Cyber Security and Data Privacy & Protection: Q&A with Conference Co-Chair Jeanette Fitzgerald

844L16_header (1) Jeanette Fitzgerald, EVP and General Counsel, Epsilon, will be co-chairing ACI’s 18th Advanced Global, Legal and Compliance Forum on Cyber Security & Data Privacy and Protection, January 28-29, 2016 at the Park Hyatt Washington in Washington, D.C. In anticipation of the conference, check out our recent Q&A with Jeanette. How will the Wyndham decision affect the way “due diligence” is defined, with reference to the protection of digital security? Digital security is an inviolable foundation on which every company involved with data must be built.  The Wyndham decision has reinforced this notion, prompting some businesses to re-evaluate their information security practices, safeguards, and continuous monitoring processes.  While companies may interpret “due diligence” differently, as a result of the decision, businesses should take into consideration the FTC’s interpretation of cyber security practices per Section 5 of the FTC Act, as well as take into consideration FTC Consent Orders regarding data breaches.  Both should be utilized in the modeling of cyber security practices.  What questions should you be asking third party vendors when you share data with them?                Any vendor must share – and define through their processes – a commitment to digital security.  Vendor security risk assessment is vital prior to sharing data with any organization.  There are five key areas that we look at when evaluating a vendor’s security:  What personal information is collected; how is that information protected; what third-party relationships does the vendor hold and how is data handled and protected within that relationship, what are the vendor’s privacy and security policies, procedures, and practices; and what prior incidents have taken place within the vendor’s environment.  Additionally, third-party vendors must comply with any regulatory or contractual obligations with which your company is required to comply.  Appropriate reviews and approvals should take place within IT Security, Risk Management, Legal and Accounts Payable areas of the organization. Who should be on the digital forensic and data breach response team? A data breach response team must be inclusive of many different areas of the company, although in a very controlled manner.  Though digital forensics and the IT Security team are the initial investigatory part of a data breach response team – along with external law enforcement officials – it is vital to include members of the executive, legal, public relations, and human resources department, as well.  All should be included at the beginning of the investigation in order to ensure that an appropriate response is provided and in a timely fashion.  Additionally, it is important to include business team members that might have the need to respond to customer inquiries, as it is important to ensure that all team members and corporate representatives are providing the same information externally. 844L16_header (1)           When: Thursday, January 28th to Friday, January 29th Where: Park Hyatt Washington – Washington D.C. Learn More:   Keep the discussion going and join us on Linkedin: ACI: Financial Services – Legal, Regulatory and Compliance Professionals Follow Us on Twitter: @ACILegal   To join the conversation use #ACICyber