As general counsel become increasingly involved in corporate cybercrime issues, data security is sure to be a hot-button topic for legal departments in 2017. So we talked with David Remnitz (DR), who leads Ernst & Young’s (EY) global forensic technology and discovery services practice and has spent more than 25 years consulting with companies, regulators and law enforcement on cybercrime response; and with Timothy Ryan (TR), an EY principal in cyber investigations and forensic technology. Here’s what they see coming in 2017:
Q: Surveys tell us that general counsel have become the go-to person for handling matters arising from a data breach. Are you seeing that?
DR: Yes, we are seeing chief legal officers and GCs involved as the nucleus, including the chief information officer, the chief risk officer in some instances, often a chief information security officer, and all the way up to the board of directors, along with outside counsel.
TR: In breach response, like any action that carries the possibility of litigation, general counsel better be involved. I frequently say that you can either work on preparing for a breach or you can wait for one to happen, but on breach day you will be enmeshed. Unlike the old days, there is no way that a GC cannot be involved in a breach response.
Q: What sort of trends are you seeing in cybersecurity?
DR: We are seeing an enlightened awareness of insider threats—risks brought by employees, contractors and trusted partners who are misusing information or taking information through inappropriate means for inappropriate purposes. And we are seeing increased hacking by external groups—defacing or disabling public websites, or stealing information of value, such as medical records, intellectual property information and financial data.
TR: We are also seeing that large breaches we investigate are frequently the product of a smaller unmitigated incident. There is often a series of small steps that go back months or years when the company saw something that needed fixing and it didn’t get fixed. Regulators are constantly looking at how companies prepare for a breach. A breach alone is not a scarlet letter (to regulators), but failing to prepare for one is. And we’re seeing that board members are increasingly concerned about not only risk to the company but also personal liability.
Q: What else should GCs expect in 2017?
TR: I would not be surprised in 2017 if we see a federal data breach law. Will it be more of a privacy law, or an information security law? For example, a hospital being shut down and machines taken offline for a while due to malware normally is not a reportable event, but we might see that it becomes one in 2017.
DR: We’ll see increased participation and policy development around mobile computing and telecommuting. And increased board-level cyber awareness and involvement, along with increased participation by the C-suite. We are just beginning to see that now, with the CEO of one of the biggest companies in America now sitting on the company cyber advisory committee.