If you don’t have to keep it, don’t keep it. If you have to keep it, encrypt it. - Cynthia Larose

What's the one thing every company's data security program must include? That's the question we put recently to experts in the field, knowing that, especially after Heartbleed, the diversity of responses would create an invaluable checklist for all risk managers and corporate leaders charged with the protection of company (and client) data. Here's what we heard back:

1. Ongoing Assessment of Priorities

Effective data security is not a one-size-fits-all concept, and it needs to be nimble so that it can quickly adapt based on your company’s needs, changing technologies, and emerging threats…

From Pat Fowler, partner at Snell & Wilmer: “An effective data security program must include, and arise from, a continuing assessment of the company’s data security needs. The federal government’s new cybersecurity framework would be a reasonable starting point for this assessment. Effective data security is not a one-size-fits-all concept, and it needs to be nimble so that it can quickly adapt to changing technologies and emerging threats. The company needs to establish its priorities for data security – the relative value of the various kinds of data that it collects, maintains or transmits, the risk and liability if such data is lost or breached – and the assets/resources (financial, technological, human) that it can reasonably commit to meet those priorities. A company’s risk tolerance and various external factors (evolving threats, client/customer requirements, applicable regulatory schemes, industry standards, etc.) also must be included in this continuing assessment in order to have an effective data security program, both today and in the future.”

2. Smart Data Governance

If you don’t have to keep it, then don’t keep it. If you have to keep it, encrypt it…

From Cynthia Larose, chair of Mintz Levin's Privacy & Security practice: “There are two things that relate to 'one thing' – governance of what you have. If you must store personal data on a mobile device, you must encrypt it. Period. Not a day goes by that we don’t hear about a data breach that is the result of the loss or theft of an unencrypted laptop or other device. Two settlements announced this week involved exactly that and cost the companies involved a collective $2 million. The second “must” also ties to what you have. If you don’t have it, you can’t lose it. Every data security program must include guidance on data destruction, or must dovetail with a separate policy on data retention and destruction. Many of the “mass data breaches” of late could have been minimized if the unnecessary data had been deleted. Just ask the University of Maryland and Iowa State University. If you don’t have to keep it, then don’t keep it. If you have to keep it, encrypt it. A good data security program will provide for both.”

3. An Information Security Dashboard

The discipline of creating, reviewing and modifying dashboards can ignite a culture of continuous improvement within the organization at all levels…

From Tim Banks, partner, Canadian lead for the Privacy and Data Security practice at Dentons: “An information security dashboard is a critical but overlooked element of a data security program. Dashboards counteract information security opacity within the organization. A dashboard will present data in a way that allows senior decision makers to visualize information security risks and track metrics in order to make informed decisions and respond to threats. The discipline of creating, reviewing and modifying dashboards can ignite a culture of continuous improvement within the organization at all levels, demonstrating due diligence to regulators. When the organization is in the midst of a crisis or responding to a critical threat, the dashboard tool is already in place to track the organization’s response and report the information in an understandable way for senior decision-makers and public relations specialists. However, not all dashboards are created equal. The benefits of an information security dashboard are achieved when the organization integrates legal requirements, information reporting, and diagnostic and gap analysis. Information without context is not useful.”

4. Appropriate Policies for Third-Party Vendors (Not Just Employees)

Policies should include specific obligations regarding maintaining the confidentiality of nonpublic information and provide for periodic auditing of compliance…

From George Meinz, principal at Gray Plant Mooty: “Data thieves are becoming increasingly sophisticated in their social engineering attacks. One of the predominant types of social engineering attacks is the phishing attack, which has been at the heart of a number of recent data breaches. Third-party vendors have become more frequent targets of phishing attacks as a potential backdoor into a target’s corporate systems. In order to help mitigate the risks posed by these attacks, each business should ensure that its data security program contains appropriate policies for both employees and third-party relationships. These policies should include specific obligations regarding maintaining the confidentiality of nonpublic information, provide for periodic auditing of compliance with these policies, and assign responsibility for enforcing accountability for compliance with those policies. Additional requirements that should be applied specifically to third-party relationships include the adoption of appropriate data security policies that are consistent with the principal’s policies, the liability of the third party for failing to maintain the security and confidentiality of the data, the rights of the principal to audit the third party’s compliance with the policies, and the use by the third party of outsourced resources to perform its contract with the principal.”

5. A Meaningful Fix for the Certificate Authority Vulnerability

To the extent some companies do attempt to implement safeguards, it is almost always for internal systems only, which comprise only a small part of the attack surface for the CA vulnerability…

From Steven Roosa, Data Privacy and Security partner at Holland & Knight: “The Heartbleed vulnerability, unfortunately, is just the tip of the iceberg when it comes to problems with SSL/TLS in securing network communications. Specifically, in the wake of the Heartbleed vulnerability being disclosed, every company needs to appreciate the importance of the Certificate Authority ("CA") vulnerability in SSL/TLS and take steps to secure employee mobile devices, the company's public-facing websites and portals, the company's web portal for employees, as well as endpoints and servers the company controls. What is a CA and the CA vulnerability? The SSL/TLS protocols rely on digital certificates and these certificates are typically issued by CAs, who are third parties. Most companies' security architectures unwittingly trust dozens of these CAs, some of which are under the ostensible control of foreign governments, such as China. All of these CAs have the power to compromise the full spectrum of "secure" company communications. Typically, most companies do not guard against this vulnerability, which operates as a designed-in back door and is by far the weakest link in the SSL/TLS ecosystem. To the extent some companies do attempt to implement safeguards, it is almost always for internal systems only, which comprise only a small part of the attack surface for the CA vulnerability. In the wake of Heartbleed and the other media disclosures throughout 2013 and 2014, the time for companies to implement a meaningful fix is now.”


Topics:  Corporate Counsel, Cybersecurity, Cybersecurity Framework, Data Breach, Data Protection, Heartbleed, Legal Perspectives, Need to Know

Published In: Business Organization Updates, Consumer Protection Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© JD Supra Perspectives | Attorney Advertising
