Using Data Security Policy Templates to Maximum Effect

Posted by Mark Greisiger

A Q&A with Ronald Raether of Faruki Ireland and Cox P.L.L.
Having written privacy and security policies and procedures in place is critical for organizations in an era when data breaches are an inevitable reality, which is why data security-focused law firm Faruki Ireland & Cox has created policy templates for clients. These templates are now available in the eRisk Hub® and I spoke to attorney Ronald Raether about how they should be used.

Why is there a need for these templates?
For almost 10 years I have assisted clients in responding to data breaches. A significant part of that response is dealing with regulators investigating any such breach, and almost every regulator I encounter begins our discussion with questions about what policies and procedures my client had in place prior to the breach. These templates come from years of such experience and provide a foundation for any company to both assess their information practices and reduce them to writing.  If you have policies in place, your conversations with regulators, the press and others starts from a more positive position.   

Why did the firm focus on these specific policies when creating the templates?
We’ve emphasized these particular policies because these are the ones that typically matter the most to regulators, and they address specific regulations like HIPAA, GLB and PCI.

How would you recommend eRisk Hub members use the templates?
A mistake organizations make is taking a template or form and simply hanging their names on it without acknowledging their own specific needs. As a consequence you might end up with a policy that’s at odds with the organization’s regular activities. In fact, disregarding the policy or acting out against it can actually increase a company’s exposure. I tell clients, “don’t put anything in writing that doesn’t comport with your company’s culture and practices.”

Do you think every company needs every policy template in the Hub?
Most organizations will need all of these policies, but there are, of course, exceptions. For instance, if the company doesn’t allow its employees to use mobile devices to access the company network—rare, but still possible—then they won’t need the bring your own device policy.

How are these policies important when an event occurs?
As with any disaster response or emergency management plan where time is at a premium and disorder could reign, having a written plan is critical. Indeed, many companies make the mistake of believing that internal sources can respond. This often has disastrous consequences. Data breaches will be chaotic enough. Save yourself time, money and stress by defining your information management program, reducing that program to sound information policies and identifying expert outside resources during a period of calm. Establishing the policies and the discipline to enforce conduct so that it’s consistent with those policies can help investigators track down answers more easily when there’s a record of who was doing what and where. Secondly, it signals to the public—regulators, pundits and privacy advocates—that you’ve met the baseline requirements for security and privacy, which can help negate any early doubts if something should happen.

What are the limitations of policies, and what else do organizations need to have in place for legal protection?
Checking off the box of “having a policy” is of limited value if employees don’t understand how to implement it. Employees in any area of the business that will have contact with sensitive information need to be trained because compliance is a cost center. You also need to conduct regular audits to verify that these rules are used in practice. Having the policy is just the beginning.

In summary…
Mr. Raether has underscored the importance of employing policies that govern data security and privacy. We might also add that having a policy in place—one that is enforced—can mitigate one’s legal liability following a data breach event. Of course, security in and of itself is never one hundred percent effective. On the other hand, having nothing in place can show a lack of care and increase exposure following a breach incident.