Cybersecurity Audits: Finding Your Right Standard

Topics: Celesq, Corporate Legal, Cybersecurity, data security, Law Firms, Legal Innovation, Midsize Law Firms Blog Posts

Getting data privacy and security policies up to standard is an essential task for any company, from financial institutions to on-line retailers. The question is, however, which standards? Here’s where things get complicated, very quickly.

In a Celesq webcast, “Conducting a Data Security and Cybersecurity Audit of Your Organization: What In-House Counsel Should Know,” recorded on January 31, David Zetoony, partner and chair of the data privacy and security team at Bryan Cave LLP, and Art Ehuan, managing director for global risk cyber services at Alvarez & Marsal Disputes and Investigations, spoke of the complexities of becoming compliant with a host of state, federal and international data security standards. Companies have to know which standards apply to their business, then determine how to conduct a data or security audit and evaluation, and that runs the gamut from setting goals to putting practices in place.

There are roughly 300 data security and privacy statutes today, ranging from state regulations to international standards. “The big takeaway here is that there are a lot of state statutes,” Zetoony told webinar attendees. “There’s no one statute or regulation that you can point to and say, ‘That’s it, that’s our standard.’ For most industries, when you talk about data security laws, you have multiple statutes and regulations. And among those, you have to pull out a standard.”

Bryan Cave’s David Zetoony

Data security and privacy issues are becoming more critical, he noted. “It is a risk factor that almost every board is aware of at this point, and that wasn’t true five years ago. They need a plan and a proposal to understand the legal risks and the path forward.”

Most statutes fall into a few broad categories. Greatest in number are breach notification statutes, which require a company to notify consumers and regulators following a security breach. Other categories include disposal statutes (which regulate how a company should dispose of consumer or institutional data) and safeguard statutes (what a company’s obligations are to protect data before a breach occurs).

Zetoony is planning another Celesq webinar on these issues on March 21: “Responding to an FTC Investigation into a Company’s Data Privacy or Security Practices: What Counsel Should Know About the Investigation and How to Respond.”

Each company should assess which statutes apply to their business, Zetoony explained. Take the Gramm-Leach-Bliley Act (GLBA), which applies not only to financial institutions but to essentially any company that extends credit to customers, like a car dealership or retail store. GLBA was “one of the first federal attempts to provide data security regulations on companies, and you see echoes of GLBA in other state and federal statutes,” Zetoony said. A common way that regulators design a new statute is to basically say: “Do we do this like GLBA, or do we deviate?”

Companies should use caution when announcing which standards they’re using. For instance, if a company posts on its website that it follows the International Organization for Standardization 27002 standard, “that statement arguably carries the force of law,” Zetoony said. Because if you publicly proclaim that you’re compliant with a particular standard, but aren’t in reality, that could violate Federal Trade Commission prohibitions against deceptive acts and practices and open your company up to a lawsuit.

Another key decision is how to ensure compliance with a given standard. If this is done to assure contractual partners, a company may want to retain a third-party consultant, because a contractual partner “may not trust an evaluation conducted internally. External parties look for validation that a third party could provide in terms of benchmarking,” Zetoony said.

That leads to a follow-up question: How much information do you provide? If you’re doing an assessment for partners and using a third party, “you wouldn’t want to provide a report that includes a complete network diagram or your entire security infrastructure, [because] if that third party loses or leaks it, that information could compromise your data systems,” he said.