“The Coming Storm of Litigation and Compliance”: Key Takeaways from Webinar
Posted on Tuesday, December 6th, 2016 by

What You Need to Know About “Reasonable Cybersecurity”

I was privileged to lead Hitachi Systems Security’s webinar titled “The Developing World of Cyber Litigation and Compliance” (you can find the recording here).

The Key Takeaways Our Audience Highlighted:

  • The threat of litigation and increased compliance obligations for organizations that retain their customers' PII (Personally Identifiable Information) has never been greater and will undoubtedly intensify.
  • The law requires organizations to have "reasonable" cybersecurity defenses.
  • Reasonableness is judged on several factors, including the sensitivity of the data, the quantity of information held by the organization, and the potential harm to consumers if the data is lost, among others.
  • Compliance and reasonable cybersecurity often do not overlap; good compliance certainly does not guarantee good security.
  • Reasonable cybersecurity is best assessed by people who are familiar with industry best practices and with leading-edge cybersecurity assessment tools and techniques.


Requirements for “Reasonable Cybersecurity”

The main point to remember when assessing the reasonableness of your cybersecurity measures is that you need accurate knowledge of your actual security posture. You need to map your assets, controls and obligations, and understand where the gaps or vulnerabilities may lie. This implies that technical testing must be conducted, such as:


What's important is that you must be able to explain which choices you made, and why you made them.

In other words, you must be prepared to explain why your choices are reasonable in the context of your organization. Most importantly, you need to anticipate threats in order for your organization to remain within the realm of reasonable cybersecurity.

Doing this internally requires a serious commitment, both financially and in staffing. At a minimum, organizations often outsource periodic technical testing; and as they move along the continuum of implementing a "reasonable" cybersecurity program, they often find that the cost/benefit of focusing on their business and their strengths as an organization, while leaving cybersecurity to the experts, is overwhelmingly positive in the long run. This is especially true for small and mid-sized businesses, which are particularly vulnerable to data breach litigation and whose customers are likely to abandon the organization if any personal data is exposed in a breach.


Data Breach Litigation: Government vs. Private Corporations

Attendees also had interesting questions about litigation facts and trends. One of them was whether there are any differences between data breach litigation against government entities and litigation against private corporations. The question is relevant because, traditionally in Canada, a governmental entity that was the defendant was not liable in tort for the damage its employees or decisions caused to another, whether intentionally or by negligence. Today, all Canadian provinces and the federal government have rectified this anomaly by passing legislation that makes the public body liable in tort just as a natural person is.


Is the term 'reasonable' subject to change each time a new, more advanced attack occurs?

The short answer to this is 'yes'.

For instance, the definition of what constitutes a 'good' password has evolved with the threat. There was a time when merely having a password, even if it was the name of your pet, was considered reasonable. Today, diligent business people use software to generate complex passwords, held in a vault that is itself protected by another complex master password. In cybersecurity, the notion of reasonableness evolves with our knowledge of threats. That is why it is always recommended to adopt industry best practices rather than aim merely for compliance, as there may be a gap between the two. Practices evolve more rapidly than standards, which evolve more rapidly than legislation.

No Escape From the Storm

The bottom line is that organizations cannot avoid the responsibility, and consequently the coming storm of litigation and compliance, that goes along with collecting and retaining their customers' credit card numbers, social security numbers, and other PII. To protect themselves, and their customers for that matter, organizations must establish a "reasonable" cybersecurity program or find themselves in court, or at the mercy of the various commissions tasked with monitoring compliance and penalizing companies that don't comply. The consensus among the experts, and what I hope was communicated in our presentation, is:

  1. Locate the sensitive data in your environment.
  2. Perform assessments to identify vulnerabilities, including vulnerability assessments and penetration tests.
  3. Emulate best-in-class cybersecurity procedures, whether you put those in place yourself or hire outside help so that you can focus on your business.


Access our webinar “The World of Cyber Litigation and Compliance” here:

The World of Cyber Litigation and Compliance

Vanessa Henri
About author:
Vanessa is an academic and legal expert on data protection laws, as well as a certified data protection officer. Currently, Vanessa is Hitachi Systems Security’s Director of Legal and Compliance as well as Data Protection Officer. She oversees the performance of privacy advisory services by Hitachi Systems Security to its clientele, including services such as GDPR Posture Assessments. She advises boards of directors at the macro-strategic level on the implementation of privacy obligations through efficient reporting systems. She has published a variety of data privacy-related materials and has contributed as a speaker to various conferences about data protection laws, such as Code Blue, in Tokyo. Vanessa is a member of the Quebec Bar Association, and holds a master’s in laws from McGill University. She also teaches corporate cybersecurity practices at St Thomas University, in Miami, Florida. She is a certified Data Protection Officer.
