Answer: YOUR COMPANY!
When your company has a data breach, these are the top 3 questions that you will be required to answer:
- How did the breach happen?
- What steps did your company take before the breach to protect the data and keep it from happening?
- What steps is your company taking after the breach to ensure this does not happen again?
These 3 questions serve as the framework for how you need to think about your company’s data security policies, procedures, and systems. A great response to the second question is to show that your company had — both for itself and third parties with which it does business — adequate security policies, procedures, and systems that are well documented and that they were audited. This is the focus of a blog post I co-authored with Scott Geye that was recently published on Whitley Penn’s In the Black blog.
Here is a brief excerpt:
If a company suffers a data breach that results in the compromise of PII, the company is then required to follow applicable breach notification rules and disclose the breach to, in most cases, certain governmental bodies, agencies, industry groups, and the consumers whose information was compromised. When this happens, the first thing many of those will ask is “how did the breach happen?” and the second thing they will ask is “what steps did the company take before the breach to protect the data and keep this from happening?”
When the company has been proactive and prepared for this, it can minimize the potential enforcement actions that will come against it, if it can show two things: First, that it had strong data security policies and procedures in place. Second, that its data security policies and procedures had been properly audited. The message that these two steps sends is that the company had taken its data security obligations seriously and that it was diligent in following up to ensure that it had done so. Something as simple as this can make a very big difference when others, such as those governmental bodies, agencies, industry groups, or even a jury, look back with the 20/20 vision of hindsight and decide if the company should be penalized because of the data breach.
* * *
The framework for reporting on internal controls for data privacy at service organizations has already been established. You may be familiar with Service Organization Control (“SOC”) reports. SOC reports include both SOC 1, which is intended for reporting on service organization controls over financial reporting, and SOC 2, which is intended for reporting on service organization controls to meet the Trust Services Principles Criteria. The Trust Services Principles Criteria has five defined principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Currently, the demand for SOC 2 Privacy reports has been minimal, but the demand will likely increase as more organizations seek to gain assurance over their service organizations’ compliance with the growing number of data privacy regulations.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.