{"id":238,"date":"2019-07-15T21:19:37","date_gmt":"2019-07-16T03:19:37","guid":{"rendered":"https:\/\/www.jcolvinlaw.com\/?p=238"},"modified":"2019-07-22T12:13:41","modified_gmt":"2019-07-22T18:13:41","slug":"what-to-tell-the-board-of-directors-about-security-and-privacy","status":"publish","type":"post","link":"https:\/\/www.jcolvinlaw.com\/?p=238","title":{"rendered":"What to Tell the Board of Directors About Security and Privacy"},"content":{"rendered":"\n<p>Recently at a conference I had the honor to be on a panel discussing security and privacy. I was asked to start with the following question: What should we be telling the board of directors about security and privacy? Given the current general state of cyber security I would be tempted to say \u201cBoys and girls, you are so screwed!\u201d But seriously, I can condense what the board must know into two main points: 1) Your organization must have <strong>written<\/strong> policies and procedures to reasonably detect and mitigate cyber security incidents; and 2) Don\u2019t let your technical staff decide what level of risk your organization is to accept.<\/p>\n\n\n\n<!--more-->\n\n\n\n<h1>Written policies and procedures<\/h1>\n\n\n\n<p>It is no longer acceptable to hire \u201csmart\u201d people who are supposed to design and implement your organizational defenses. Doing so assumes that the staff you hire really is smart enough and that it is even possible to completely secure the organization\u2019s information. They aren\u2019t and they can\u2019t. Every security decision is a balance between usability and security. Perfectly designed security is simply to make the information no longer available to anyone at any time. Obviously, that isn\u2019t going to work or you would be out of business. You must assume that at some point there is going to be unauthorized access to information. 
If this is information for which you have a contractual or statutory duty to protect, then your organization will have breached its contract or broken some law or regulation. It will not help you to simply tell them \u201cBut we hired the smartest people!\u201d There is something that could help, something that might even relieve you of all liability. If you can show that you had the policies and procedures to detect and mitigate <em>reasonable<\/em> methods of unauthorized access and that no one could have stopped such an unauthorized access, then quite a few laws and regulations will give your organization a pass. That is especially so if you can show that you noticed the unauthorized access, gave proper notification when required, and made changes to reduce the chances of a similar incident. For example, the HIPAA Security Rule mandates that \u201ccovered entities\u201d must \u201c[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.\u201d 45 CFR \u00a7164.308(a)(1)(i). It won\u2019t matter if you can prove that the unauthorized access was something new and that no one could have prevented it. The regulation uses the word \u201cmust,\u201d which under the law means that you have no choice but to do what follows that word. If you can\u2019t show that you had the policies and procedures already in place, then you will lose the argument and could place your organization in danger of significant fines and penalties. Similar language is spread throughout state and federal regulations. Between companies, such language is also in well-crafted data protection agreements (also called Information Security Agreements).<\/p>\n\n\n\n<h1>Decide what level of risk the organization should accept<\/h1>\n\n\n\n<p>With the never-ending array of security products and a dizzying set of choices on how to configure them, it is no wonder that the board has no idea how the organization\u2019s information is protected. 
If the decision is left to the technical staff on how to protect that information, then the technical staff is making choices about what level of risk is acceptable. This can\u2019t be. But it is not necessary for the board to start learning each security product used in their organization. Start with these questions: 1) What information do we control? 2) What are the contractual, statutory, and regulatory requirements for protecting this data? 3) What is the risk to the organization and to the data itself now, and how does that risk change given the suggested security controls applied to the data and the systems that touch it? These are questions that the board should be asking the CIO (Chief Information Officer) and CISO (Chief Information Security Officer) or whatever the equivalent is for that organization. If neither the board nor the C-level staff knows the answers to these questions, then you have some serious work to do and had better get to it.<\/p>\n\n\n\n<p>For the board to ignore the impact of never asking these questions, or to fail to put the organization on the path to answering them, is for the board to neglect one of its basic duties. That basic duty is providing oversight for the shareholders. Failure to make reasonable efforts at oversight is how board members get sued and replaced.<\/p>\n\n\n\n<p><strong><em>Joel Colvin has been a security consultant since 1992 and an attorney since 2015. 
If you would like help in developing your organization\u2019s security policies, please contact him at jcolvin@jcolvinlaw.com.<\/em><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What the board must know in two main points: 1) Your organization must have written policies and procedures to reasonably detect and mitigate cyber security incidents; and 2) Don\u2019t let your technical staff decide what level of risk your organization is to accept.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.jcolvinlaw.com\/index.php?rest_route=\/wp\/v2\/posts\/238"}],"collection":[{"href":"https:\/\/www.jcolvinlaw.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jcolvinlaw.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jcolvinlaw.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jcolvinlaw.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=238"}],"version-history":[{"count":7,"href":"https:\/\/www.jcolvinlaw.com\/index.php?rest_route=\/wp\/v2\/posts\/238\/revisions"}],"predecessor-version":[{"id":258,"href":"https:\/\/www.jcolvinlaw.com\/index.php?rest_route=\/wp\/v2\/posts\/238\/revisions\/258"}],"wp:attachment":[{"href":"https:\/\/www.jcolvinlaw.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jcolvinlaw.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jcolvinlaw.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}