Hackers Are Not the Only Ones Watching - Why You Need a Cyber Security and Privacy Plan
Information security and privacy are at the forefront of the popular and legal landscape. What are you doing to protect your valuable intellectual property and your customers' confidential data? Can you rely on your cyber security and privacy plan to keep these assets safe, withstand government scrutiny and pass enforcement review?
Cyber security, also known as information technology security, focuses on protecting computers, networks, programs and data from unintended or unauthorized access, change or destruction. Computer viruses, network downtime and outages, and hackers obtaining unauthorized access to data harm business productivity and personal finances and can create potentially catastrophic conditions. Privacy expands the notion of cyber security by addressing what information an entity collects, what is done with that information, with whom that information is shared and how that information is retained. Given the increase in mobile users and access to digital applications, the risk in these areas only increases.
Information protection oversight is diverse and complex. Federal acts governing U.S. information privacy law include many laws that cross industry sectors, such as:
Electronic Communications Privacy Act
Fair Credit Reporting Act
The Federal Trade Commission Act
Freedom of Information Act
Identity Theft and Assumption Deterrence Act
USA PATRIOT Act
The Privacy Act
Health Insurance Portability and Accountability Act
Given the vast regulatory framework and the value of the data you own and house, being vigilant in the protection of nonpublic personal information and private data requires knowledge of both the laws and regulations affecting your industry and the technical tools available to protect your network and assets.
Cyber security legislation will be at the forefront in 2014. Many expect legislation similar to the proposed Cybersecurity Act of 2013 to be considered again at the federal level. That bill proposed amending the National Institute of Standards and Technology Act to permit the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology (NIST), to facilitate and support the development of a voluntary, industry-led set of standards and procedures to reduce cyber risks to critical infrastructure.
One particular industry example is the expanding definition of Critical Cyber Assets in the utility field, following approval by the Federal Energy Regulatory Commission (FERC) of Version 5 of the Critical Infrastructure Protection (CIP) Reliability Standards, submitted by the North American Electric Reliability Corporation (NERC). The CIP Version 5 Standards adopt new cyber security controls and extend the scope of the systems that are protected by the current CIP Reliability Standards for the industry. Changes in the new standards may provide a road map for future cyber security laws in other highly regulated industries. Changes that have occurred with Version 5 include requiring impact ratings that define the safeguards necessary for each asset; removal of "bright-line" criteria; a focus on information protection and on configuration and vulnerability assessments; the introduction of new requirements before deployment of cyber assets, including, for example, execution and documentation of a vulnerability assessment; new personnel risk assessments specific to contractors and vendors; and required malicious traffic inspections. This level of scrutiny may be coming to your industry.
The prevalence of regulatory audits to ensure compliance with these various requirements is also increasing dramatically, with threats of monetary penalties looming. For example, the utility field is seeing more frequent and thorough NERC-based audits. In previous years, the industry would see small spot checks on a subset of compliance standards, but the recent trend has increased the audit rigor such that the entire gamut of compliance standards is being reviewed. In the health sector, the Office for Civil Rights has expanded its HIPAA Privacy and Security Rule audit pilot program from a small group of covered entities into more thorough and random reviews of covered entities, business associates and even downstream service providers.
On Feb. 12, 2014, NIST released the Framework for Improving Critical Infrastructure Cybersecurity, which is designed to assist critical-industry companies in preparing for and defending against cyber security attacks. The framework is currently voluntary but is advertised as the next step to improve the cyber security posture of the nation's critical infrastructure. As is somewhat standard with NIST publications, the framework is a leading candidate for regulatory bodies to use as a guide when developing mandatory standards.
Moreover, in the post-Snowden world, with high-profile security breaches like Target's experience becoming the norm, it is no longer sufficient to create an Information Security Program and an Information Governance Program and then assume they are being implemented and maintained appropriately. Internal audits, ongoing security awareness, revision in reaction to changing industry security trends and an overall pulse on the privacy and security landscape for your industry are now required.
With a compliant cyber security and privacy program in place, companies have the tools to help mitigate risk and the mechanisms to help identify issues and potential problems within the organization and fix them before unauthorized access is discovered. Know your plan before the hackers do or the auditors mandate that you create one, and keep your plan updated to fall in line with trending industry best practices.
If you have any questions or need additional information, please contact Kristina Tridico
at (317) 236-2266 or firstname.lastname@example.org
or Nick Merker
at (312) 726-2504 or email@example.com
or any member of Ice Miller LLP's Government Enforcement, Investigations and Corporate Compliance Group
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.