"Once More Unto the (Data) Breach: Combating Cybersecurity Issues Under ISO Standard 27001"
Yahoo. Marriott International. eBay. Equifax. Target.
Some of the largest companies in the United States – and the world, for that matter – have suffered data breaches over the past decade. These breaches typically involve an outside, third-party actor illicitly breaking into the database of a company and stealing information varying from names, e-mail addresses, dates of birth and telephone numbers to passwords, security protocols and credit card numbers.
In response to these high-profile breaches, many states, including New York and California, have enacted regulations to increase cybersecurity awareness and protections. Perhaps more famously, the European Union enacted the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. All of these regulations are extremely far-reaching, as they apply not only to businesses located in these states or regions, but also to service providers that work with companies there or that hold the sensitive personal data of residents of those areas – whether or not those providers are physically located in those states. Put mildly, the impact of these new data protection regulations is enormous.
Issues related to the protection of customer and client data are not limited to large, multi-national or multi-state commercial corporations, however. Rather, data protection issues are also particularly acute for professional services practices (such as attorneys, doctors, and accountants), which typically do not have the resources that their large corporate counterparts can invest in cybersecurity. These practices are particularly attractive targets for hackers, since they maintain a significant quantity of sensitive personal information and data in a confined space, but typically do not have extensive cybersecurity protection for that data.
Purchasing cyber insurance coverage can be part of the solution for most professional services practices. These policies typically provide both first- and third-party coverage in the event of a cybersecurity breach. The first-party coverage helps the business itself respond in the event of a breach. The benefits provided may include reimbursement for lost income or profits while the data breach is being remediated, coverage for the costs of informing clients that the breach occurred, or even payment of ransom demanded by a cyber-extortionist. By contrast, third-party cyber insurance covers the insured against potential claims filed by clients whose data or privacy rights have been breached. The third-party coverage will often include the costs of defending a lawsuit or even paying a settlement or judgment rendered against the company.
In terms of the day-to-day protection of client data, and in an effort to adhere to the growing number of regulations governing data protection, there are many cybersecurity standards that businesses can utilize. One of the best-known of these is the set of information security specifications set forth by the International Organization for Standardization (“ISO”), known as ISO standard 27001. Companies or organizations seeking to enforce controls and implement “best practices” with respect to information security may seek to become certified under the ISO 27001 standard. The certification process involves the performance of an audit by an outside company and, ultimately, certification by an accredited body. Certification must then be renewed annually via an audit process, which may reveal non-conformities or opportunities for improvement that must then be rectified in a timely fashion.
The ISO certification process begins with the identification of the business’s objectives in seeking to protect its data and information. However, the ISO 27001 standards do not simply prescribe a one-size-fits-all set of rules and regulations applicable to all companies and businesses. Indeed, one of the key features of an ISO 27001-certified policy is the establishment of an information security management system, or ISMS. The ISMS prescribes policies and procedures for the protection of electronic data and information by the business, and includes security protocols or controls subject to established requirements tailored to and created by the business itself. This is somewhat governed by the nature of the business; law firms and hospitals, for example, have different threats and should have different protections.
The ultimate goal of the ISMS adopted by any business is to identify and control (or, in the parlance of information security, “assess” and “treat”) the risks presented to the company’s information. For instance, a business might be faced with the relatively mundane question of how long an employee’s computer screen should remain unlocked, if at all, while the user is away from his or her desk before the system automatically locks so that an unauthorized user cannot access the workstation. Other, more complicated questions may also arise, such as whether, or to what extent, an outside vendor may be permitted access to the business’s computer system.
In order to evaluate any risk that might arise, the business, through committees established specifically for the purpose of considering the unique issues presented for information security, will consider how to deal with a particular threat. In some cases, the risk will be deemed too hazardous and will be rejected. In other circumstances, the risk will be accepted and recorded accordingly. The ISO 27001 standards require strict adherence to and documentation of the process and results of the assessment of any risks posed to information security, as well as clear recordkeeping of the decisions reached for the treatment of the assessed risks.
A successful ISMS under ISO 27001 also demands the creation of a definable process for reviewing and assessing potential violations. In the event of any failure to conform with the ISMS, ISO 27001 mandates that the corrective actions taken by the business must also be notated so that the auditors can review what has transpired.
The creation of an ISMS by a business or organization requires the allocation of significant financial and human resources. On the personnel side, a designated chief information security officer (“CISO”) must be appointed. That person has ultimate responsibility for ensuring adherence to the established policies and procedures. In the event of a violation, the CISO must investigate and document the issue and, if necessary, elevate it to the risk management committee for determination. Management must also be involved in the ISMS process. A committee should also be formed to ensure that the business is complying with its ISMS.
Data security is indeed one of the most daunting issues facing businesses today. Becoming certified under the ISO 27001 standard, and having a governing ISMS, are substantial steps towards creating a culture in which employees proactively and consistently take steps to protect key information. To the extent a business wishes to learn more about the accreditation or ISMS process, accredited professionals are available to help shepherd along the process.
Todd J. Leon is a partner with Hill Wallack LLP, with offices in New Jersey and Pennsylvania. Hill Wallack is the only New Jersey-based firm with the ISO 27001 certification.