Why should attorneys be concerned about cybersecurity?

In most organizations, especially in local government, responsibility for cybersecurity has traditionally been handed to Information Technology and is managed entirely by an IT Director, CIO, or contractors and managed service providers. Typically, these IT-centric cyber and information security programs are ad hoc rather than comprehensive. This is exactly the wrong approach, and it is not a practice described in any information security standard or framework. Attorneys have a major role to play in cybersecurity.

According to a 2015 Ponemon Institute study, only 13 percent of local governments have mature cybersecurity programs. Attorneys can and should help solve this enormous problem by providing proactive guidance and leadership. Excellent cybersecurity programs are built on policy and procedure rather than on technology, so attorneys are a natural fit to participate in cybersecurity programs.



Major information breaches occur daily and only a small percentage of these make headline news. The most infamous of these include Equifax, Marriott, Yahoo, Target, and Anthem. In many local governments and small to medium enterprises, the cybersecurity programs are not sufficiently robust to even identify whether a breach has occurred.

If your organization has a breach or other catastrophic information disaster, you'll be deeply involved in the aftermath and cleanup. It's what attorneys do. However, if you get involved before the disaster, you can probably prevent the disaster from occurring in the first place.

Local government organizations bear enormous information risk, but public sector boards and managers are rarely aware of just how much risk they are facing. County governments typically hold enormous quantities of PHI (Protected Health Information) and PII (Personally Identifiable Information). They rarely have programs in place that are sufficient to secure this statutorily protected information, and most of these organizations are not in compliance with HIPAA and other regulations.

It is easy to identify whether your organization has a standards-based cybersecurity program.

4 indications that your organization doesn't have a cybersecurity program

Risk assessment report

Can you lay your hands on a recent risk assessment? Every information security standard, framework, or regulation requires formal, periodic risk assessments. If you don't have a risk assessment, you simply don't have a rigorous cybersecurity program.

Risk management program and plan

Your periodic risk assessment should be followed by documented processes and procedures to remediate the deficiencies discovered in the risk assessment. These activities should be formally reported to senior management and the governing body.



Top management and board oversight of information and cybersecurity

If senior managers, executives, and your governing board are not involved in oversight of your cybersecurity program, you don't have a rigorous program. The board should ask questions, and it might be a good idea to have a board-level committee overseeing your cyber and information security programs. NACD, the National Association of Corporate Directors, has an excellent document that defines the questions boards should be asking about cybersecurity.

Comprehensive information security policy

A comprehensive information security policy for a complex organization such as a local government should be substantial - 25 pages or more. The HIPAA Security Rule requires a minimum of 40 policies and HIPAA actually sets a pretty low bar.

Standards and Frameworks

There is no reason for the existence of ad hoc information security programs, especially in the public sector. There are several generally accepted and widely available frameworks for building a comprehensive information security program. These are either free or downright cheap and they describe exactly how to build an information security program in any organization. A comprehensive approach is not expensive and there are generally no capital expenses involved.

ISO/IEC 27001

This is the international standard for building an information security program. It is available from the ANSI web store for $138. It is roughly 30 pages and describes exactly how to build a solid program.

NIST Framework for Improving Critical Infrastructure Cybersecurity

This framework was created by NIST (The National Institute of Standards and Technology) and it is a risk-based approach to developing a cybersecurity program. It is available for free. Links are in the companion document to this page -- see the download link at the bottom of this page.



HIPAA Security Rule

The HIPAA Security Rule is a federal regulation (45 CFR parts 160, 162, 164), but it describes a framework for building an information security program for an organization that maintains PHI.

Other regulations, guidelines, and policies

There are many state and federal regulations that govern information security for municipal government.

CJIS (Criminal Justice Information Services) has a security policy for law enforcement agencies using its information products. Depending on what state you are in, your State Archives, comptroller, attorney general, or other agencies may have additional requirements for public sector organizations to follow. As the information security landscape constantly grows more complex, public and private sector organizations often fail to respond to new regulations and threats.

Building or improving your program

Municipal governments typically have all the resources they need already on staff to build excellent cyber and information security programs. One of the first steps a local government should take is to establish an Information Governance committee to oversee the program and policy development. The composition of a good committee might include representation from the following departments:

Governing Board

Legal

Human Resources

Executive Management

Records Management

Information Technology

Security

Corporate Compliance

Staff members who actually work with protected information

Department managers who manage information (Public Health, Mental Health, Social Services, County Recorder, etc.)

I don't like to see these committees too top-heavy with senior management. Most top-down initiatives, at least in my experience, fail. A good information security program needs top-down, bottom-up, and inside-out management.

Resources for attorneys

I have created a resource document with links to all the information required to build a standards-based cybersecurity program - click the red button at the bottom of the page to download the PDF. Good luck with your program and feel free to get in touch if we can provide further assistance. You might also want to watch my 28-minute video, "Cybersecurity, cyber risk, and liability in local government."

