Enterprises overlook legal issues in breach preparedness

Companies preparing for security incidents overlook the legal aspects


Companies preparing for data breaches and cyber security incidents too often focus on the technology and overlook the legal aspects.

In a recent study by Hanover Research, for example, about 54 percent of companies conducted a cyber threat audit, but only 33 percent involved their legal departments in the process.

"Companies are more likely to involve lawyers as a reactive measure, after an incident has occurred, rather than as a proactive measure," researchers said in their report, which was based on a survey of corporate law departments conducted on behalf of Indiana University's Maurer School of Law.

This is a problem, because IT or security staff typically focus on physical and electronic security, not necessarily the legal, compliance, or privacy issues of a data breach, said Scott Vernick, the head of the data protection and privacy practice at the law firm of Fox Rothschild LLP, in Philadelphia.

"They won't necessarily be sensitive to or be able to spot the issues that the lawyers are thinking about," he said.

Corporations should bring in legal counsel early in the process, he said.

"The ideal is to have everyone working together," he said.

Vernick said his firm has conducted dozens of privacy audits for mid-sized and large companies.

These audits include identifying the data that a company collects, stores, and transmits, as well as reviewing a company's vendor management program to understand potential third-party impacts on data security.

"Based on the answers to these questions, you can identify legal risk," he said.

For example, most companies have some sensitive information about their employees.

"You may discover that there's a whole lot of people who have access to all employee information that is online or in a database of the company and truth be told, not all those people need access to all that information," he said. "And that risk can be managed by limiting the number of super users with access to the whole database."

But a privacy audit can do more than help a company identify its risks up front and suggest ways to reduce them.

It can also help a company respond to a data breach more effectively, he said.

"It's hard to respond if you don't know where your data is located," he said. "You may think, in the initial hours of a breach, that only X amount of data or only a certain type of data was exposed because you didn't know where all the data was stored."

Many organizations don't have a good grasp on how much potentially sensitive data they have, and where it all is.


"It can be stored in all kinds of nooks and crannies that people don't ordinarily think about," he said.

Vernick said that, in his experience, retail companies generally have a better grasp on the issue because they're used to dealing with compliance requirements, and healthcare-related companies are catching up.

But, as the recent Sony breach showed, all types of companies are vulnerable, he said. "It's really an issue that applies to everyone."

Copyright © 2015 IDG Communications, Inc.
