Imagine you are the manager of a bank that has just been robbed. The police gather evidence from the crime scene to try to identify the robbers. Then a federal official arrives to advise that you’re being fined for not doing more to prevent the theft. Then some state officials arrive to say that they’re fining the bank too, because some of your customers were residents of their states. Then you learn that you’re being sued by the customers whose money was taken.
For many companies in the United States, this scenario is playing out with increasing frequency following breaches in cyberspace. Securing your company’s network and protecting your valuable data is difficult enough in today’s Internet-driven economy. But to be treated by regulators and courts like an accessory to the crime after you’ve been hacked is truly adding insult to injury.
Or rather, adding injury to injury. Because defending your company against enforcement actions and class action litigation places financial burdens on the company at a time when it is coming to terms with the reputational and economic damages inflicted by the attack—and paying the costs associated with protecting customers.
The Federal Trade Commission and many state attorneys general have already marked their territory when it comes to data breaches, and the number of class action suits against companies that have been victims of breaches is growing steadily. Recent reports suggest the Securities and Exchange Commission may be taking another step toward official rules on cyber disclosures, which means companies could face even more regulatory scrutiny—and shareholder litigation—in the years ahead.
In this environment, companies have to move aggressively and proactively to prevent—and mitigate the consequences of—a breach. The single most important step a general counsel can take is to engage in a comprehensive review of the company’s information governance before a breach occurs. Not only will this type of proactive review help reduce the risks of a breach, it also will be an important part of your company’s defense in the litigation and enforcement proceedings that are likely to follow.
Simply put, regulators and courts will be far less likely to blame the victim company for the breach if that company can demonstrate the steps it took in advance to protect its data and reduce its risks.
This type of review requires more than just the IT department, or even an outside network security firm—it also involves a host of legal issues. Moreover, in order to ensure attorney-client privilege for the results of such a thorough review, it is best to have it commissioned by outside counsel.
To maximize the protection for the company, the review should address the following nine areas:
1. Review privacy notices and practices
Compare your privacy notice with your company’s actual practices to make sure you’re doing what you say you’re doing. Otherwise you could be in the sights of the FTC for deceptive trade practices.
