To any good lawyer, the answer is ‘both’ are important. However, most in-house counsel know the answer is which receives the limited available budget. Compliance budgets usually follow the greatest risks for the company. Therefore, in Europe, where the EU’s General Data Protection Regulation is the scariest new compliance issue, it stands to reason that data privacy will take a larger portion of the budget than cybersecurity. However, in the US, where the penalties for poor cybersecurity can be huge (from governmental penalties, to class action and shareholder derivative lawsuits), I believe it is generally the opposite.
What about much of the rest of the world, where the penalties for loss of personal data or for a cyber breach are insubstantial to non-existent? In many such places, I have seen a much lower budget allotment to either issue. Indeed, across Asia, some of the very largest companies do not even have an Information Security Officer, or someone else designated as responsible for keeping data, personal or otherwise, protected. Where there is little investment, it follows that there is little awareness of what is actually happening to the data that a company holds.
This is particularly the case where hackers use Advanced Persistent Threats, which are data breaches designed to penetrate and hide within a corporate network, siphoning off information over a long period. Cybersecurity expert Mandiant released a report in 2015 indicating the global median time from when a hacker has entered a network and the time when the company is aware of the hack, is 205 days. In Asia, this time between hack and awareness of the hack occurring is 520 days. With this state of affairs, some technologically advanced companies in Asia are particularly at risk for losing their hi-tech advantage or trade secrets by hackers (or governments) that want to catch up quickly.
I often encourage companies to think about the issue from a broader trade secret perspective. Think of all the data you want to protect (from employee lists to marketing plans, from intellectual property to acquisition strategy, from customer personal data to big data analysis), and then take steps to protect it. We all may not be in jurisdictions that equally punish the loss of personal data, but all companies want to protect their competitive advantage from their competitors. It is especially important to do this analysis in advance, as most countries require companies to show they took reasonable steps to protect their trade secrets in order to be able to make a claim under the law. In my experience, corporate secrets are items that company management will likely be willing to fund to protect, if they are aware that they are at risk.
No matter what drives the decision to fund, the steps to any good data protection or cybersecurity program are essentially the same:
- Map out what data you have or intend to collect;
- Determine what laws apply to that data;
- Identify what security you have in place to protect it;
- Prepare a gap analysis of what needs to be addressed;
- Take steps to bridge those gaps;
- Test to ensure compliance.
It is especially important to identify what laws apply to the data you have, as increasingly, data privacy and cybersecurity laws are going cross-borders to govern what you do with your data wherever it may sit. This fundamental shift makes a more-inclusive global legal analysis essential. The law that apply in the EU, the US, China and Japan all have different standards and important points to follow. For example, the definition of what is a data breach and when you have to notify individuals and/or the authorities varies significantly. In the US, a notifiable data breach often requires acquisition of the data (i.e. proof of removal). In the EU, mere access to the data constitutes a notifiable breach within 72 hours of awareness of the breach, in most instances. In China, simply discovering security flaws and vulnerabilities in your network products and services requires notification to the government and network users. In Japan, you are only required to ‘”make an effort” to notify in the event of a breach. Many other countries have in effect, or are now passing, laws governing data breach notifications.
Companies need to plan now for what laws would affect them in the event of a data breach. Data breach issues can be quite traumatic for companies to deal with, in and of themselves. If you are also trying to sort through, for the first time, what laws apply to the data involved, it is easy to make costly and fineable mistakes. You can include a synopsis of these laws in your Incident Response Plan, which is your guide as to how to handle data breach situations.
Once an incident response plan is in place, it is important for organizations to undertake data breach drills (aka tabletop exercises) in order to properly prepare. I had an experience in my corporate days, where a data breach occurred and we quickly assembled our Incident Response Team. The IT manager first proudly announced that the servers were up and running after only a few hours of down time. I asked for the servers so that we could study them for what happened. The IT manager indicated that they had wiped the servers in order to load the data more quickly. His solution was great from an IT perspective, but not so great from an evidentiary perspective. Therefore, it is important to test your Incident Response Plan in order to see if you are truly ready.
In the end, does it really matter which, data privacy or cybersecurity, is most important? Aren’t data privacy and cybersecurity just two different sides of the same coin: Poor data privacy leads to poor cybersecurity, and vice versa? The answer is yes. To prevent this, companies must start the process of identifying and protecting your data, whether it be personal information or corporate secrets. Then, continue down that path, expanding the process until you have considered all of the risks that could negatively affect your company.