Cybersecurity has been a buzzy topic for the last couple of years. Almost all companies maintain information in electronic form, and when these companies connect to the internet, that electronic information is at risk. Additionally, many industries are subject to legal obligations to keep certain customer and client data private, and security breaches involving that type of information can create real, long-term problems (and possible legal exposure!) for a company.
Good cybersecurity practices to prevent unauthorized or malicious incursions into computer systems and databases are a must these days. Whether dealing with personal information of customers, confidential business information of partners, or the organization’s own proprietary information, the need for cybersecurity applies almost across the board. This need became urgent some years ago for critical infrastructure systems and assets, which led to an Executive Order in 2013 directing the development of standards and best practices by the National Institute of Standards and Technology (NIST), a department of the U.S. Department of Commerce. NIST has since promulgated and made available to government, industry and the public a comprehensive framework for cybersecurity standards and best practices. This framework is known simply as the NIST Cybersecurity Framework.
The Framework was designed to help organizations to better understand, anticipate, manage, and reduce their cybersecurity risks. While originally designed with cybersecurity for critical infrastructure systems and assets in mind, the Cybersecurity Framework is applicable to businesses of all sizes, even startups. The Framework can help a business determine which activities are most important based on the business’ critical operations and service delivery. By determining the priority of various cybersecurity needs, a business is able to minimize its investment in cybersecurity and to obtain maximum impact from the investment it makes.
The Cybersecurity Framework has uses beyond simple computer system security. For example, the Framework is useful in contracting for software and computer services, whether those services are provided by your business to others or purchased by your business for your own or your customers’ use. By providing enumerated standards and a common language, the Framework can help ensure that all parties are on the same page when negotiating cybersecurity features and controls. The Cybersecurity Framework also provides a common language to assist communications among executives, IT professionals and operating units about cybersecurity risk management within your organization. As a business grows, having clear standards and ways to communicate streamlines the adaptation process as cybersecurity needs grow and new cybersecurity challenges are addressed.
At first glance, the Cybersecurity Framework seems unwieldy and excessive for a small business. NIST has anticipated this, and it maintains special programs to assist small businesses with the adoption and deployment of cybersecurity best practices. NIST has recently published a website targeted directly at small businesses, which can be found at https://www.nist.gov/itl/smallbusinesscyber. Among other things, NIST’s small business website maintains a list of helpful guidance by topic, which can be found at https://www.nist.gov/itl/smallbusinesscyber/guidance-topic#apg. The guide entitled Information Security for Small Business: The Fundamentals, NISTIR 7621, is a great place to start. The NIST Computer Security Resource Center (https://csrc.nist.gov/) is another key resource for accessing NIST’s cybersecurity and information security-related projects, publications, news and events. NIST actively coordinates with the SBA (Small Business Administration), and resources are available through that avenue as well.
As an example of the benefits of having at least rudimentary cybersecurity standards in place and having knowledge of cybersecurity best practices even in your company’s earliest days, I point to the non-disclosure agreement (NDA). Many ventures run into NDAs right away, sometimes even before their entities are formally organized. One of the standard clauses in an NDA governs what happens to a party’s confidential information at the end of discussions or upon a termination of the business relationship. Most NDAs provide that the owner of confidential information has the right to request at that time that its information be returned or destroyed. Given the nature of electronic information, it often makes more sense to destroy or delete this type of information than to try to return it, since the return process can create additional copies all along the way.
When deletion or destruction of electronic copies (and hard copies) is elected, however, the same NDAs fail almost uniformly to prescribe a standard by which adequate deletion/destruction is measured. This is where NIST can step into the breach. NIST has promulgated standards for secure deletion and erasure of information in Special Publication (SP) 800-88 Revision 1: Guidelines for Media Sanitization. These standards can be referenced in the NDA as the standard by which destruction of confidential information will be measured. The practices outlined in SP 800-88 Rev. 1 may also be helpful as employees leave your organization through resignation or termination and your company is faced with having to recover devices, or company information stored on employee devices.
Without having a company cybersecurity standard or being aware of cybersecurity best practices, your company may not avail itself of these simple ways to protect its valuable information.
Even for the earliest startups, it is never too early to start thinking about cybersecurity. The NIST Cybersecurity Framework provides a helpful place to start. NIST is currently developing a Privacy Framework. With the General Data Protection Regulation (GDPR) in Europe, California’s upcoming implementation of new privacy regulations under the California Consumer Privacy Act (CCPA) and the various existing requirements for data privacy, guidance on standards and industry best practices is needed, especially for small businesses. We will provide a summary and update once the new Privacy Framework is released.
This blog does not provide legal advice and does not create an attorney-client relationship. If you need legal advice, please contact an attorney directly.