Your Data Security Program Alone Is Not Enough

July 2016

The headlines are out there. You’ve seen them. On one hand, government agencies are ramping up enforcement efforts and dishing out heavier fines. On the other hand, data breaches are occurring at an exponential rate. You think it won’t happen to you but count on being next. It’s not a matter of if, but a matter of when. Having a data security program alone does not make you compliant with data laws, and it won’t be enough when a breach occurs.

In late 2015, PricewaterhouseCoopers' Global State of Information Security Survey 2015 found that security incidents have been increasing at a compounded annual growth rate of 66% since 2009. Further, as large companies have stepped up their protections and bolstered their data security, cybercriminals have begun to target small and medium-size companies (“SMEs”), oftentimes focusing on crimes involving sensitive customer data protected by various federal and state data privacy and security laws.

These security incidents impact both data security and data privacy. When the line between the two concepts is blurred, SMEs can be put in a dangerous situation, in light of increased government scrutiny and enforcement efforts, particularly post-breach. No matter which industry your business is in, there is generally a set of rules governing security and another set of rules governing privacy.

Data security is only one aspect of data privacy. If your security is breached, your privacy controls will be endangered. You can have security without privacy, but you cannot have privacy without security. Companies need to have comprehensive data security and data privacy programs to be truly prepared for security incidents and government agency audits.

What are the major differences between data security and data privacy, and how can you determine if your company is compliant in both areas?

Data Security

Data security (or cyber security) governs the protective standards and security controls that keep data secure and prevent unauthorized access, use and disclosure. A robust data security program employs a combination of security controls to preserve the confidentiality, availability, and integrity of data.

Three types of security controls should be used in a comprehensive data security program:

  • Physical Safeguards - including locks on physical filing cabinets, limited physical access to facilities, environmental precautions, backup centers, disaster recovery mechanisms, and building keycards and other access controls
  • Technical Safeguards - such as encryption, anti-virus software, technological access controls (such as fingerprint and iris scan readers), and unique user identification and authentication
  • Administrative Safeguards - such as management of workforce risks, employee training, vendor oversight, and corporate policies and procedures that are updated as needed and enforced

Data Privacy

Data privacy governs how data is collected, used and shared. Although both data security and data privacy concern the use, confidentiality, and protection of personal or sensitive information, data privacy also addresses the data subject’s right to control the data, such as rights to notice, access and choice.

  • “Notice” covers how a company collects personal and sensitive information, what type of information is collected, and what it does with the information, particularly whether it’s shared and with whom. Notice is commonly given through a company’s privacy policy or privacy notice.
  • “Access” relates to the data subject’s right to access, review, and modify the accuracy and integrity of the data maintained by the company.
  • “Choice” refers to the data subject’s control over how their data will be used, including the ability to opt-in and opt-out from various uses.

A well-designed data privacy program transparently handles sensitive data in accordance with the subject’s rights and preferences – allowing for authorized uses of their data while preventing unauthorized disclosures.

Is your company prepared? Here are 10 questions to consider when evaluating your data security readiness and data privacy compliance.

  1. Do you know which of the many federal, state and industry laws and regulations apply to your company, if any? And if you collect data on an international level, are you compliant with applicable foreign laws, particularly the recently expanded European Data Directive?
  2. Are your data privacy and data security policies up-to-date and compliant with new federal and state laws and regulations?
  3. Do you periodically take inventory of your data and map your data flows?
  4. Do you have an incident response plan to ensure business continuity in the event of a data breach or privacy violation?
  5. Do you have a records management policy detailing the various treatments and destruction methods for different types of corporate records?
  6. Are you familiar with your vendors’ data privacy and data security policies, particularly with respect to how they affect your company and your customers?
  7. Have you been conducting periodic, mandatory employee training on matters relating to data security, data privacy and incident response?
  8. Do you have adequate administrative, physical and technical safeguards protecting your data?
  9. Do you have cyber-insurance?
  10. Are you performing regular internal and external audits of your data privacy and data security programs?

For more information on evolving data security and privacy issues or assistance with your firm's policies and procedures, contact:

Ronald J. Levine at + 212 592 1424
Barry Werbin at + 212 592 1418
Erica L. Markowitz at + 212 592 5953

© 2016 Herrick, Feinstein LLP. This alert is provided by Herrick, Feinstein LLP to keep its clients and other interested parties informed of current legal developments that may affect or otherwise be of interest to them. The information is not intended as legal advice or legal opinion and should not be construed as such.