignyte can help you assess your risk before you’re in rapid response mode. See www.ignyteplatform.com to take your first step.