In-house counsel should be able to answer these questions about his or her organization’s legal and business cybersecurity risk profile
BY DAVID FAGAN, JAMES GARLAND, KURT WIMMER
FEBRUARY 19, 2015
In the wake of the much publicized North Korean cyber-attacks against Sony — as well as recent favorable rulings for the plaintiffs in class action lawsuits pending against Target — cybersecurity is at the forefront of many corporate boards’ and general counsels’ agendas for the coming year. The focus is only likely to increase in light of the legislative proposals recently announced by President Obama and featured in his State of the Union address. Here are five foundational questions that every in-house counsel should understand when evaluating his or her organization’s legal and business cybersecurity risk profile:
1. What actions has your company taken to reduce the likelihood and impact of potential cyber intrusions?
Many companies implement controls that focus on protecting their networks and systems against incursions by external attackers, but they have less developed approaches to security once an attacker gets into the network. Such an approach may not adequately safeguard the “crown jewels” of a company’s enterprise, including valuable trade secrets, sensitive personal information, financial information, business plans and health records. Indeed, given the multiple potential sources for compromise, a more comprehensive approach that develops heightened security controls around the most sensitive data and assets is essential to reduce the risk to the organization.
This is important not only for managing the business risks associated with cybersecurity, but also for reducing exposure to legal risks; business partners, regulators and other finders of fact may all increasingly consider such a defense-in-depth approach to security a necessary and reasonable standard of care. In turn, counsel can play an important role in working with internal IT and security experts and other critical business functions to develop an appropriate data classification approach and ensure that the most sensitive data and assets receive heightened protection.
2. Has your company established and tested an incident response plan?
A critical aspect of minimizing the costs of potential incidents is preparing for them in advance. This requires the development and maintenance of a written incident response plan as part of an overall information security program and testing the plan through simulations, including tabletop exercises that bring together key officers from the multiple functions and disciplines that are relevant to breach response (e.g., CIO/IT, security, legal, finance, HR, business units, etc.). Such a plan ultimately will not be a precise script for when an incident occurs, but it will help ensure that the right team and procedures have been identified in advance.
This is important not only to help expedite a response, but also to address regulatory risks and ensure that the company can be prepared to preserve applicable legal privileges in the event of a breach. If a breach becomes subject to regulatory scrutiny, the company will need to demonstrate that it had a reasonable plan in place to address incidents and made a good faith effort to follow that plan.