Last week's Global Privacy Summit presented by the International Association of Privacy Professionals provided attendees with many important insights and practical tips for protecting the privacy and security of information. In case you missed it, here are some of the highlights:

  • "Attorney-directed" data incident response is a best practice in order to preserve the confidentiality of information developed during the response investigation. (Tim Ryan, Managing Director, Cyber Security and Investigations, Kroll). You must anticipate litigation for every data incident. Class action suits by shareholders, customers, business partners and employees are beginning to get traction in the courts. In fact, litigation is becoming the number one consequence of data incidents. Non-attorney consultants cannot shield findings from discovery by the class action plaintiffs' lawyers.
  • "Buyer beware" when purchasing cyber-insurance. (Mark Greisiger, President, NetDiligence). The type and variety of cyber-insurance policies have increased dramatically in the past few years. These policies vary widely in terms of policy limits, the amount of financial risk retained by the insured, the types of data incidents that are covered, and the types of data incident costs that are covered. It is important that those shopping for cyber-insurance carefully consider what data breach risks they are trying to insure and which policies best address those risks. Do not hesitate to engage qualified consultants to advise on your policy choices.
  • "Data compromise is inevitable." (Malcolm Harkins, Chief Security and Privacy Officer, Intel). There are six core principles that drive this: information wants to be freed; code wants to be wrong; services want to be on; users want to click; even robust security features can be used for harm; and the efficacy of security controls deteriorates over time, so static controls aid the attacker.
  • Employees account for the majority of data breaches. While some of these are "malicious" attacks committed by disgruntled employees, most are simply honest mistakes. It is important to understand that simply building more security walls to block outside threats will not prevent many of these "insider" breaches.
  • Privacy touches all aspects of your business. This should be no surprise to readers of our blog, however. Since our blog was founded five years ago, we've suggested that issues of privacy and data security will increasingly touch all businesses, in all industries, as technological innovation continues to dramatically change the ways that we do business.
  • Your Incident Response Team Must Be In Place Before An Incident Occurs. Then, when an incident occurs, you will be able to respond quickly on a substantive basis, rather than wasting time assembling your team. Your team must be interdisciplinary, including high-level management, information technology, relevant vendors, human relations, public relations / crisis management, and legal representatives. Ideally, you would include outside counsel from the outset, as many jurisdictions do not accord in-house counsel the same level of privilege protection as they do outside counsel.
  • Have good policies and procedures that are regularly followed. As with all areas of the law, it is important to have good policies and procedures in place, and to follow these procedures consistently. If you structure your organization with the goal of protecting your information (and your employees' privacy), you will be better equipped to avoid a data breach or privacy violation, and you will be better protected in the case of an eventual (inevitable) breach.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.