What Does It Really Take to Be Data Security Compliant?

Written by: Cameron G. Shilling

Published in NH Bar News (12/20/2016)

Most businesses know (or should know by now) that they must comply with state and federal data security laws and regulations. But business leaders often are unaware of what it really takes to do so. That is understandable. Data security seems complex, and technology consultants and vendors rarely try to demystify it for their customers.

Data security is just like any other legal or business risk management issue. The risk is managed through a process of collaboration between business leaders, information technology professionals, and qualified legal counsel. The process involves the following steps:

  1. Perform a risk assessment of the business’ physical, technological and administrative systems using the requirements and standards of applicable laws.
  2. Generate a report that identifies areas of non-compliance and risk, including a prioritization and chronological plan for remediation.
  3. Remediate vulnerabilities that can feasibly and financially be fixed within a reasonable amount of time.
  4. Create a written data security plan tailored to the procedures of the business.
  5. Train employees about data security compliance generally and the business’ procedures under the written data security plan.
  6. Perform periodic reassessments, including sub-assessments if new or different physical, technological or administrative systems are adopted.

Step 1 – the risk assessment – involves identifying the information a business has that is legally protected, for example, under state data security laws or under federal laws or regulations such as HIPAA, the Gramm-Leach-Bliley Act, or SEC or FCC regulations. The information is then mapped through its lifecycle (e.g., from receipt and creation, through use and transmission, to disposal and destruction), and areas of non-compliance or risk are identified using the legal requirements and standards of applicable laws and regulations. 

This is a highly collaborative process between the leaders of the business, competent IT professionals (inside or outside the business, or both), and legal counsel experienced with this area of the law and qualified to understand technological and physical security matters.

Step 2 – the report – flows naturally from the areas of non-compliance and risk identified in the assessment. Priority is assigned to items that are relatively easy to remedy, that do not comply with applicable law, or that entail significant risk, and a timeline is created for addressing the issues.

Step 3 – the remediation – is the process of identifying and implementing solutions to the vulnerabilities identified during the assessment and in the report. Remediating vulnerabilities often depends on the availability of technological or physical systems, and budgetary constraints of the business. It is common for a business to need 12-18 months to properly address all of the vulnerabilities identified in an initial data security risk assessment.

Step 4 – the written plan – is a policy created from the information gathered during the risk assessment and the remedies implemented or anticipated for the vulnerabilities. A plan created in the absence of a comprehensive risk assessment is a pure shot in the dark, and does not comply with state or federal law or accepted practice. No two data security plans are the same because no two businesses are the same, and there is no competent boilerplate form.

Step 5 – the training – is an integral component of data security compliance. Employees handle protected data on a daily basis, and thus need to be taught about data security generally as well as the business’ specific procedures as set out in the written plan. Properly trained employees also know better how to avoid breaches, how to recognize an actual or potential breach, and how to respond properly in such circumstances.

Step 6 – the reassessment – is required and natural for any business committed to data security. Reassessments are used to address vulnerabilities arising from new or different technological, physical or administrative systems, or from external threats. Also, as a business becomes data security aware, it frequently identifies previously unknown vulnerabilities and adopts remedies that enhance security beyond the measures implemented after the initial risk assessment and report.

Data security is not something that can or should be overlooked simply because a business does not understand how to become compliant. Just like any other risk management issue, compliance is accomplished through an established process in which business leaders, IT professionals, and qualified counsel work collaboratively under applicable law.

Cameron Shilling is chair of the Privacy and Data Security Group for McLane Middleton. He regularly assesses client risk, implements data security policies, trains staff and investigates and remediates security breaches. He can be reached at (603) 628-1351 or [email protected].