Don’t Forget YOUR Data Deserves Protection, Too

I’ll never forget showing a business executive some partially redacted Social Security Numbers we found on his HR manager’s unencrypted desktop computer. He exclaimed, “THAT’S MY SOCIAL SECURITY NUMBER !!!” making it very clear to him why ALL his company’s data needed to be found and protected.

When it comes to cybersecurity and compliance, as a defense contractor it’s easy to get sucked in to focusing on Controlled Unclassified Information (CUI) that is protected by DFARS. Taking such a narrow view of data protection can leave you open to a breach of other sensitive information, including workforce data that includes your own Social Security Number, your salary, and other sensitive information. It makes sense to take a selfish view of data protection along with the laws, regulations, contracts, and insurance contract requirements with which your organization must comply. You also shouldn’t forget general business information that you don’t want shared with competitors or others within your own company.

To develop a comprehensive cybersecurity strategy, you first must know what requirements you face. Then you must find and protect ALL your data.

As a defense contractor, you must comply with DFARS, the defense contract rule that protects CUI. The new DFARS interim rule requires you to post a self-assessment score of your implementation of the National Institute of Standards and Technology (NIST) SP 800-171 cybersecurity controls to get new contracts and renewals.

Don’t make the mistake of only protecting CUI and ignoring your other data.

You must protect all your data.

OTHER FEDERAL LAWS

DFARS doesn’t protect employee information. If you are collecting information about your workforce members’ health, including injuries, COVID testing, diagnoses, quarantines, and vaccinations, those records are protected under the American Disability Act (ADA). This information must be kept confidential, including storing medical information separately from an employee’s general HR file.

STATE LAWS

Every state has a data breach law that protects Social Security Numbers and Driver’s License numbers. Many states also protect medical information, health plan ID’s, and biometrics.

You must need to know where all this data hides, including Downloads folders, Desktop folder, and Recycle Bins on local desktops and laptops.

State laws have breach notification requirements that can be as short as 15 days after discovering an incident. State laws exempt encrypted data from breach notification requirements.

CONTRACTUAL OBLIGATIONS

I recently worked with a client that had signed over 30 contracts that included cybersecurity and incident notification requirements. Their IT department was shocked when we showed them what requirements had been filed away and not shared with them.

Prime contractors; federal, state, and local government agencies; clients/customers, and business partners now often include cyber requirements in their contracts. Don’t sign an agreement until you have reviewed the cyber and compliance requirements with your attorney and a cybersecurity expert, because it may include unreasonable processes and incident notification obligations. Don’t sign an agreement and just file it away. Be sure to share your contractual obligations with the departments that must follow them.

INDUSTRY REQUIREMENTS

Separate from laws and regulations, if you accept credit cards you must comply with PCI-DSS. Depending on your business or your role, for example, an HR Director, you may also have ethical confidentiality requirements tied to your industry or certification.

CYBER INSURANCE POLICY REQUIREMENTS

If you have a cyber theft or cyber liability insurance policy, the answers you gave on your application could cause your insurance company to refuse to pay millions of dollars in claims. A California company paid $ 9.1 million out-of-pocket when their $ 10 million cyber insurance policy wouldn’t pay off.

Answering ‘yes’ to “Do you encrypt your protected data?” means that ALL your protected data, not just the CUI you are thinking about, is ALWAYS encrypted. That includes your HR info. It also means voice messages on your computerized Voice over Internet Protocol (VoIP) phone service. And your emails. EVERYTHING.

If you file a claim with your insurance company and they find ANY protected data that isn’t encrypted, they may refuse to pay your claim.

OTHER SENSITIVE DATA

You probably care a lot about data that isn’t protected by compliance requirements.

Do you want the public, everyone in your company, and your competitors to see your payroll, tax returns, job offer letters, contracts, customer lists, plans, merger and acquisition information, etc.?

What could the financial impact be if this information was in the wrong hands?

What would your life be like if your Social Security Number was used to steal your identity?

What would be the cost if you couldn’t recover your critical business data after a ransomware attack or other disaster?

Including all your data in your cybersecurity program is the smart way to protect your organization… and yourself.