20141117-NEWS--31-NAT-CCI-CL_--
11/13/2014
9:59 AM
Page 1
LEGAL GUIDEBOOK
ADVERTISEMENT
November N ovee 17 – 23, 2014 L9
The Human Element of Data Security and Privacy Compliance By Aaron Mendelsohn
data management practices in order to identify risks and better protect their ver the past two years there employer’s critical information. Often considered the “weakest linkâ€? has been increased focus in the mainstream media and business world in the protection of critical information, on data security and privacy. With employees need to be properly trained the NSA revelations brought forth by and educated by employers to understand Edward Snowden last year and a string what to do with the information necessary RI KLJK SURÂżOH GDWD EUHDFKHV LQYROYLQJ to perform their job duties, and what rules consumer personal data such as Target, and policies are in place to protect it. It’s Home Depot, and most recently, not enough for an organization to simply JPMorgan Chase, issues surrounding post an acceptable use policy or privacy the protection of data have become a policy. Employers should be training their national talking point. But what is often employees regularly to understand how overlooked in the national discourse to properly process, transfer, and store the on data security and privacy is the company’s information, and to be able to importance of educating and training identify data security risks and popular employees to better understand proper attack vectors.
O
Basic employee training should include information about how to securely transfer data, whether to another employee, a vendor, Mendelsohn or to external media such as a USB drive or external hard drive. It must also include information about popular data security attacks and risks such as phishing attacks, social engineering, smash and grabs in parking lots to steal laptops, and the use of unapproved webmail and consumer cloud storage sites. Further, training must also provide information on how to report suspected data breaches
to the appropriate company contacts. Companies should also consider some HQKDQFHG WUDLQLQJ WR VSHFL¿F IXQFWLRQV like IT and HR that regularly process critical information and personal data, and senior executives that are vulnerable to targeted attacks. Not all companies will need the same level of training, and much of the content will be WDLORUHG WR DQ RUJDQL]DWLRQœV VSHFL¿F needs. Companies should always contact their legal professionals for advice on how to put into place effective employee training. Employee training for data security and privacy is not a one and done deal either. It’s an ongoing process where new employees are trained upon hiring,
and then the entire organization receives annual refresher training. And employee training must be part of a larger data security and privacy framework that includes proper policies, and organizational and technical controls But it all starts with your employees, and with an educated workforce an enterprise will begin to properly protect itself from the data security and privacy risks facing businesses today. Aaron Mendelsohn is an associate in the 3iP Group where he practices in the areas of technology transactions and data security, privacy and data/document retention. Contact him at 216-363-4635 or amendelsohn@beneschlaw.com.
Information Governance: What Every “D&O� Needs to Know By Brent M. Buckley
understanding of the company’s cybersecurity protocols for preventing FRUH GXW\ RI GLUHFWRUV DQG RI¿FHUV and responding to a data breach. (Ds&Os) is to protect corporate 'V 2V VKRXOG DOORFDWH VXI¿FLHQW assets, and those of company business time on board and corporate meeting partners. This includes protecting agendas to review cybersecurity, and FRQ¿GHQWLDO LQIRUPDWLRQ UHSXWDWLRQ DQG evaluate what steps have been, or need goodwill. And it requires oversight of to be, taken to manage cyber risks. It management to develop systems that is then that Ds&Os should determine LI VSHFL¿F F\EHUVHFXULW\ LQVXUDQFH LV identify, mitigate and manage risks. While Ds&Os are not required needed and whether it is adequate to to have a detailed understanding of cover possible expenses to the company technology, they should have a direct if a data breach occurs.
A
Cybersecurity insurance typically covers expenses for (i) business interruption, including lost revenues from network disruption; (ii) Buckley “eventâ€? management, LQFOXGLQJ QRWLÂżFDWLRQV OHJDO SXElic relations and electronic data loss; (iii) cyber extortion/ransom, including investigation and reimbursement of expenses to assure continuity of
operations; and, (iv) network security and privacy, including the defense of claims, and payment of settlement and damages. In addition to insurance protection, the documentation and audits that insurers require provide an opportunity to implement prevention measures, along with loss-detection and reporting systems. It has been estimated that nearly 90% of “corporate assets� are now maintained on an electronic platform and therefore are susceptible to a tech/
cyber crisis. While it is not easy to prove the legal duties Ds&Os have for protecting electronically stored information, some claims are starting to succeed. And, aside from litigation concerns, even a court victory will not remedy reputation, operational or enterprise damage. Brent M. Buckley is the managing partner of Buckley King. Contact him at 216-685-4801 or buckley@ buckleyking.com.
The Ohio Chapter of the Legal Marketing Association (LMA) is pleased to partner with Crain’s Cleveland Business on its 2014 Legal Guidebook. LMA is an international not-for-proďŹ t professional organization and the universal voice of the legal marketing and business development profession. It serves as a forum where CMOs and specialists at all stages of their careers from ďŹ rms of all sizes can join with consultants, vendors, lawyers, marketers from other professions and marketing students to share their collective knowledge to beneďŹ t themselves, their employers and their clients. THE AUTHORITY FOR LEGAL MARKETING
www.legalmarketing.org/ohio
LMA’s Ohio Chapter consists of over 100 members in cities across the state. To learn more about our chapter, upcoming programs and ways to get involved, please contact president ERIN HAWK at ehawk@porterwright.com or 614.227.1983 or president-elect and membership chair JENNIFER SHANKLETON at jshankleton@brouse.com or 330.535.5711.