Readers’ wish list: A closer look at business secrecy and data protection
Following our last update on business secrets, readers of our newsletter asked us to write about the topic in more detail. We’re happy to oblige! Today’s update covers:
- Why you need legal cover
- Data breach? You are directly liable
- Video, images and permissions
- What your people need to know
- Why you need to secure your hardware and software
- Leaks you never thought you had
- Authorities and compliance across industries
- What you can do to prepare
1. Why legal coverage is so important
In the last update we pointed out how being prepared in terms of your policies and contracts can help you contain a situation in the case of a data breach.
Courts and authorities will be able to react a lot faster if you have contractual rules and policies in place. For example, a court can order your current as well as former employees to maintain secrecy even beyond a breach, and this is much easier to do if secrecy is dealt with in employment contracts.
Other precautions include mapping your data assets, getting an up-to-date overview of your IT infrastructure and resources, taking out cyber security insurance and developing a checklist of what to do in the case of a breach.
Speed is also crucial. With every passing hour your secrets travel further, and you lose time as well as money. Without a response plan you are stranded in this situation, and you will face difficulties if there is no procedure in place for notifying the required authorities and partners.
2. In case of a breach, you are directly liable
But a security breach can mean much more than that. It has real-time and real-life consequences. If there is a leak in your business, you are likely violating contractual obligations in your agreements with your own clients and suppliers.
If information gets out that affects not only you, but also your business partners, you are liable for the damage caused. Yes, there is such a thing as force majeure even during a cyber attack—but, mind you, during the attack, not in its aftermath. You won’t be able to hide behind that.
In some cases, managers may be held personally liable as well where the due diligence their position requires is found lacking. Management can be sued for negligence by shareholders, and even lawsuits by employees are a possibility where there are issues with the implementation of protective measures.
This means that these are events you need to prepare for, and prepare well. Though the situation is better in Estonia than elsewhere, there are still plenty of businesses that lack a contingency plan in the case of a data breach. Imagine your ship crossing the Gulf of Finland not carrying emergency equipment: no life vest for you. Not a nice thought, is it?
Let’s have a look at potential problems in more detail. Up next is video, but do keep reading for hardware, software, backups and other issues.
3. Surveillance, video and photographs
You wouldn’t want to enable stalkers, would you? Yet that is precisely what plenty of companies still do: they may think about the security of their premises and set up a network of CCTV cameras—but they don’t invest much thought in the security of their video recordings and storage.
Your video surveillance system only makes sense if you also regulate access to it. No matter whether you hire your own people to run it or an external security company, your contracts with the people you put in charge need to be absolutely watertight.
Problems in this area can start in a harmless enough way. Let’s say you’ve just moved into a new office, you’re throwing a housewarming party, and you have a photographer present. Or let’s assume you’re showing a group of visitors around your factory floor. They all have their phones out to take pictures.
What exactly you let them photograph matters a great deal. You’re a media company? Keep them away from your leaderboard. Your business paints cars and trucks? Don’t let anyone take snapshots of your clients’ new livery. You have a photographer around the office? Don’t let them near whiteboards, post-it walls and the like.
Virtually every business has some sort of a potential visual liability. Make absolutely sure that the people or businesses you hire understand this, and that they are legally required to stick to your rules.
4. You need to let people know about your precautions
You can’t just film people and record how they move about. This also requires careful legal preparation. You need to know, and document, where and when you record them, and let them know about it as well.
This requires a carefully set up policy. The groups affected are of course your own employees, but also your cleaners, workmen who might be stopping by, and so on. Any and all of the agreements you have with them should set out how confidentiality is handled, and where they are subject to your surveillance measures.
5. Securing your hardware and software
Do you allow your employees to take their laptops and company phones off premises? Likely yes, otherwise what’s the point. But do you have a policy in place for how they are to be kept safe?
This can range from the requirement to use two-factor authentication to the use of screen locks and passwords. By allowing your people to use your equipment elsewhere, you in fact spread yourself quite thin. From a stolen iPhone to a laptop left unattended in an open-plan office, there are plenty of risks you need to cover.
These risks also extend to the use of the equipment and its software and applications. Do you allow your people to take and send around screenshots? You never know what might be visible in the background. Can they communicate outside email and your approved messenger? If yes, what kind of information can they send this way? And so on.
All of this requires detailed policies in place if you want to keep your own liability within reason.
6. Leaks you never thought you had
A police precinct in a European country that shan’t be named here had won several awards for its cutting-edge IT set-up. It was at the forefront of 21st century law enforcement, and was held up by the government as a shining example of the country’s ambitions and use of new technology.
Until an audit discovered not just a leak, but a gaping hole in the precinct’s security.
While the systems in everyday use were kept very safe, the backup system, running in parallel in the basement, was more than 15 years out of date and not secured at all.
That’s right: while it would have taken top-shelf hacking talent to break into the first and second floors, every cleaner with access to the precinct’s basement could have comfortably transferred any kind of file onto a flash drive. No video surveillance in the basement either.
The process alone of preparing a policy on these issues will help you revisit and discover potential problems. This, in turn, will make your set-up safer. Which also matters for the next point:
7. Authorities and compliance issues
Beyond everyday business and its risks, there are compliance issues as well. From the EU’s directives to local authorities and professional qualifications, there are plenty of rules to follow.
There are general compliance requirements like those of the EU’s General Data Protection Regulation (GDPR), which require you to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.” And there are very industry-specific standards, such as the recently updated Payment Systems Directive (PSD2).
PSD2 for example requires you to manage operational as well as security risks. It imposes strict rules on authentication—and it requires you to report incidents.
And it is that last point that should make you think. On top of security, you also have a reporting obligation in plenty of cases, especially when a cyber attack is involved.
For instance, if your business is based in Estonia, in the case of a cyber attack you are obligated to inform the State Information Systems Authority (RIA) and the Data Protection Inspectorate.
Informing the authorities, shutting down and restarting systems, and meeting your contractual obligations to have them up and running again: all of this calls for a contingency plan and a strict policy in place. Yet the majority of the readers of this update won’t even be aware of the reporting requirement.
Would you be able to handle all of this efficiently and quickly enough?
8. What you can do to get ready
All of this means that these risks are here to stay, and they are serious. There are three main areas you need to cover as soon as possible:
- Take the necessary legal precautions (audits, mapping, contracts, policies, implementation procedures)
- Appoint people where needed
- Train your staff regularly and make sure they are aware of internal policies