Information Security Policy Development
Information security laws historically were aimed at specific industries (e.g., Gramm-Leach-Bliley for financial companies) or at particular data types (e.g., personal medical information). But high-profile mistakes, new legislation, and aggressive enforcement actions have created an emerging duty to provide “reasonable security.” Key drivers:
- the FTC (through enforcement actions against Microsoft, ChoicePoint, Eli Lilly, et al.)
- Sarbanes-Oxley (through its regulation of internal controls over financial reporting), and Gramm-Leach-Bliley and HIPAA (through a maze of implementing regulations such as the FTC’s Safeguards Rule, the Interagency Security Guidance, and the HIPAA Privacy and Security Rules)
- State breach-disclosure laws (California’s, and those of the 40 other states that have followed suit)
Whether you are providing reasonable security is a fact-driven question; there is no “bright-line” test. To implement legally effective policies and processes (that is, ones aimed at providing reasonable security), we’ll help you assess:
- the types of data handled by you and by your service providers
- the risks associated with lost, leaked, or corrupted data
- your particular IT environment (technology, management, processes, etc.)
- best practices employed at your peer companies
- legal requirements for data security, including the applicability of breach notification laws
After the assessment, we’ll work with you to define the boundaries of an appropriate policy (one that satisfies both legal and operational requirements), then bring together your legal, IT, security, and operations managers to produce a jointly owned policy with clearly defined roles and associated training tools.
For incident planning, we’ll help you identify the relevant team members (legal, operations, media relations, IT) and build pre-incident liaisons with appropriate law enforcement and ISP representatives. We’ll help make sure the team members understand the issues and their options before a security breach occurs, so that their decision-making during the crisis is reasoned and effective. If the worst happens, we have experience managing the crisis with dispatch and turning the crisis into a marketing opportunity.