If you are not already thinking about cybersecurity for your company, you should be. Regardless of your organization's size or industry, cybercrime is among the greatest threats to your bottom line today. Two of the most important steps a company can take are to train its employees regularly on proper cybersecurity practices and procedures, and to test its IT systems so it knows where its defensive weaknesses and vulnerabilities lie.
Businesses need to assess their own cybersecurity risks and openly exchange internal information in order to address and mitigate an actual breach effectively. Yet a company's internal assessment of its own weaknesses and of the gaps in its cybersecurity protections can, ironically, expose the company to greater danger in later breach litigation. A good-faith internal report of cybersecurity weaknesses can be read almost as an admission that the company found its protections for personal and confidential data to be inadequate. Similarly, in the midst of responding to a breach, the company's personnel need to exchange information about the incident quickly and without undue worry about how that information might look in a future discovery proceeding.
Involving the company's legal counsel in all important aspects of a cybersecurity risk assessment and breach response is therefore crucial, because of the protection that involvement can provide under the attorney-client privilege. The privilege shields confidential communications between attorneys and their clients from compelled disclosure when those communications are made for the purpose of obtaining legal advice. For the privilege to apply, the attorney must be genuinely involved and central to the communications: merely copying counsel on a routine technical report, or circulating a privileged report widely outside the legal team, can defeat the protection. Where it does apply, the privilege can cover communications relating to a cybersecurity risk investigation, which is especially valuable in litigation arising from a breach.
As an HR or L&D leader, you are responsible for conducting periodic employee training and monitoring employee activities. It is therefore important to ensure that your organization conducts cybersecurity training on a regular basis and that the training covers topics such as securing mobile devices; data safeguards for remote employees; password protection; and recognizing common threats such as social engineering, phishing and ransomware. Training should also explain the procedures employees must follow when they suspect that an attack has been attempted or has succeeded, including whom to notify and how quickly.
Design your cybersecurity training program around the principle that everyone has a role to play in maintaining a cyber-secure workplace. Make all training mandatory, and ensure that proof of attendance becomes part of each employee's personnel file. Doing so helps keep employee education current while also creating a record of reasonable training that can serve as evidence to support any defense to litigation your company may face in the aftermath of a breach. Maintaining such records may also be a condition of any cyber-insurance policy your company holds.
Begin data privacy training during onboarding by providing all data privacy policies and procedures to new employees. From their first day, employees should understand that timely notice of any possible data breach is crucial and that, while every data privacy event must be reported, innocent mistakes happen. Although you may discipline employees for breaches of data privacy protocols, it is important to foster an environment in which employees feel free to report problems and do not fear retribution for doing so; an incident reported late because an employee was afraid to speak up is far more costly than the mistake itself.