
TAG Cyber Law Journal

February 2020
CyberInsecurity News has merged with TAG Cyber. We will continue to bring you the news that lawyers and their colleagues need to know, only now as part of a growing leader in this exciting field.
Two recent reports from the feds, one on cyber security and one on privacy, really do deliver.

By David Hechler
In January, the federal government released two documents designed to offer companies guidance as they struggle to achieve cyber security and resilience while maintaining privacy policies that are both compliant with regulations and responsive to the needs of consumers. The documents weren’t presented as belated holiday gifts, or New Year’s resolutions, but they could have been.
     The first addressed privacy and was prepared by the National Institute of Standards and Technology (NIST). The second, on cyber security and resilience, came courtesy of the Securities and Exchange Commission. Let’s start with the more recent.
     In a press release dated Jan. 27, the SEC’s Office of Compliance Inspections and Examinations (OCIE) introduced its “Cybersecurity and Resiliency Observations.” OCIE Director Peter Driscoll summed it up this way: “Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency.” They wanted to publish these observations, he explained, “in order to allow organizations the opportunity to reflect on their own cybersecurity practices.”
     This was the office’s first effort to address this topic, and the guidance amounts to a 10-page summary of best practices. It won’t be a revelation to lawyers steeped in this field, but it’s much more than a quick checklist. Because the entire report is presented as observations, without the clutter of justifications or analysis, it covers a lot of ground. And it does so clearly and succinctly.
     The topics covered include governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness.

Guidance with Depth
The two areas discussed at greatest length are data loss prevention and incident response and resiliency. Neither is given a once-over. Data loss prevention begins with establishing a vulnerability management program, the guidance says. From there it moves to monitoring and controlling perimeter security, detecting threats and intrusions, and establishing the ability to capture and retain system logs. Maintaining an inventory of equipment, both hardware and software, is essential, as is establishing a software patching program; encrypting data; segmenting networks; monitoring insider threats by tracking unusual behavior; and conducting penetration tests.
     The incident response section goes into even more detail. It considers the multiple plans a company may require to counter different kinds of attacks, the procedures that should be outlined in those plans, the employees who will carry them out, and the testing involved in improving them, which often takes the form of tabletop exercises. It also addresses the reporting requirements after a cyber incident or event. And then it gets into resiliency: preparing for business disruption, ensuring that backups are kept offline, and considering the benefits of cyber security insurance.
     The document closes with a section on additional resources. Here it mentions the value of working with government entities, like the Cybersecurity and Infrastructure Security Agency. Though it renders CISA’s name imperfectly, it commends the agency for sharing valuable cyber threat information. And it also offers a hat tip to NIST for the Cybersecurity Framework it published in February 2014, which is still cited and used all the time.

Creating a Privacy Program
And that brings us to NIST’s new publication, which is very much a companion piece to the earlier one. Released on Jan. 16, it’s called “Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.” It’s a lot heftier than the SEC’s offering: 39 pages with charts, tables and footnotes. If the SEC guidance was like a detailed checklist, this is a “how-to” document that describes in detail how to build a privacy program. It resembles the Cybersecurity Framework in both its approach and structure.
     It’s designed to be “widely usable by organizations of all sizes and agnostic to any particular technology, sector, law, or jurisdiction,” the guidance notes. It helps companies manage privacy risks by taking privacy into account as they “design and deploy systems, products, and services that affect individuals.” It also helps them talk about their privacy practices, and encourages them to foster collaboration across the workforce.
     In sum, a privacy framework is built from three components. First is the Core, a set of privacy protection activities and outcomes that enable a dialogue about managing privacy risks. Next come Profiles, a selection of the functions, categories and subcategories from the Core that an organization prioritizes to manage its privacy risk. These allow the company to define what kind of privacy program it’s aiming for. Finally, Implementation Tiers give employees a common vocabulary as they decide whether the company has the processes and resources to accomplish its goals.

This Could Get Complicated
The document goes on to examine some of the challenges firms may confront as they develop privacy programs. For example, assessing a business’s privacy risks may be more complicated than it initially appears. It isn’t always easy to distinguish privacy risks from compliance risks. An assessment may reveal that a company is fully compliant with all laws and regulations, yet its policies and procedures may still create problems for individuals. Those could be anything from feeling embarrassed to feeling discriminated against to suffering economic loss. Any of these could have serious consequences if customers lose confidence in the company as a result. These issues may have legal, business and also ethical repercussions.
     As the guidance notes: “Although there is no objective standard for ethical decision-making, it is grounded in the norms, values, and legal expectations in a given society. This facilitates optimizing beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole, as well as avoiding losses of trust that damage organizations’ reputations, slow adoption, or cause abandonment of products and services.”
     The remainder of the document describes in detail how to use the components NIST laid out, and how to pull all the pieces into a corporate privacy program. At the very end, it even discusses ways to assess and manage privacy risk within a business’s ecosystem. How do its policies and practices mesh with those of its subsidiaries, service providers and the manufacturers it relies on? A thorough analysis along these lines may even influence a company’s buying decisions.