Enterprises Overlook Legal Issues in Breach Preparedness

May 1, 2015 – In The News
CSO Online

Scott L. Vernick was quoted in the CSO Online article, “Enterprises Overlook Legal Issues in Breach Preparedness.” Full text can be found in the May 1, 2015, issue, but a synopsis is below.

A recent study by Hanover Research revealed that while approximately 54 percent of companies have conducted an audit of cyber threats, only 33 percent involved legal departments in the audit process.

According to noted privacy attorney Scott Vernick, this presents a problem because IT or security staff typically focus on physical and electronic security, not necessarily the legal, compliance or privacy issues of a data breach.

“They won't necessarily be sensitive to or be able to spot the issues that the lawyers are thinking about,” Vernick said. “The ideal is to have everyone working together.”

Vernick said his firm has conducted dozens of privacy audits for companies, which include identifying the data a company collects, stores and transmits as well as reviewing a company’s vendor management program to get a sense of any potential third-party impacts on data security.

“Based on the answers to these questions, you can identify legal risk,” he said.

“You may discover that there are a whole lot of people who have access to all employee information that is online or in a database of the company and truth be told, not all those people need access to all that information,” Vernick said. “And that risk can be managed by limiting the number of super users with access to the whole database.”

Processes like these can also help companies respond more effectively to a breach, Vernick said.

“It's hard to respond if you don't know where your data is located,” he said. “You may think, in the initial hours of a breach, that only X amount of data or only a certain type of data was exposed because you didn't know where all the data was stored.”

“It can be stored in all kinds of nooks and crannies that people don't ordinarily think about,” he added.

Vernick said that, in his experience, retail companies tend to have a better grasp on data breach issues because they are used to dealing with compliance requirements, but noted that health care-related companies are catching up.

All companies are vulnerable to breaches, Vernick said. “It's really an issue that applies to everyone.”

This article was also featured in Tech Page One.