Larry Kinkaid, cybersecurity consulting manager at BARR Advisory, recently joined Tedrick Housh and Alexandra Bass, attorneys in Lathrop GPM’s privacy and cybersecurity compliance practice, for an in-depth discussion on how legal and security teams can effectively collaborate to navigate the modern risk landscape.
During their talk, the trio explored how legal and security requirements intersect and explained why it’s important for both teams to work together to establish an effective long-term plan for risk management.
As a cybersecurity consultant, Kinkaid said he appreciates a legal perspective when it comes to identifying compliance requirements for an organization. While frameworks like SOC 2, NIST, and ISO 27001 aren’t technically mandated by federal law, “now more often than not, I see these included within contracts,” Kinkaid said.
“While most of this is owned or managed within the shared responsibility of cybersecurity or infosec, there’s still the legal element that I lean very heavily on,” Kinkaid said about navigating customer contracts. “I’m going to throw in suggestions. We’re going to work together.”
Housh pointed out that while security regulations haven’t always kept up with advancements in the threat landscape, laws are changing rapidly at the state and federal levels. For instance, under New York’s financial data security legislation, “if you were not to have multi-factor authentication or if you were to have passwords in text form [rather than encrypting them], that would violate at least the basic requirements of these laws,” Housh said.
For organizations working to determine which requirements they are subject to, Bass noted that “there are some states with privacy laws and some states without.”
“There are currently 20 states with comprehensive consumer privacy laws” that address individual data protection, Bass said. This patchwork approach means that organizations may be required to notify users in some states of data breaches within 30 days, while other states don’t have specific requirements on timing.
“What’s interesting about data privacy regulation in the U.S. is that if you have a data breach and personal information or personal data is released or accessed by someone who shouldn’t, the law with respect to notice that applies…is the one in which the data subject resides,” Housh said.
“If you’re processing sensitive personal information, a number of these [states] will expect you to engage in a privacy impact assessment, so that you go through a process and create a document where you’ve looked at what you do to protect that data and who’s using it,” Housh added. “But for the most part, regulators and legislators have not tried to tread upon the expertise that folks in the cybersecurity group would have.”
Just because an organization isn’t legally required to disclose a breach doesn’t mean transparency isn’t the right approach, however. During their talk, the trio pointed to the widespread IT outages that occurred earlier this year as a result of a faulty CrowdStrike update.
“There are narratives that really focus on one element versus the other, when I think it was kind of a perfect storm,” Kinkaid said of the incident. “It’s never just one thing that failed,” he said. “CrowdStrike was one of the first people to admit that.”
Kinkaid added of CrowdStrike: “There were a couple of missteps I believe, but I think generally they did do a very good job of responding and being transparent about [saying], ‘Hey, this is where we are responsible within this whole mess and here’s what we’re doing about it.’”
The bottom line for businesses is that cybersecurity and compliance teams can’t function properly in a vacuum. Support from legal representatives is essential—especially in today’s environment, where the U.S. doesn’t have overarching federal privacy legislation.
“There’s always someone to blame or multiple fingers to be pointed, but what we forget is the ultimate culprit in all of these things are the threat actors,” Housh said. “They’re everywhere and they’re working hard.”
To hear the full conversation, access the webinar now on-demand.