How to define Reasonable Cybersecurity for your organization
If your organization is hacked, have you considered the legal ramifications of a potential cybersecurity data breach? Let’s look at the Equifax breach. The most recent headline was about the insider-trading charges that were brought against a former employee. He sold stock and options after learning of the massive data breach at the credit reporting agency. What’s next for Equifax?
The problem with the Equifax breach is that the hackers found their way in through a known vulnerability. The entire episode could have been avoided with a simple patch policy. (Have you heard about PREtect?)
According to the National Law Review, Equifax is potentially in violation of the Fair Credit Reporting Act: As a “consumer reporting agency” under the Act, Equifax was required to “maintain reasonable procedures designed to … limit the furnishing of consumer reports to the purposes listed” in the Act. See 15 U.S.C. § 1681e(a). Consumer plaintiffs are alleging that a failure to fulfill this duty under the Act allowed the data breach to occur, which will likely require experts in the credit reporting industry who are knowledgeable about the standards of information management and the measures taken by other credit reporting agencies to maintain data security.
Consider Reasonable Cybersecurity
Shawn Tuma is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas. As someone who works in cyber law on a day-to-day basis, his advice is worth reading; see below. (Check out his videos here.)
Based on his short but informative SecureWorld interview, Mr. Tuma says that Reasonable Cybersecurity should be defined by each organization. What is reasonable for one company may not be reasonable for another.
Along with Mr. Tuma, we recommend that the journey to define Reasonable Cybersecurity for your organization should begin with a risk assessment. This assessment will help you determine any potential risks that your company may face.
Once your risk assessment is complete, the next step is to create a plan and prioritize putting the appropriate policies, procedures, and tools in place.
To show that your organization has achieved reasonable cybersecurity, you have to take legitimate steps to combat the risks that your company faces. If a breach happens, you will be able to show that you have done what you could to prevent cyber incidents.
Are you checking the boxes?
Many times, we have seen organizations that are looking to purchase a tool or run a quarterly scan or assessment just to check the compliance box. There’s so much more to creating an environment of reasonable cybersecurity than just having the tools in place. Mr. Tuma recommends starting with these fundamentals of cyber hygiene:
- Create cybersecurity policies and procedures
- Train your workforce on those policies
- Create and enforce password policies
- Utilize multi-factor authentication
- Back up your data