Create a Written Information Security Program, Please

If you’re running a tech company, you almost certainly have to implement “reasonable security measures." The best way to show that you've done that is by creating a written information security program (WISP).

tl;dr

  • If you're running a B2C company, you need to implement "reasonable" security measures so you can comply with the FTC, GDPR, and other consumer-protection regulations.
  • If you're running a B2B company, you need to do the same to comply with your customer agreements.
  • The best way to prove you've implemented "reasonable" security is to draft a written information security program (WISP).
  • Your WISP will specify, among other things, the security risks you're facing, the preventive measures you're taking, who's responsible for them, and what you'll do in the event of a breach.

Disclaimer: What follows isn't legal advice; it's general legal information. Consult an attorney to match legal requirements to your particular situation.

Whatever kind of company you're running, you need to implement "reasonable security measures."

Section 5 of the FTC Act, Article 32 of the GDPR, the California Privacy Protection Act, various state student privacy protection statutes, and your end-user/customer agreements (e.g., "we will implement no less than industry-standard and reasonable security measures to protect . . . .") all require you to implement reasonable security measures.

You can use a WISP to show you've done that.

How do you prove reasonableness? A well-crafted, complete WISP does the job nicely. It shows that you've considered the security risks you're facing, implemented protective measures, and prioritized your mitigation efforts.

OK fine, but how important is a WISP?

Your beautifully-crafted WISP can save you a lot of money.

Consider Target. After hackers stole 40 million Target customers’ credit cards, the FTC investigated and . . . then . . . did nothing. No complaint, no press release, nothing. While we don’t know why the FTC chose to back off, the best guess is that Target had well-documented security policies and a well-staffed, highly-competent security organization. As a result, Target satisfied its obligations to provide commercially reasonable security measures even though it was epically pwned.

Compare that with Twitter, the newest poster-child of poor security practices (don't worry Twitter, some other company will come along and mess up worse than you did). In 2009, Twitter had an easily-pwnable admin console that, predictably, got pwned, and the FTC brought the hammer down in the form of a consent decree. Now, in the 2020 version of the Twitter hack, the FTC is likely going to impose a multi-million-dollar fine.

Added bonus: Some state statutes specifically require a WISP.

Furthermore, some states specifically require a WISP and have sued breached companies—like Equifax for a $18M settlement—for failing to have one. Note: this requirement only applies if your company stores information that could be used to access a financial account (like name + credit card number or name + state ID).

Added bonus (part two): A WISP also makes B2B contracting easier.

A WISP can assist your sales and contracting efforts. For example:

  • Customer security diligence: You can provide it, under NDA, to prospective customers who are performing security diligence.
  • GDPR-compliant Standard Contractual Clauses: You can excerpt it to fill in the part of the clauses which requires you to specify your "technical and organisational security measures."

Drafting a WISP

Here are the elements of a WISP:

  1. A risk assessment that lists assets, threats, consequences, and security measures (there are many examples and systems for doing this).
  2. A breach response plan.
  3. A third-party vendor risk assessment that is integrated into your contracting process. At the very least, your vendors should rep that their vendor-assessment statements are true. At the very best, you should thoughtfully work vendors' answers into the commercial agreement.
  4. A list of accountable employees.
  5. Regular auditing and testing.
  6. Employee training.

If you don't know where to start, the IAPP has a model WISP.

If you want to know more about basic security measures you should be taking (and, to be clear, the measures you should be taking is within the expertise of your engineering and IT team), this Latacora blog post is great.

Given that you'll use the WISP both as an employee-facing document and one you'll want to provide to regulators, you will want to draft your WISP in a clear, concise, and useful way.

Project management corner: Who should do what?

Because assigning ownership is the key to success on every project, here are a few words on how I would divvy up responsibilities:

Lawyers:

  • What:
    • Project-managing the creation of the WISP;
    • Identifying gaps in the WISP requirements; and
    • Crafting a complete, camera-ready WISP.
  • Why they should own it: The lawyers have the strongest incentive to draft a good WISP because, in the event of breach-related litigation or governmental investigations, they'll be the ones using the WISP to show that the company implemented reasonable security measures.

Security engineers and IT:

  • What: Creating the content (the risk assessment, vendor security assessment process, employee training, etc.).
  • Why they should own it: It's their job.

Fin.