The Case for Lawyer-Supervised Privacy Programs

The time is now for corporations and their lawyers to take steps to address information security. As we approach the end of 2015, we are on notice of the importance of this issue, yet almost no one is adequately addressing the risks of data breaches. Between civil and regulatory actions and other losses, data breaches cost companies billions of dollars each year.

People, Things, and Processes Needed

To protect itself a business should establish a lawyer-supervised privacy program. Once the lawyer or law firm is selected, the next step involves identifying the other professionals needed for the program. First, identify a forensic information technology (IT)/data security expert. These experts differ from network administrators who focus more on making information systems work rather than protecting data.

The next member of the privacy team should be a cyber insurance expert, well-versed in newly available insurance products. Cyber liability insurance coverage has no standard forms and potentially significant gaps in coverage. Your cyber coverage must be examined along with commercial general liability (CGL), directors and officers (D&O), errors and omissions (E&O), advertising and media, intellectual property (IP), professional liability, and other polices to identify any uninsured gaps or important limitations in coverage. Risk mitigation techniques or loss-spreading strategies must manage the risks of these shortfalls.

These outside experts need to work with senior management and internal stakeholders such as IT and human resources (HR). The internal stakeholders should form the Privacy and Information Security Committee, which is responsible for formulating privacy policy and implementing a response plan.

Once the committee is established, the focus moves from people to things.This involves software and hardware designed to protect electronic information assets including, but not limited to, personally identifiable information (PII) and personal health information (PHI). Firewall, antivirus, anti-malware, encryption, and physical security measures are examples of barriers to limit unintended disclosure of information assets.

Besides people and things, perhaps the most important aspect of a successful privacy program is process. Privacy needs to integrate into the core of the company. A privacy program is not a once-and-done proposition; rather, it needs to become an evolving aspect of responsible management. To the extent that a company can sustain reasonable and prudent protections for private information, the company ultimately will save money, keep the trust of its customers, and benefit from a competitive advantage.

Outline of Common Issues and Approaches

• Start your privacy program development now and make it your goal to be in process by the next quarter. Starting from scratch, it will take 12 months to get a baseline privacy program in place. Devote time each month to avoid biting off more than you can chew and allow for flexibility.
• Write your version of a policy statement to govern your program.
• Make one person answerable to management for privacy and authorize them to act.
• Designate a chain of command, in case a senior privacy leader is not available.
• Map your IT infrastructure to include an inventory of every device with electronic memory (e.g., smartphones and servers).
• Map your data. Locate all electronic and paper copies of PII and PHI. Don’t forget mobile devices, voicemail, scanners/copiers. Consolidate and encrypt private information and limit access to those who need it.
• Adopt privacy by design principles. If you don’t need the data and you are not required to keep it, dispose of it in a reliable manner.
• Identify all outside persons or entitles with access to your network, including archive and software as a service (SaaS) providers.
• Develop vendor criteria and protocols. Don’t approve vendors that cannot certify insurance, data security, and privacy compliance.
• Require defense and indemnity contracts to cover a data breach or accidental loss of PII.
• Create a written bring your own device (BYOD) policy for the use of employee-owned devices, such as smartphones and tablets. These should be encrypted, and companies should consider software that allows company-owned information to be reliably separated from personal communications.
• Determine if it is required or desirable from a business perspective to obtain certification on data security compliance, such as for the payment card industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), International Organization for Standardization (ISO), or National Institute of Standards and Technology (NIST).
• If a merger or acquisition is considered, establish a privacy-compliance, due-diligence protocol to avoid buying another company’s data breach or privacy law violation.
• Establish, supervise, and improve training programs for all categories of employees.
• Review HR policies and employee monitoring.
• Develop, train, and test a data-breach response program.

Starting a lawyer-supervised privacy program is not an option for some future point in time. If you start now, you can have an excellent program working to protect your company by this time next year. There are many resources to get started and make it happen.