In light of the recent Equifax breach disaster, you and your staff are no doubt inundated with new offers, renewed plans, and emboldened claims to “secure your data”…yeah right. (Just like they secured Equifax?) I constantly hear security products advertised on the radio or in various places on the web. Here’s what you really need to know to successfully secure your data.
Understand that a lot of what a sales person may be telling you, or that is “claimed” in the brochure (yes, a website is just an online brochure), is likely to be “disclaimed” by the contract. For software and cloud-based applications, that contract is usually called a ‘license’ or ‘terms of service agreement’, and by clicking “I agree” you have, by and large, agreed to all of its terms and conditions. The simple solution is to ask to read the disclaimers first. If you cannot get a copy of the disclaimers before the sales presentation, you are probably not getting a good product.
- Question the use of the term “customizable”.
‘By whom?’ should be the focus of your inquiry. Generally, a software or web application vendor will have limitations on how much they will customize, and they will generally “disclaim” (there’s that word again) what they do customize. Many make it sound like a great idea for you to do the customizing yourself, but have you read the thousands of pages of security regulations that may be required of your business? Are you getting CERT alerts? Do you even know what CERT is? It’s US-CERT, the United States Computer Emergency Readiness Team, where you can learn about cyber-security and the latest system threats and weaknesses. For the most part, your security program must be customized to your environment, but the customization should be performed by a professional who stands behind their work. Absolute guarantees are tough to get and probably shouldn’t be expected, but there should be something of value to back up the expertise.
- Know your rights if you are dissatisfied.
Spoken like a lawyer, I know, but considering what happens if you are not happy with the product or service can tell you a lot about what you are about to purchase. Is there a refund offer, a fee to cancel, or a multiphase termination procedure? Consider whether you can call a live local representative with questions or whether you have to communicate with a robot at the end of a seemingly endless telephone tree. Find out how the product is integrated into your systems and what the mechanism is for disengaging it, if necessary.
- Research, Research, Research.
Do some homework or get some assistance before you purchase any security program. Know how the application actually makes your data more secure, and be very wary of the cheapest solutions. Oftentimes, the easiest thing for a vendor to do is copy the regulations and provide access to them, but that is no different than printing off the entire Federal Register and claiming it’s your security manual. Be mindful that data security mechanisms are going to continue to evolve, so keep your consultant’s number handy. Most regulations require periodic security audits or reviews and, if you care about securing your data, you should too.
In order to make sure your company has a strategic plan in place for data protection, it is best to consult with a lawyer to find the best solution.
Julie-Karel (JK) Elkin focuses on IT and Health Data, Litigation (Business and Commercial, Insurance Coverage and Bad Faith) and Products Liability law in the Nashville office.
This blog contains general information about legal matters. The information is not advice, and should not be treated as such. Communication of information by, in, to or through this blog and your receipt or use of it: (1) is not provided in the course of and does not create or constitute an attorney-client relationship; (2) is not intended to convey or constitute legal advice; and (3) is not a substitute for obtaining legal advice from a qualified attorney.