RumbergerKirk helps clients at the intersection of technology and the law. Our best practice is to form a relationship with a client before an incident arises, because prevention is much better than trying to remedy an incident. We review clients’ documents and procedures to help them comply with regulatory guidance, develop best practices, and handle cybersecurity data breach incidents.
Organizations will want to consider an organized, well-laid-out CP, CIRP, and CRA that range from the entire cyber system down to who should be called, and when those contacts should be made, when an adverse data event occurs. There are innumerable considerations that go into an organization’s unique CP, CIRP, and CRA. Our team offers the third-party legal perspective needed to assist in developing policies and plans that are appropriate to the organization.
Another area of concern is relationships with vendors. Vendors often hold data and have access to a company’s network. It is important to ensure that vendor agreements require vendors to meet certain cybersecurity standards. We offer organizations a helpful eye in reviewing vendor agreements and how they could potentially involve data security, together with suggestions for those agreements.
We assist clients in review of internal procedures on data storage and data access. Employees and vendors sometimes may be granted access to data that is unnecessary to job performance. In this vein, a company should also consider procedures that are designed to marginalize the internal and external impact created by “hacktivists.” We partner with clients to evaluate data access and make suggestions to protect data and minimize our clients’ risk.
Countless data protection surveys and studies lead to the same conclusion: the greatest threat to the data of an organization comes from inside the organization. We assist clients in reviewing HR processes and gateway procedures to protect the company. A company may unwittingly employ a disgruntled employee, a hacktivist, or someone who is looking to move to a competitor along with data that is the property of the organization. Most commonly, however, employees are not properly trained concerning information awareness. In addition to reviewing CIRPs and internal processes, we also provide training to employees, whether in the C-suite, in IT, or at large.
We help clients understand how executives, employees, and the organization as a whole manage their personal or corporate data with respect to the public. An organization should consider its HR policies with regard to employees’ social media habits. A company can set important requirements for employees’ sharing of information. Our team can offer valuable training insights with regard to privacy settings for an organization’s employees and executives.
Today, IT has oversight of the data that is the lifeblood of an organization. We work with IT professionals to understand an organization’s configurations for data storage, back-ups, authentication, etc. Our team also works with organizations and their IT professionals to help evaluate the legal impact of options under consideration when making IT decisions.
Cybersecurity reviews, incident responses, and tabletop exercises have become part of the lexicon of companies in today’s climate. This is particularly so for publicly traded companies, where an outside attorney can offer a third-party view of the soundness of data security and technology practices from the legal perspective.