Three data security compliance specialists told a room full of corporate lawyers that companies that handle large amounts of sensitive data should start networking with law enforcement agencies and the data security vendor community immediately.
Erez Liebermann, chief counsel for cybersecurity and privacy at Prudential Financial Inc. (NYSE:PRU), said corporate compliance managers should make a point of participating in and networking with cyber security groups in their communities.
If corporate compliance managers aren’t already talking to the cyber security investigators at the nearby offices of the Federal Bureau of Investigation (FBI), the Secret Service, and other state and federal agencies, they should cold call and arrange meetings, he said.
“It’s really important to have those relationships in place,” Liebermann said.
Having good relationships in place may help the law enforcement agencies get a better feel for what’s going on, help a company get a little extra insight into what the agencies are thinking, and pave the way for smoother interactions if a crisis does occur, Liebermann said.
Liebermann and the other cyber security specialists appeared at a session at LegalTech New York, a legal services technology convention organized by ALM, the parent company of LifeHealthPro.com.
The convention was aimed at law firms and in-house lawyers at companies of all kinds, not specifically at companies that handle large amounts of data subject to the Health Insurance Portability and Accountability Act (HIPAA) privacy and data security standards.
But Liebermann and the other speakers — Ovie Carroll, director of the cybercrime lab at the U.S. Department of Justice, and Ed Goings, a consultant at KPMG LLP — had data security planning and management tips that could apply to brokers, health insurers and other handlers of HIPAA data, as well as to handlers of other sensitive information.
The speakers said companies should:
Have data security planning sessions focused on information technology and sessions dominated by people from outside IT.
Decide how and when to tell the chief executive officer, board members and law enforcement agencies about cyber problems.
Recognize that, once a breach occurs, the IT part of the response is just one part of the response.
Recognize that letting law enforcement agencies learn about a data breach from a news media report is a very bad idea.
Consider hiring a separate public relations firm, possibly through outside counsel, for cyber crisis communications. Structuring crisis public relations that way could increase the odds that the arrangement will get attorney-client privilege protection, Liebermann said.
Have internal teams, outside vendors, and, if possible, different outside vendors test system defenses. Getting fresh eyes on the defenses is important, because even the best teams may miss problems, Liebermann said.
Recognize that hackers are always improving their methods. “Think like the hacker,” Liebermann said. “Continuously transform.”
In other discussions at the session:
Liebermann noted that cloud services vendors often make doing thorough system security assessments difficult.
Liebermann, who spent nine years working in the U.S. Attorney’s Office, said he hopes the new Cyber Information Security Act of 2015 (CISA), which was in the H.R. 2029 package, will help make information sharing between cyberattack victims and government agencies more of a two-way street. In the past, he said, some agencies’ attitude about “information sharing” has been, “I get to play with my toys, and I get to share your toys.”
Carroll said devices’ efforts to sync data may create new, unrecognized forms of security risk by building big, obscure databases that show what users looked at, when they looked at it, and, often, where the users were when they looked at the information.