LAW Best Practices for Protecting Electronic Business Data Companies are under attack from cyber-criminals, hackers and spies. Is your data at risk? C OMPILED BY M ILES Z. E PSTEIN E DITOR , COMMERCE W ITH THE DATA BREACH AT information for cyber criminals. As consultants to determine whether cyber- SONY in the news and their employees frequently communicate any- incidents are covered and/or whether high-value data exposed for thing and everything via e-mail, access you need cyber coverage from a special- all to see—including their clients who to this information could be most detri- ty underwriter. Ultimately, you need to compete for big-ticket entertainment mental to your organization and clients. know your company’s legal rights and contracts—the risk of cyber hacking has Adopt a “if it should never be made responsibilities, and identify which pro- come front and center for business lead- public, it shouldn’t be communicated on fessionals and law enforcement agencies ers around the nation and the world. e-mail” posture regarding all e-mail to contact in the event of a cyber- COMMERCE asked legal experts to rec- communication. breach. ommend best practices for protecting electronic business data, which is Connell Foley LLP Day Pitney LLP increasingly being compromised by By Peter J. Pizzi, Esq., By Michael J. Dunne, Esq., cyber-criminals who know how valuable CIPP/US, Co-Chair, Partner this information is. Is your data at risk? Cyber Security and Data Privacy Group Protecting electronic Callagy Law, LLC information against By Thelma Akpan, Esq. With cyber-crime becoming an all-too- attacks, and the effects of those attacks, real source of potential harm for busi- involves policies and processes, not just While there is likely no nesses, it is imperative that companies technology. Policies and processes must foolproof way for compa- plan for a cyber-attack. The following take many factors into account, not the nies to protect themselves measures help prepare for and protect least of which is the legal framework in against the most innovative and nefari- against such a prospect. First, know which the business operates. Policies and ous cyber hackers, companies must be what data you have, where it resides processes should address obligations able to proactively detect cyber security and who has access to it. Implement the imposed by various state, federal and, at breaches as soon as possible to minimize most rigorous protection systems for the times, international laws, and the poli- the damage in the face of such a threat. most critical data. Next, test your poli- cies and procedures that may be put in Develop a plan. Even the best systems cies and practices under the protection place to obtain certain legal protections need to be actively monitored, so it is of the attorney-client privilege, engag- and advantages. For instance, a business important that a company’s database is ing outside vendors (through counsel) to needs to ensure it has policies and managed by cyber security to be able to attack your systems and point out weak- processes in place to respond to any sus- detect and stop an attack as soon as nesses, allowing you to make improve- pected security breach as required by possible. A company should do this by ments and enhancements where need- applicable law. It should also have poli- creating or improving upon existing ed. Remember, no system is foolproof. If cies, not just technology, that set clear policies, including the use of data you don’t have a cyber-incident boundaries on employee and third-party encryption; employee training; limiting response plan, make one and test it. access rights. Well-drafted access policies sensitive data to only those who need it; Conduct a real-time exercise with man- may assist in asserting both trade secret the implementation of security software agement to simulate the handling of a claims and claims for violations of the on all devices; and instituting policies on cyber-attack. Consider improving or federal Computer Fraud and Abuse Act. how to choose and when to change enhancing your data policies and prac- Similarly, well thought out and imple- passwords, among other in-house and tices, including password hygiene and mented policies on passwords—and the outsourced policies and programs. Most retention policies, and your practices for use of tokens and other security proce- important, companies should restrict the data control, monitoring, security and dures that are not required by law—can use of e-mail as it is a treasure trove of destruction. Check with your insurance yield significant legal protections. A continued on page 88 COMMERCE • www.commercemagnj.com 86
Recommend
More recommend
