Pub. 5 2014 Issue 3

Address Your Legal Obligations

Next, a financial institution must identify and ensure compliance with all applicable laws, regulations, and rules that implicate the information it keeps. Some familiar faces – such as the Gramm-Leach-Bliley Act and the Bank Secrecy Act – are already on the radar of most financial institutions. But don’t forget other sources. Your contracts with vendors create obligations. West Virginia state law requires a business to report when there is an unauthorized access and acquisition of personal information in certain circumstances. Under the Uniform Commercial Code, banks can be liable for certain fraudulent activity if they don’t maintain “commercially reasonable” security practices. Institutions with international ties may face additional obligations under foreign privacy laws, which tend to be stricter than those in the United States. And don’t forget about self-regulatory programs that you might be required to abide by because of industry standards or your participation in a trade group. There are numerous sources of law that establish minimum standards for your information practices, and you must be familiar with all of them.

Reduce Incident Risk

Once you understand your system architecture and the relevant law, it’s time to take concrete measures to reduce the risk of a cybersecurity incident. Often this starts with an audit of the procedures currently in place. From there, an institution can update existing information security, privacy, data breach and document retention policies. Your company can also increase the security of its day-to-day practices, which can include restricting data collection to only what is needed, controlling access to information, and segregating especially sensitive information. Don’t forget about your vendors during this process, either. You may be able to shift cybersecurity liability through your service contracts, and you may also be able to secure the right to audit your vendors’ security practices to ensure that they value protecting your customers’ information as much as you do. This is also the time to consider cybersecurity-specific vendors, such as services designed to detect and prevent attacks, as well as insurance policies that cover cybersecurity and data breaches. Finally, no matter how good your contracts and internal policies are, they are meaningless unless you implement, implement, implement. Make sure your employees understand the importance of the issue, and take measures to ensure that your new policies are being complied with.

Plan Ahead

Because perfect security is impossible, you must plan for the eventuality that your institution will someday experience a (hopefully minor!) data breach or other cybersecurity incident. If and when that happens, you will not have time to think . . . you must plan ahead. Who will be in charge of the response? How will your legal, human resources, public relations, information technology, and senior management teams work together to limit the damage, meet your legal obligations, and put your customers at ease? When and how will you communicate details of the breach to affected customers, and what services are you prepared to offer to them to help ease their minds and prevent additional damage? Thinking through these issues well in advance of an actual cybersecurity incident will help ensure that your organization is able to respond quickly, and give you the best chance to resolve the issue with as little damage to your bottom line and reputation as possible.

Stay Vigilant

Finally, financial institutions must remember that this is a quickly developing area of law. Complacence is your enemy. Your institution must keep up-to-date and be prepared to change its practices whenever necessary. Keep in touch with legal counsel about your questions, conduct annual audits of your procedures and their implementation, and make sure everyone in your institution remains vigilant about security issues.

These five steps can help your financial institution boil down the complex world of cybersecurity governance into smaller, more manageable tasks. Your institution may not have the resources of JPMorgan, but you are still a conscientious steward of your customers’ assets and personal information. A thoughtful examination, performed when your institution is not in a security crisis, can help ensure that you have taken the steps necessary to protect your institution and your customers against the evolving threats to your business.

Kurt R. Hunt is a member of Dinsmore & Shohl, LLP’s corporate department. He focuses his practice on privacy and public utility issues, particularly in the telecommunications industry.

Dinsmore is a full service corporate law firm with more than 500 attorneys practicing in 16 cities throughout the country. The firm has nearly 50 attorneys in four office locations throughout West Virginia, and is an associate member of the West Virginia Banker’s Association. For more information, contact David Thomas, the Office Managing Partner in Morgantown, at (304) 225-1422 or david.thomas@dinsmore.com.
