The landscape of U.S. data security compliance is fragmented, complicated, and rapidly evolving. The interplay of HIPAA, GLBA, state PII laws, and other data security regimes, along with the emergence of state-level comprehensive consumer privacy laws, requires vigilance and practicality to maintain compliance and manage risk.
We help clients by advising on data security compliance, incident response readiness, and critical security incident response.
Security Compliance & Risk Management
Effective data security cannot simply be delegated to the IT Department; it requires a focus on both compliance and risk. We work with you to:
- Map applicable data security requirements for your organization;
- Establish compliant data security policies;
- Advise on service provider data security compliance; and
- Enable defensible disposition of unnecessary information, to lessen risk.
Security Incident Response Readiness
It’s a when – not if – world for data breaches. Your IT security team may have an incident response plan in place, but that plan will not prepare you for all that must be handled. Also, only a fraction of data breaches will first cross the radar of your IT InfoSec team.
When handling a data breach, many channels of activity must be coordinated, such as Security, Legal, Forensics, Law Enforcement, Regulators, Insurance Coverage, Public Relations/Communications, Stakeholders, Notifications, and Personnel Management. Effective readiness requires understanding what may be needed in each of these activity channels, and also how to manage them simultaneously to avoid unnecessary delay, cost, and risk.
We help you lay the groundwork in advance for these response activities, so that structure, direction, and resources for dealing with critical data security incidents are ready when needed.
Critical Security Incident Response
When protected information is compromised or lost, we help you determine your legal responsibilities and next steps. We can guide you through the requirements and options for compliant response to a critical security incident:
- Incident investigation, including use of forensics experts;
- Analysis of whether and how notification requirements apply to the incident;
- Notifications, including use of notification service providers;
- Legal holds for the security incident;
- Coordination with law enforcement agencies;
- Collaboration with public relations and crisis communications providers;
- Consideration of liabilities of service providers and other responsible parties; and
- Analysis of cyber liability and incident response insurance coverage.