In-House Counsel as Cybersecurity First-Line Defenders

The business world today is dramatically different than it was just a couple years ago. Out of necessity and convenience, companies have become increasingly reliant on newer technologies, such as cloud-based applications and mobile platforms. As such, the separation between corporate and personal devices has blurred as employees regularly use their own hardware to access corporate networks and conduct work on behalf of their employers. Meanwhile, data volumes continue to escalate at an incredible rate, making data management a top-of-mind challenge for many organizations. These changes to the enterprise IT infrastructure mean that, more than ever, corporations need to have cybersecurity policies and plans in place to help safeguard corporate data and minimize exposure to legal and regulatory risks.

While in-house counsel may not have an in-depth knowledge of a company’s data environment, they are still critical first-line defenders in the fight for cybersecurity. From education to policy development to developing response plans, corporate counsel play a significant role in ensuring corporate data remains secure and in mitigating liability should a breach occur.

Understanding Cybersecurity

If in-house counsel are to effectively serve as champions of cybersecurity, they must first develop a thorough understanding of the problem.

First, know that no industry is safe from a cyberattack. True, some sectors assume a disproportionate percentage of overall data breaches. For example, according to our “2013 Trustwave Global Security Report,” in 2012, the retail industry made up 45 percent of all data breach investigations—the highest of any sector. Still, cyberattacks occur across all businesses, regardless of size, sophistication, or product type. Furthermore, certain industries are governed by regulations that can dramatically increase the cost associated with a data breach. For example, the Graham-Leach-Bliley Act contains provisions that require financial services companies to establish privacy safeguards to protect consumer information and to alert consumers in the event of a data breach. Likewise if an organization handles cardholder information for credit or debit card purchases, it must abide by the Payment Card Industry Data Security Standard (PCI DSS), a set of industry-issued security requirements. Noncompliance with PCI DSS not only makes cardholder information vulnerable to cyberattacks, but it can also result in card companies levying major monetary penalties against the organization in possession of the cardholder information.

Second, understand that data breaches can affect anyone who has a relationship with the company. Customer and employee data are likely targets for attacks because of the sensitive nature of this information. But other parties stand to be affected by a data breach as well, including vendors, suppliers, shareholders, and investors. Once again, there are laws and regulations that protect certain parties that can increase the damage of a security breach. For instance, the Health Insurance Portability and Accountability Act (HIPAA) establishes privacy protocols for the protection of employee health-related information.

Third, understand the types of harm that a single data breach can invite. Obviously, there are a number of significant costs associated with data breaches—outside counsel and forensic investigation fees, the resources and time required to conduct an investigation, business interruption, potential regulatory fines, and potential notification costs, to name a few examples. Data breaches can also result in unquantifiable costs, such as reputational damage, that can have a long-lasting impact on customer trust and the organization’s bottom line.

Finally, in-house counsel should have a basic overview of the types of activities that can result in a cybersecurity breach. Not all data breaches are the result of a malicious cyber-attack. True, external hackers and disgruntled employees are likely perpetrators of cybercrimes. However, many data breaches are caused by a lack of education or an oversight by an otherwise trustworthy employee. For example, if an employee establishes a weak password to protect access to information on the corporate network, an external hacker can easily exploit the weakness to gain entry to sensitive information.

Establishing Policies

Featured Firms

Law Offices of Gary Martin Hays & Associates P.C.

75 Ponce De Leon Ave NE Ste 101

Atlanta, GA 30308

(470) 294-1674

www.garymartinhays.com

Law Offices of Mark E. Salomone

2 Oliver St #608

Boston, MA 02109

(857) 444-6468

www.marksalomone.com

Smith & Hassler

1225 N Loop W #525

Houston, TX 77008

(713) 739-1250

www.smithandhassler.com

Presented by BigVoodoo

More From ALM

As generative artificial intelligence inspires one of the biggest transformations in generations, Practical Guidance continues to provide the latest tips to help you prepare for the rapid evolution in the way attorneys work.

Practical Guidance Journal: Protecting Work Product in a Generative AI World

Brought to you by LexisNexis®
Download Now

The recent SEC release comes with significant changes for private fund managers. Hear expert insights on what happened, what it means, and what the compliance considerations are.

Countdown to Compliance: SEC Private Fund Reforms

Brought to you by Ontra
Download Now

Find out what features make a code of conduct most effective. Hint: it’s not just the rules.

9 Ethical Code of Conduct Examples for the Business Professional

Brought to you by LRN
Download Now

Premium Subscription

With this subscription you will receive unlimited access to high quality, online, on-demand premium content from well-respected faculty in the legal industry. This is perfect for attorneys licensed in multiple jurisdictions or for attorneys that have fulfilled their CLE requirement but need to access resourceful information for their practice areas.
View Now

Team Accounts

Our Team Account subscription service is for legal teams of four or more attorneys. Each attorney is granted unlimited access to high quality, on-demand premium content from well-respected faculty in the legal industry along with administrative access to easily manage CLE for the entire team.
View Now

Bundle Subscriptions

Gain access to some of the most knowledgeable and experienced attorneys with our 2 bundle options! Our Compliance bundles are curated by CLE Counselors and include current legal topics and challenges within the industry. Our second option allows you to build your bundle and strategically select the content that pertains to your needs. Both options are priced the same.
View Now

From Data to Decisions

Dynamically explore and compare data on law firms, companies, individual lawyers, and industry trends.

Exclusive Depth and Reach.

Law.com Compass includes access to our exclusive industry reports, combining the unmatched expertise of our analyst team with ALM’s deep bench of proprietary information to provide insights that can’t be found anywhere else.

Big Pictures and Fine Details

Law.com Compass delivers you the full scope of information, from the rankings of the Am Law 200 and NLJ 500 to intricate details and comparisons of firms’ financials, staffing, clients, news and events.

General Counsel Summit (GCS) 2024

August 12, 2024 - August 13, 2024
Sydney, New South Wales

General Counsel Summit is the premier event for in-house counsel, hosting esteemed legal minds from all sectors of the economy.

Learn More

General Counsel Conference Southwest 2024

September 18, 2024 - September 19, 2024
Dallas, TX

Join General Counsel and Senior Legal Leaders at the Premier Forum Designed For and by General Counsel from Fortune 1000 Companies

Learn More

Women, Influence & Power in Law (WIPL) 2024

September 23, 2024 - September 24, 2024
Chicago, IL

WIPL is the original global forum facilitating women-to-women exchange on leadership and legal issues.

Learn More