We would advise our clients that work closely with entities qualifying as “critical infrastructure” (which largely means energy, health care, transportation, financial services, heavy manufacturing, and food and drugs) to follow these best practices to stay in legal compliance:
Do you have a data breach plan in place? If you store any individual’s personally identifiable information, including credit card numbers or other sensitive information, you should already have a plan in place that complies with the applicable state breach-notification laws, so that you can report any breach to the appropriate authorities. This plan should cover both the technical response that mitigates the harm and the reporting obligations to the appropriate agencies.
Are you in compliance with national security and transparency requirements? If you do business with any federal agencies, or with companies that do, start asking them what they consider appropriate for your situation. If you are in a heavily regulated industry or would be considered “critical infrastructure,” your requirements are likely to be shaped by the publications of the National Institute of Standards and Technology (NIST) or by your specific industry regulators.
Do you have a Written Information Security Plan (WISP)? If you do business with any “critical infrastructure” entity, you should be prepared to provide notices and information about data breaches.
Another important question: how much must you disclose about a breach while still protecting the privacy of the individuals whose personal information was involved? Make sure that you and your contractors have plans in place for this.
What is your policy for periodic risk audits, and how effectively do you use their results to address your vulnerabilities?