Image: Jewelers Vigilance Committee (JVC)
In the first part of this two-part series, which appeared in the January 2022 issue of Rapaport Magazine, I discussed some of the basic questions you should be considering with your lawyers, staff and specialized cybersecurity professionals. This builds on those questions and covers a few concrete policies you can implement in your business today to take steps toward compliance with the many cybersecurity and privacy laws that are proliferating worldwide. As mentioned in part one of this series, you should consult with your lawyer and other service providers that specialize in this practice area for tailored advice that suits your business needs. Please use this blog series as a springboard for these important conversations.
1: Manage internal access to data and update access regularly
Part one of this series recommended noting the locations of your digital and non-digital data, particularly sensitive data such as that of employees and customers. Once you map out the locations, you should analyze who has access to this data. For example, does your entire retail or warehouse team share a desktop where they can easily access your customers’ names and addresses? If yes, does the entire team require this level of access to customer data? Do you keep physical employee files in an unlocked drawer or keep digital files on a computer that is not password-protected and shared by other members of your household?
Every business should carefully consider putting policies and controls in place to ensure every type of data is only accessible to necessary users. This will help your business detect and minimize unauthorized data uses and disclosures.
2: Implement transparent supply-chain data policies
Internal housekeeping is one thing, but what about your supply chain’s data use and policies? If you have not already started asking your vendors and business partners what policies they implement to comply with cybersecurity and privacy laws, now is the time to start. After all, if you use any third parties for tasks such as processing orders, sending out marketing materials, or other purposes, you’ll want to know if their houses are in order as well. You also want to ensure you are not sharing more information than you need to with third parties or receiving more information from third parties than is necessary to perform your business functions, as there are strict data use and transfer laws and considerations, and these laws carry harsh penalties for noncompliance.
3: Implement regular employee and non-employee training on cyberattacks and the importance of data protection
The people who work for you are one of your biggest assets…and one of your biggest vulnerabilities. All it takes to expose your company’s data — including that of employees, customers, and trade secrets — is one unsuspecting person falling for a scam or using an open network. To minimize the likelihood of cybercriminal success, your business should require regular training and education. You can start by having everyone on your team read the Jewelers Vigilance Committee (JVC) article on mitigating the likelihood of cyberattacks (jvclegal.org/covid-19-cyber-attacks-on-the-rise-protect-yourself-and-your-business). Then, work with your lawyer on implementing more complex mitigation strategies in your business. Most lawyers specializing in this area will recommend trusted cybersecurity professionals to assist in training your team, risk mitigation, and more.
4: Develop an incident response plan with your lawyer and experts
We can all agree that being proactive is better than being reactive. Don’t wait for a cybersecurity incident to occur to develop a response plan. You will save yourself time, money and reputational harm if you have a plan in place to detect and respond to threats such as ransomware attacks and viruses. You can also spare your company legal censure if you are aware of your legally mandated notification and remediation requirements. As your lawyer will surely tell you, many cybersecurity and privacy laws contain breach notification requirements. This means that if certain information your business holds is impermissibly acquired, accessed, used or disclosed — i.e., breached — then you may have to notify the affected customers, staff, law enforcement, or other third parties. These laws vary by state and country. For a state-by-state breach notification chart, you can check out the International Association of Privacy Professionals’ website at iapp.org/resources/article/state-data-breach-notification-chart.
At the risk of boring you with repetition, I strongly encourage you to work with your lawyer and cybersecurity professionals to develop an incident response plan. The JVC is the jewelry industry’s legal guardian and advocate, so if you are not yet a JVC member, I urge you to join online at jvclegal.org for articles and alerts on data use, cybersecurity and privacy.
Nothing written in this article or series should be interpreted as legal or professional advice. Article from the Rapaport Magazine - May 2022. To subscribe click here.