10 Tips to Help You Focus on Cybersecurity

Cyber liability may have been an exotic notion for Turkish companies but will soon be a very hot topic for many years to come. As the Turkish Data Protection Law has entered into effect as of 7 April 2016, the issue of cybersecurity will soon be a particular importance to the Turkish companies.  

Effective management of a data security incident benefits from adequately addressing risks at all levels in advance.  To this end, based on the Cloud and HIPAA work and what we have learned from our colleagues in the Greenberg Traurig Cybersecurity and Crisis Management group, below are some tips and questions to get conversant on high-level issues (with the normal disclaimer that they are for informational purposes only without legal advice or opinions):

1. Know the Data.  You have to know what data type of data you are processing. Your company has likely saved, among the more obvious, benefits information, background check results, payment data, emails, lists of job applicants, vendors, customers, and other non-public personally identifiable information.  

2. Map the Data.  On what servers and in which data centers does it sit?  How is it routed?   Who is supposed to have access?  Through which systems?  It’s the atypical circumstances that few remember.  For instance, does an auditor transmit information out of the country in violation of local rules?  Or when are vendors brought inside the firewall?  What about a deal discussion and due diligence?

3. Go on a Data Diet.  Be judicious in maintaining online stores of former customers or decades-old records. Aside from reputational damage, a company’s breach liability is in part a function of each individual whose information is improperly disclosed.  Think notice to those impacted, identity restoration and credit monitoring, and other remedies.

4. Own the Privacy Policy.  Simply posting a form isn’t enough.  Treat it as a live document.  Don’t forget that Turkish laws requires you to have explicit consent of the data subject. Companies must contemplate and account for Cloud storage and computing, cross-border transfer, M&A and even a sale of its own assets in bankruptcy.  

5. Train Everyone.  The biggest defense force is the population using a company’s systems day in, day out.  Deputize them to be on the lookout. Maintain sensitivities to old reliable precautions — strong, protected passwords, anti-virus software for home computers used remotely, confidential document handling, and locked work stations and devices. Messages tend to stick when people learn something interesting or even complicated.  Teach about spear-phishing, trojans and the rest of hacker alphabet soup.  Demonstrate manifestations of malware. Quiz about incident escalation practices.  Certify employees and vendors regularly and keep them abreast of changes.

6. Test  Systems.  Compliance with good practices is not static. Just as company technologists should run regular penetration tests to find back doors, it’s critical to administer a cybersecurity regime that tracks overall company efforts.  Such continuing attention better equips a company to overcome weaknesses and enables officers and directors to provide oversight.  It also lays the groundwork to dispatch lawsuits and government investigations handily.

7. Conduct Incident Response Drills.   Your lawyer will always be ready to help you in case of an cybersecurity breach emergency and reach the scene of the crime whenever needed.  But triggering a well-rehearsed sequence is far preferable and save money.  Aside from calling your insurance agent, breach notifications are required under the Data Protection Law.   Have a system for figuring out what happened, how long that process takes, what customers, products or services were impacted, the extent to which it could have been avoided and how to tamp down continuing vulnerabilities. It’s admittedly no fun. Responding to a significant breach is stressful, but is easier to handle well when there is a plan in place that has been tested, incorporates experience and lessons learned from others’ breaches, and has been agreed upon by stakeholders. Taking simple steps now makes it easier and more likely that the organization will respond well when a breach happens.

8. Get Insurance.  It’s less about whether to have coverage for cyber liability, which is usually excluded from general commercial policies.  Rather, what protection is worthwhile?  Incident response coverage is typical.  What about the expense of offering credit monitoring to individuals?  Is corporate information covered?  Business interruption is often overlooked.  Does the policy include events and claims anywhere in the world?  Are there exclusions for rogue employees or failure to abide by policies?  Have likely defense costs and penalties been factored in?  Having said all of this, the best “insurance” is every measure taken aside from purchasing the policy itself!

9. Do it Yourself vs. Due Diligence Hell.  Too many cutting-edge companies finally entertaining suitors or financing end up facing the unpleasant reality that they didn’t exactly have their cybersecurity ducks in a row. Showing that you’re on top of cybersecurity should help preempt overbearing diligence and the most cumbersome reps and warranties that a buyer might try to demand.  Closer examination will cover the ‘all of the above’ category (please see points 1 – 8!).  And have your latest risk assessment ready because the other side is surely bringing its own privacy and security specialists — and may use a forensic expert if warranted.

10. Get the *Real* Checklist.  Of course this isn’t it. The Data Protection Board of Turkey has been established and issued secondary legislation under the Data Protection Law. New legislation will continually be enacted. Part of showing that an organization has not acted negligently with respect to cybersecurity is proving that its conduct is reasonable, which requires coordinating efforts across functions, and reviewing practices and coverage regularly.