Our panel for the discussion consisted of three experts in the field:
- David Katz (panel host), Leader of the Data Privacy Group at Nelson Mullins
- Bess Hinson, Associate at Nelson Mullins Riley & Scarborough in the Atlanta Office, practicing in the Privacy and Information Group
- Chris Amato, co-founder and Chief Operating Officer at FactorTrust; he was most recently CFO for Premiere Global Services
To kick off the conversation, we wanted to look at why cybersecurity has become such a hot topic and why data is more central to business than ever before. Katz broke down a few of the drivers:
- Information this century is what oil was in the last one—the hottest commodity.
- Mobile technology, including geolocation, beacons, text data and Siri.
- Commerce is constantly collecting data through customer loyalty programs, finance records, retail purchase data and more.
- The Internet of Things is a newer one but has already made a big impact. This includes Alexa, Nest, fitness trackers and medical devices.
- The government is also impacting data collection, with more court records, legal transactions, licenses and travel documents.
Data Privacy & the Law
With the causes on the table of why data has become such a hot-button topic, we next took a look at the different laws affecting companies that deal in data.
Looking at these laws overall, Katz pointed out two key items: 1) there are a great many laws in the United States at the local, state and federal levels, and together they form a patchwork rather than a coherent framework; 2) these laws govern not just how data is stored but also how it is collected.
Hinson added that many of the federal laws governing how businesses collect information are ancient in the grand scheme of technology. She gave the example of the Video Privacy Protection Act: it was written in the VHS era to protect video rental records, but it is now being applied to tech companies that use YouTube and streaming services to collect information about consumers. Because the laws are so old, state legislators and federal regulators have stepped in to control the conversation.
Personally Identifiable Information
The definition of PII, or Personally Identifiable Information, matters because typically the first question that needs to be asked after a breach is: was PII accessed?
Katz broke down the two different ways PII is defined, depending on the level of government:
- States typically define PII as a first and last name combined with at least one of the following: a government-issued identifier, such as a Social Security number or driver's license number; or a bank or credit card account number or its login information.
- The FTC defines it more broadly, which makes it a moving target. Under the FTC's definition it is any combination of first and last name, home address, email address, telephone number, Social Security number, bank or credit card account number, driver's license number, or persistent identifiers, which include things like internet cookies.
What Risks Breaches Bring
Though PII theft often dominates the conversation around breaches, it is just one of three main risks. Fraud is another. Katz gave the example of attackers who broke into a company's Office 365 account and gained access to every bit of its email; from there they were able to phish employees and extract even more information. The third big risk of a breach is the theft of sensitive company information, or intellectual property.
Hinson explained how the risks have evolved over the years. Companies used to say, "Well, no Social Security numbers were taken, so there was no breach," but that is no longer the case. Because the definition of PII has broadened, it is no longer as clear whether what was taken in a breach triggers an obligation.
Though every company wants to downplay the effects of a breach, Hinson explained that you cannot always get away with it. She shared a recent example in which a company was breached and account numbers were taken, but PINs were not. The company initially did not announce it because it did not think the incident counted as a breach, but the state attorney general learned of it and determined that a breach had indeed occurred. In the end, the company had to notify all affected consumers.
What Laws Affect You
Katz shared something that typically floors companies when they are breached: the law of the state where your customer resides is the law you have to respond under, not simply the law of the state where your company is located.
Massachusetts and California have typically had the strictest laws that companies must adhere to, but this is changing in the wake of the Equifax breach announced earlier this year.
Kentucky is one state that has added new amendments governing how companies must announce breaches, including providing five years of identity theft monitoring and frequent credit reports. New York is also making big waves: its Department of Financial Services has added regulations that require covered companies to have a CISO and to report breaches to the state attorney general and regulators on a shortened deadline.
Hinson underscored that New York, in particular, is adding regulation to make up for Congress's lack of legislative progress on these items. The state recognizes its power in the financial world and is ready to hold companies accountable even if the federal government is not. This makes it imperative for financial companies to assess their business ties to New York and ensure compliance.
7 Questions for FactorTrust’s COO and CFO
Katz brought Chris Amato into the conversation with seven quick-hitting questions to get his perspective on how data breaches have evolved and what operational measures companies can put in place to prepare.
- How has cyber security changed in the last five years? Over the last five years, scrutiny has gone up, which has led to increases in costs and in the burden of proving compliance.
- How has the increase in regulations changed business relationships? Early on there wasn't as much regulation; you just had to hold to your contract. Today it's a spider web where customers, companies and vendors are all auditing each other. Ten years ago there wasn't as much of that going on.
- How have operational teams joined with legal and compliance to mitigate risks? At my company, the IT team, software developers, legal, and compliance work together. Over the last few years, our Chief Compliance Officer has implemented an EROC (executive risk and oversight committee), which meets once a month to look at ongoing compliance and identify new risks.
- What are good indicators for how companies can successfully balance risks without paralyzing operational teams that are trying to grow? At our company, sales is typically the team that pushes the envelope, because they see many opportunities for using data analytics in a new way. What we've seen is, if sales engages compliance early on, we'll look at whether we can do what they want and, if we can, how. Sometimes sales doesn't involve compliance because it slows down the sales cycle, but then when compliance does eventually get involved, sales might have to go back to the client and say we can't do what was promised, which is a bad outcome for everyone.
- What differences are there between the way tech companies approach data security versus more regulated entities? Tech companies don’t always deal with consumer data, so that affects how they have to be concerned. Also, as I’ve moved from the tech sector to the more regulated financial services side of business, there’s been a leap, particularly recently, in regulatory scrutiny.
- A company might have good security protocols, but employees aren't always following them. How can this disconnect be fixed? There has to be a top-down approach to compliance. Our CEO is involved in messaging about security threats; we do formalized training regularly, and there are anonymous training programs with fake phishing attacks to show how easily it can happen.
- If you could give one piece of advice to a CFO that’s working to come to terms with evolving cyber risks and legal components, what would it be? It’s easy to get caught up in checking boxes and making sure you’re complying with the form of things, but if you’re not focused on realized threats, you might get lost and miss real risks.
Incident Response: What to Do
Hinson came back into the conversation to cover her specialty: how companies should react when incidents do occur. She explained that because companies often use third parties to store data, in many cases you have to rely on the vendor to tell you there was a breach. For that reason, any vendor you use should be bound to a firm, agreed timeframe within which it will alert you of a breach, preferably within 24 hours of the vendor discovering it, if not 12.
Time is of the essence when breaches occur because of notification requirements. Some statutes require you to notify affected consumers within 30 days of discovering a breach, and in some states you must notify the attorney general within 14 days.
In order to respond to the incident, Hinson shared the general steps you should follow:
- Discover that you had a breach.
- Once you know there was a breach, immediately evaluate whether the incident rises to the threshold for notification. Typically this means bringing in a third-party forensic investigator and engaging them through your attorney, so that the investigation is covered by attorney-client privilege.
- Draft communications for affected consumers, keeping in mind that state laws require these notices to include specific information.
- Notify regulators.
- Know that the likelihood of recovering information or money lost through phishing is low.
Katz added to Hinson's breakdown by reminding everyone that many companies are themselves the third party and need to make their own customers aware of any breaches. If that is your position and a breach does occur, do what you can to help your customer in order to protect the business relationship. Your assistance has limits, however: as a third party you should not be communicating with regulators or consumers on behalf of your client. That boundary protects you from liability while you help them.
And, Katz said, if there is one thing to take away from this: run your employees through a data breach scenario (a tabletop exercise) and see how they react, so you know how prepared you really are.
Guarding Against Data Breaches
There is no way to completely guard against a data breach, but there are common-sense steps you should make sure your company is taking.
- Katz advised that there should be layered protection around your data. Access controls, the networks and applications in use, the physical environment, and operations should each have their own protection. Because this can get complicated, many companies have started streamlining by removing the CIO role and tying that function directly to the CFO.
- Protection around these layers is important, but Hinson also pointed out the importance of making sure employees are prepared. We often take the communications we receive for granted, but attackers will gather information and then send fraudulent emails or texts requesting wire transfers while posing as a coworker or client (so-called business email compromise). This makes training extremely important.
- A final important step is making sure your company has cyber liability insurance. When a data breach occurs, there are two different categories of expense, and you should be covered for both: first-party expenses, which are your own crisis mitigation costs such as forensics and consumer notification, and third-party expenses, which are the claims filed against you.
All of the above are important, but a simple checklist for making sure you are doing what you need to in order to prevent a data breach would be:
- Making sure you have good information protection.
- Starting data management committees within your company.
- Making sure you’re regularly assessing risks.
- Training your people over and over again.
- Having the proper corporate policies and procedures in place.
- Treating data as a toxic asset. Look at it as a risk, figure out what you hold, and work out how much it would hurt if it were accessed by the wrong people.
From the Audience
During the panel discussion and at the very end, we heard from a few audience members, all of whom brought up excellent questions and points.
Q: My company has no PII in our company system, but we have 401(k) info, employee info, and we depend on providers to have adequate security, so what do we need to make sure we're doing?
A: A lot of companies have major questionnaires for providers to understand how the provider is storing information, so use those. Also, look at certifications for assurance, and look at agreements and make sure providers aren’t limiting liability.
Q: A lot of companies can’t afford a CISO. How do you make the decision to outsource?
A: It’s all about balancing costs. You just need to find the cost factor of what’s cheapest and best for your company.
A final word of caution from one of the audience members: The issue with calling data a risky asset is you might be less likely to use it, but that’s not how it should be. Make sure you don’t strangle your ability to collect and use data in productive ways because you’re afraid a breach might occur.
Thanks to all for joining us, and we look forward to seeing you in the New Year!