Is Your Privacy and Security Program Legally Defensible?
Your business case for privacy and security has multiple dimensions:
Mitigate company regulatory, legal, financial and reputational risks.
Protect customers and employees from financial, medical, and reputation risks associated with identity theft.
Protect company intellectual property and trade secrets and infrastructure and technology from compromise and business disruption.
Enable business development, M&A and investment opportunities.
PRESUMPTION OF A BREACH
Guidance from regulators and experts advises that organizations must presume they will suffer a breach, despite all reasonable efforts. Unfortunately, many compromised organizations learn the hard way that check-the-box compliance does not establish a legally defensible posture. This means that in addition to the direct costs of a breach, you are exposed to additional legal costs, regulatory fines and burdening oversight, such as a 20 year FTC consent order or a 3 year HHS resolution agreement. While legitimate issues, budget and resource impacts cannot alone be used to legally justify inaction or inadequate controls to a regulator or plaintiff lawyer, judge or jury. Organizations need to systematically and continuously identify foreseeable risks and apply reasonable standards of care to be in a legally defensible posture.
THE VALUE PROPOSITION
SoCal Privacy helps public and private organizations establish a lean, sustainable, legally defensible security and privacy program, including appropriate data governance with clear roles and responsibilities. We work with you to develop data flow, inventory, and locations mapping (data maps), and use these to help you identify foreseeable risks. These risks are then assessed, controls evaluated for effectiveness, and, where appropriate, mitigation plans developed to improve control effectiveness. We categorize data into sensitivity levels using a risk management approach, and help you develop scalable strategies, policies and procedures that match the strength of controls to the data sensitivity level, such as an enterprise cloud strategy. As another example, service provider requirements for due diligence, agreement’s reps and warranties, and periodic monitoring will be based on data sensitivity levels (risk).