Member Article

Tailor-Made: Designing and Implementing a Bespoke Data Security Plan

When you hear the term “bespoke,” you may think suits or dresses, but you should be thinking data security plans. Savvy organizations realize that there is no “one size fits all” approach to data security. Instead, companies must develop individualized data security plans based upon the types of data they manage, the applicable laws, their perceived risk exposure and risk tolerance, and other enterprise-specific factors.

The importance of having a comprehensive data security plan in place cannot be overstated. The U.S. Securities and Exchange Commission recently announced that it will begin evaluating companies’ policies designed to prevent, detect, and respond to cyber attacks in its exam process, and the U.S. Department of Health and Human Services recently fined a dermatology practice for failure to have policies in place that address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. In addition to helping companies avoid regulatory scrutiny, good data security plans help companies prevent breaches and mitigate the fallout if a breach occurs.

In this installment of our special series, A Desk Guide to Data Protection and Breach Response, we discuss how companies can create a tailor-made data security plan to limit their breach exposure. In your plan, you should:

• Identify your information security team. Your data security plan should identify the individuals in your organization who are charged with ensuring information security. Given the various business units that may be affected by a data breach, your team should include personnel from your legal, information technology, human resources, and communications/public relations departments, as applicable. It should also include at least one member of your board of directors, particularly in light of recent derivative lawsuits filed in the wake of the Target and Neiman Marcus breaches, which highlight the board’s responsibility for data security and breach response.
• Implement policies to prevent unauthorized access to your network. A well-developed data security plan should include layers of protection (a “defense in depth” approach) to prevent unauthorized access to your data. For example, your company should have policies that require employees to use strong, complex, unique passwords that they change regularly and cannot share. You should never use generic or default passwords. Your company should also have a bring your own device (“BYOD”) policy or other policies addressing whether, and under what circumstances, employees can perform work using devices that they own (including computers or smart devices). For example, you should ensure that employees’ devices adequately protect confidential data by, among other things, requiring that those devices be password protected. Additionally, you should work with your information technology department and/or information security specialists to ensure that you have appropriate technological barriers (e.g., firewalls and network segmentation) to prevent network intrusion.
• Develop a system for tracking network access. Effective information security requires early detection of intrusions and the ability to identify the intruders. Coordinate with information technology professionals to monitor access to sensitive information and be on the lookout for suspicious activity on your network. Among other things, ensure that your firewall logs are sufficiently verbose that you can determine when an intrusion (or any exfiltration of data) occurs.
• Design effective employee onboarding and exit procedures. Unfortunately, your trusted employees can become the source of a data breach when they leave your organization, especially if they leave to work for a competitor. It is not uncommon for employees to walk out the door with valuable data including customer lists, price lists, product designs, and other proprietary information. Companies may also expose themselves to liability if they do not ensure that new hires do not bring other companies’ proprietary information with them to their new jobs. Your organization’s onboarding and exit procedures should protect against these risks by, among other things, obtaining certifications from new employees that they are not bringing competitor information to your organization, instructing employees to report impermissible use of competitor information, and cutting off departing employees’ access to information systems (including email) and company premises immediately after terminating their employment. Departing employees should be expressly asked whether they are taking any company information with them, and their answers should be documented in writing during the exit interviews. Employers should immediately demand the return of impermissibly taken information.
• Conduct employee training. A data security plan is only effective if your employees are aware of the plan and execute it consistently and effectively. Set expectations that your company takes data security (and unauthorized computer access) seriously. Employees should understand the importance of information security, how they can help to ensure information security, and what to do if they suspect a breach has occurred. Promote awareness and preparation through regular employee training.
• Develop a breach response plan. The most important part of your company’s data security plan is the breach response plan, which (as the name suggests) is a detailed plan that governs how a company should respond to a suspected breach. In our experience, these plans help companies quickly and effectively initiate investigations and remediation of data breaches. Among other things, a breach response plan should identify the leaders of the response team and it should be easy to follow and scenario-based. For example, if your organization is a retailer that manages payment card data, outline the response to a breach that implicates that specific type of data. The plan should also provide for the immediate involvement of legal counsel in all aspects of the investigation (including communications about the potential breach, remediation efforts, and disclosure and reporting) to ensure protection under the attorney-client and work product privileges.
• Conduct regular audits. To understand the risks your organization faces and to prepare for a data breach, you must understand your company’s privacy landscape, including the types of information it collects and retains. You must also understand available risk transfer options, including cyber risk insurance. We discussed the steps to analyze the privacy landscape in our first installment (see here), and we will discuss insurance in our next installment; but regular evaluation of these issues should be a part of your data security plan. A regular audit should also include evaluation of your information security practices and whether your company is effectively following that plan.
  

The parameters of your organization’s data security plan will necessarily turn on the nature of your organization, the types of information it collects, and the regulatory environment in which it operates. Haynes and Boone, LLP advises clients on developing and implementing effective, bespoke data security plans.

In the first installment of our special series, A Desk Guide to Data Protection and Breach Response, we discussed transactional and compliance issues that companies face when it comes to securing their data. In future installments, we will discuss how to obtain coverage for cyber events, investigations of suspected breaches, regulatory actions, fallout litigation, and recovering losses through insurance claims. For additional information on any of these subjects, please contact a member of the Haynes and Boone, LLP Privacy and Data Breach group.