Cyber Security for Iowa Businesses
November 17, 2015
(This is a summary of remarks made November 3, 2015 by Nyemaster attorneys Amanda Atherton, a litigator, and Michael Dayton.)
Gone Phishing: Mitigating Employee Data Breach Risks, Amanda Atherton
The key to mitigating employee-created cybersecurity and data breach risks is consistently implementing employment procedures throughout the business that clearly spell out the company’s data security policy.
Good policies will instruct employees on acceptable use of email, computers, internet, electronic devices, proper electronic and physical document storage, remote access, wireless communication, removable media, file encryption, and confidentiality, Atherton said.
It is important for everyone in the business, including the executives, to comply with all policies to ensure the highest level of security. It is also important to maintain open lines of communication and encourage employees to communicate any concerns or suspicious documents or emails to supervisors or the IT department.
Sample policies and other useful resources are available at:
Vendor Agreements: Locking the “Back Door” to Your Data,
Most vendors’ top priority is selling their product—what they do with your electronic data, PHI, PII, and other confidential information, is often an afterthought, Dayton said.
As a result, your procurement process, the due diligence and process by which you select your vendors, is more important than ever. It isn’t a matter of simply picking the best provider at the best price. You should evaluate your current procurement process and determine if it meets your needs.
Dayton recommended involving a company’s key stakeholders early on in the procurement process, and collaborating with the legal and IT departments to understand the company’s objectives and the risks involved and to weigh all relevant factors. “You must perform due diligence on the vendor,” he said.
For example, determine whether they maintain adequate insurance, or otherwise have enough money to indemnify you for the potential financial harm that could result from a data breach. Also determine where the vendor is, and where your data will be, located. That can play a significant role in assessing your risk of a data breach and your ability to recover if there is one.
Further, most contracts offered by vendors do not adequately protect your electronic data and information, and potentially expose your business to a data breach and financial harm. Remember this: all contracts are negotiable! Don’t assume you can’t negotiate better terms. With this in mind, negotiate a contract that ideally contains, at an absolute minimum, the following key provisions:
- Confidentiality. You want all information disclosed, produced, communicated, and transmitted by or about you and your business to be deemed “confidential.” You want the vendor to warrant that its use of your confidential information will be limited to purposes that are relevant to providing services to you. All confidential information should be returned to you or destroyed at the end of the term (or earlier if possible).
- Data Security. You will want information and terms spelling out the vendor’s information security program, and how it will protect your confidential information. You may want to consider how system or remote access will affect the security of your data.
- Compliance with Law. You want a provision requiring the vendor to be in compliance with all relevant data security and privacy laws.
- Indemnification and Limitation of Liability. You will want the vendor to defend and indemnify you from any data breaches that result from the vendor’s use and possession of your data. Push back hard on any limitations of liability—these are for actual breaches the vendor caused. Never allow a limitation of liability to cap indemnification.
- Choice of Venue. A vendor’s location and the choice of venue may also affect your ability to recover or obtain protection in the event of a data breach. For example, if the vendor is in Germany, then you might find yourself spending a lot of money to enforce your rights under the contract, especially if you have to travel to Germany (and hire German counsel) to do so.