This article was published in the Association of Corporate Counsel's South Carolina newsletter.
Businesses face immense and ever-growing cybersecurity risks. Some businesses focus 100% of their resources on preventing a security incident, on the theory that defense is the best offense. However, most CISOs agree that the days of preventing every breach are long gone, and the focus is increasingly on responding to a breach and minimizing its impact. Businesses that rely solely on prevention will be left flat-footed and stumbling if, and when, a breach occurs. As our coaches always said, “failure to plan is planning to fail.”
Microsoft covers all the bases well. Microsoft recently disclosed a breach[1] but was able to quickly respond to the threat, remediate the incident, and prevent further malicious activity. Sure, most businesses are not Microsoft, which recently pledged to spend over $20 billion on cybersecurity over the next five years,[2] but every business can develop a sound information security program that allows its teams to reasonably secure the environment and respond to incidents in a timely fashion.
An information security program needs to be ready for game day without knowing what day the game will be played. By continuously adjusting for best practices, monitoring industry developments, and identifying vulnerabilities, a program can be kept in a state of preparedness. An information security program includes an incident response plan as one of several policies and procedures. Some are technology-focused, such as patch management, change management, and access controls; others are personnel-focused, such as computer use policies, bring your own device (BYOD) policies, and travel policies.
In the aftermath of an incident, information security program documents are the first thing counterparties and regulators request in the increasingly common litigation and regulatory investigations that follow. Producing well-documented, robust policies and procedures helps demonstrate the business’s competence and care, and evidence that the policies were actually implemented and used underscores the point. Gone are the days of a “check-the-box” exercise of saying the right things and posting the right documents. Companies should work with their legal advisors both to develop the necessary documents and to normalize the policies and procedures within the organization.
This article is intended to highlight the fundamental documents your information security program needs and what those documents entail. Not only will these documents serve as a beacon during a breach, but they will also serve as the foundation of the business’s cybersecurity and data protection program.
Information Security Policy (Info Sec Policy)
The first and most important document in an information security program is the Info Sec Policy, which sets the foundation and tone for the entire program. It should outline the purpose, scope, and principles of the program; its governance structure; key roles and responsibilities; broadly applicable definitions; key points of contact; and a list of every policy, internal and external, maintained under the program.
While there are many key points to an information security program, identifying all the documents in the program will have the biggest return on investment. Without one central list of documents, a business will have a haphazard patchwork of stakeholders who are familiar with some, but not all, of the documents. A good test of resiliency is to ask, “if Jane were to retire tomorrow, is there someone who knows where all the documents are like she does?” Even if the answer is yes, other employees should be able to find a central list of documents, not just those who have the same level of knowledge as Jane.
A key to the policy is ensuring roles and responsibilities are clearly defined to effectively delegate tasks allowing for accountability and operationalization of the program.
The goal is to allow any person to pick up the document and understand, at a high level, how the entire information security program operates.
Information Classification and Handling Policy
As noted in the name of the policy, there are two separate but interrelated portions: classification and handling. The classification portion identifies levels of confidentiality and sensitivity of information. The information covered is all data held by the organization, whether an internally developed invention for which a patent has not yet been filed or personal data collected from consumers in order to provide services. A typical policy has three levels of classification: (1) confidential, (2) sensitive, and (3) public. Flow charts, questionnaires, and/or examples of what information falls into which category help employees make accurate determinations. Each level comes with its own restrictions, limitations, and required degree of attentiveness. The handling portion spells out, for each level, what those restrictions are in practice: where the information may be stored, how it may be transmitted, and who may see it.
As with all policies, but especially with an Information Classification and Handling Policy, enforcement is critical to avoiding mistakes. Enforcement is done best through education and training, detailed steps that remove ambiguity where possible, and frequent testing and review of controls. If certain employees repeatedly fail to adhere to these policies, disciplinary action is needed to protect the personal data customers have entrusted to the business and the trade secrets employees worked hard to develop.
Access Control Policy
Your business holds information, some of it sensitive, whether personally identifiable information or confidential business information. Different sets of employees require access to different sets of information, and they may access it in different ways.
The Access Control Policy governs who can access what information, from where, and when. A policy that limits access on an individualized basis better protects data, information, and physical spaces from unauthorized access. This is the principle of “least privilege”: users of the business’s systems (electronic and physical) should have the least access needed to do their job and nothing more. For example, John in accounting does not need access to the database holding consumer names, social security numbers, and credit card details. Least privilege also decays over time: access granted for a project or a prior role should be removed when the need ends, so the policy should require periodic access reviews and prompt removal of access when an employee changes roles or leaves. Additionally, the Access Control Policy should address the points of entry to the systems, which may include workplace access, remote access, mobile access, and physical access.
Access controls not only prevent unauthorized access to personal data, but also help ensure that trade secrets and other confidential information are limited to need-to-know personnel.
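The following is an added example, not code from the article, showing how the classification levels from the Information Classification and Handling Policy and the least-privilege rules from the Access Control Policy combine into a single access decision. The role names, the scope of each role, and the rule that confidential data is only reachable from a workplace or VPN session are illustrative assumptions; the decision is deny-by-default, so anything the policy does not know about is refused rather than guessed.

```python
"""Least-privilege access decision combining information classification with
points of entry. Example added by the editor; not from the article.
Assumptions (not from the article): the role names, each role's scope, and
the rule that confidential data requires a workplace or VPN session."""
from __future__ import annotations
from dataclasses import dataclass

# Classification levels from the article, ranked least to most sensitive.
CLASSIFICATION = {"public": 0, "sensitive": 1, "confidential": 2}

# Role -> (highest classification the role may read, resources in scope).
# Assumed roles and scopes for illustration.
ROLE_ENTITLEMENTS = {
    "accounting": ("sensitive", {"ledger", "vendor-invoices"}),
    "customer-support": ("confidential", {"customer-db"}),
    "marketing": ("public", {"website-assets"}),
}

# Points of entry named in the policy; confidential data needs a managed session.
KNOWN_ENTRY_POINTS = {"workplace", "vpn", "remote", "mobile"}
ENTRY_POINTS_FOR_CONFIDENTIAL = {"workplace", "vpn"}


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: Resource
    entry_point: str


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Deny by default: an unknown role, an
    unclassified resource, or an unknown point of entry is refused."""
    if req.role not in ROLE_ENTITLEMENTS:
        return False, f"unknown role {req.role!r}"
    if req.resource.classification not in CLASSIFICATION:
        return False, f"unclassified resource {req.resource.name!r}"
    if req.entry_point not in KNOWN_ENTRY_POINTS:
        return False, f"unknown entry point {req.entry_point!r}"

    ceiling, scope = ROLE_ENTITLEMENTS[req.role]

    # Need-to-know: the specific resource must be within the role's scope.
    if req.resource.name not in scope:
        return False, f"{req.resource.name!r} outside {req.role} scope"

    # Classification ceiling: the role may not read above its clearance.
    if CLASSIFICATION[req.resource.classification] > CLASSIFICATION[ceiling]:
        return False, (f"{req.role} cleared to {ceiling}, "
                       f"resource is {req.resource.classification}")

    # Point of entry: confidential data only from a managed session.
    if (req.resource.classification == "confidential"
            and req.entry_point not in ENTRY_POINTS_FOR_CONFIDENTIAL):
        return False, f"confidential data not available via {req.entry_point}"

    return True, "allowed"


if __name__ == "__main__":
    customer_db = Resource("customer-db", "confidential")
    # John in accounting: the database is outside his scope, so denied.
    print(decide(Request("john", "accounting", customer_db, "workplace")))
    # Jane in support is cleared, but not from a mobile device.
    print(decide(Request("jane", "customer-support", customer_db, "mobile")))
    print(decide(Request("jane", "customer-support", customer_db, "vpn")))
```

The order of the checks matters: scope (need-to-know) is tested before the classification ceiling, so an employee who is cleared for confidential data in general still cannot read a confidential dataset that is not part of their job.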
Incident Response Plan
When a breach is discovered or ongoing, the Incident Response Plan should be the first thing your team turns to. The plan outlines roles and responsibilities, identifies the steps in the incident response process, and refers to definitions of key legal terms, such as personally identifiable information.
The plan identifies key internal contacts, such as the Chief Information Security Officer, the Privacy Officer or privacy attorney, the General Counsel’s Office, and other primary stakeholders (such as the Communications and Public Relations teams). Looping in all members early ensures that key deadlines and requirements are met. The plan may also identify key external stakeholders, such as law enforcement, the attorney general’s office, and the insurance carrier, which often must be notified within a set period to preserve coverage.
Among other priorities, the plan should stress documentation of how the incident occurred, what actions were taken, who was notified, and what was done to prevent a recurrence. Documentation allows the response team to give external stakeholders a clear and consistent account of the incident. Any wavering or change in the story, unless new facts come to light, may be read by external stakeholders as dishonesty rather than mere disorganization.
Last, depending on the data your business collects, an Incident Response Plan that includes definitions of key privacy terms such as personally identifiable information, protected health information, or educational records will help guide those outside the General Counsel’s division. Legal terms are often broader than they sound, and conveying that to the response team allows the right data to be scoped to meet other legal requirements, such as data subject notification.
Business Continuity and Disaster Recovery Policy (BCDR Policy)
The most important policy for getting business operations back up after an incident is, of course, the BCDR Policy. It differs from the Incident Response Plan: the Incident Response Plan focuses on addressing and mitigating risks to information systems, while the BCDR Policy outlines how the business will continue to function when an event disrupts operations. Disruptions include cybersecurity attacks and IT equipment failures, but also natural disasters such as a fire at your headquarters or a flood where your servers are located.
The BCDR Policy identifies the critical assets and operations of the business, the key personnel who make decisions in a time of crisis across different divisions, proactive strategies to improve resiliency, and a reactive strategy for getting operations up and running. When outlining the reactive strategy, think of it as a timeline of acceptable loss (in practitioner terms, a recovery time objective and a recovery point objective for each critical system). Within the first four hours of a crisis, the key personnel should be aware of it and have put the policy into action. Within twenty-four hours, communications should be going out to internal and external stakeholders, an inventory of damage should be nearing completion, and critical data should be restored from backups or warm standby systems activated. Before the fifth day, more routine functions are online and equipment and systems are being repaired. These targets only hold if backups are tested by actually restoring from them and at least one copy is kept offline or otherwise isolated, since ransomware routinely targets any backup it can reach.
The variables are usually outside the business’s control, but identifying the ideal reactive plan sets expectations so that key personnel are not making decisions on an ad hoc basis.
Document Retention and Destruction Policy
The Federal Trade Commission, new state privacy laws, and other sector-specific laws are increasingly focused on document retention and destruction, especially regarding personally identifiable information. To meet legal obligations and follow industry best practices, a business increasingly needs a document retention schedule. The retention schedule details how long each type of document and/or personal information is held by the business. Businesses may retain information to provide ongoing services or to meet legal record-keeping obligations.
However, far too often, businesses retain stale information because they might be able to use it in the future. Document retention schedules reinforce data minimization, which can be a business’s best friend: it decreases the cost of storing terabytes of unused data, and, if a breach occurs, there is less information for a threat actor to obtain.
Document destruction, or “media sanitization” as some call it, outlines how employees destroy information based on where it is stored. A USB drive cannot just be tossed in the trash and be considered “destroyed”; it must be wiped of all data. Note that deleting files, or even overwriting them, is not reliable on flash media such as USB drives and SSDs, because the device controller decides where data is physically written; the accepted approaches are cryptographic erasure (destroying the key of an encrypted device) or physical destruction, as described in NIST Special Publication 800-88 on media sanitization. Likewise, shredding documents with personal information is not sufficient under certain state laws if the information is not rendered unreadable.
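The following is an added example, not code from the article, showing how a retention schedule is applied mechanically to stored records. The categories, retention periods, sample records, and the `legal_hold` flag are illustrative assumptions rather than figures from the article or from any statute. Two practitioner caveats are built in: records under a legal hold are never deleted, and records whose category is not in the schedule are set aside for review rather than silently kept or silently purged.

```python
"""Applying a retention schedule to stored records. Example added by the
editor; not from the article. The schedule values, record categories, sample
records and the legal_hold flag are assumptions for illustration only."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Retention period in days per record category (assumed values, not legal advice).
RETENTION_SCHEDULE = {
    "marketing-lead": 365,
    "support-ticket": 2 * 365,
    "tax-record": 7 * 365,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False  # destruction is suspended during litigation


def classify_for_retention(records: list[Record], today: date):
    """Split records into (keep, delete, review) lists of record ids.

    A record is deleted only when its category has a scheduled period, the
    period has elapsed, and no legal hold applies. Uncategorised records go
    to review because the schedule cannot say how long to keep them."""
    keep, delete, review = [], [], []
    for r in records:
        period = RETENTION_SCHEDULE.get(r.category)
        if period is None:
            review.append(r.record_id)
        elif r.legal_hold:
            keep.append(r.record_id)
        elif r.created + timedelta(days=period) <= today:
            delete.append(r.record_id)
        else:
            keep.append(r.record_id)
    return keep, delete, review


# Constructed sample records, evaluated as of 1 June 2024.
AS_OF = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("lead-1", "marketing-lead", date(2022, 1, 15)),           # expired
    Record("lead-2", "marketing-lead", date(2024, 3, 1)),            # current
    Record("ticket-1", "support-ticket", date(2021, 5, 1), True),    # expired, on hold
    Record("tax-1", "tax-record", date(2019, 4, 10)),                # within 7 years
    Record("misc-1", "scanned-form", date(2015, 1, 1)),              # no category
]


def run_sample():
    return classify_for_retention(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    keep, delete, review = run_sample()
    print("keep:  ", keep)
    print("delete:", delete)
    print("review:", review)
```

In practice the `delete` list feeds the destruction procedure described next, and the `review` list is the signal that the classification policy and the retention schedule have drifted apart and need reconciling.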
The Federal Trade Commission’s enforcement trends highlight the importance of data minimization and retention. In the past few years, the FTC has brought enforcement actions against companies for their failure to delete information “that is no longer necessary”[3] and requiring those companies to establish an information security program that includes policies and procedures “to minimize data collection, storage, and retention, including data deletion or retention policies and procedures.”[4]
Retention and destruction can be split into two separate policies depending on the information collected by the business, the nature of the processing, and the sensitivity of the data. Knowing how long data is stored and how it is discarded is critical when third parties or regulators come knocking after a security incident.
Conclusion
This article does not, by any means, provide an exhaustive list of the policies or areas a business must consider. For example, an Encryption Policy and a Patch Management Policy are two other key components of an information security program. The policies included in this article should give you a good foundation if you are tasked with building one. It is a daunting task to complete all of these policies, and it may be expensive if you bring in outside counsel, but the exercise will significantly reduce the legal risk facing your business. Additionally, creating a culture of compliance through documentation will never show up on the balance sheet, but it will foster open communication and keep the business’s name out of the headlines. As noted at the beginning, having the policies is only one step. It is important to integrate them into company culture.
The information security world is a game of offense, defense, and strategic moves to stay ahead of the bad guys, but, as a lawyer, it does not matter whether you win or lose, as long as it is well-documented.