What Inside Counsel Should Know About Information Security

This is the first of four articles brought to you by an information security attorney, aimed at helping corporate counsel understand the threats, mitigation and legal nuances relating to information security.

It’s not new for inside or in-house counsel to wear many hats, such as advising their organizations on transactions, employment issues, merger or acquisition discussions, bankruptcy filings, trade secret and intellectual property protection, and more. However, one issue that most corporate attorneys have yet to take on is dealing with the legal risks posed by information security issues.

There are, of course, understandable reasons for this passive oversight. To date, the functional protection of information has fallen mainly in the hands of the information technology group.

Inside counsel today are taking on new responsibilities when it comes to information and technology, from eDiscovery management working with technology like Relativity to support their litigation management needs, to establishing policies relating to pre-litigation planning, and even participating in document review management.

Being security-savvy is quickly making its way up the list of skills inside counsel must possess. In fact, information security and new legislation have brought information security matters to the doorsteps of in-house counsel, but a vast majority are unprepared to handle such breaches.

It will happen to you (eventually)

We’re all familiar with the stories of what seem to be daily information security breaches that have affected companies like Target, Home Depot, Neiman Marcus, Sony and others. Too often, we see businesses adopt a “security by obscurity” mindset, or the belief that “it just won’t happen to us.” But with a growing number of data breaches occurring, it seems that merely trying to remain undiscovered (or under-protected) will prove to be a foolish approach in the long term.

Statistics report that of 500 large U.S. companies, more than 125 had or currently have advanced persistent threats within their organization that were or are currently sending information, documents and intelligence to third parties. These third parties include malicious hackers, paid hackers-for-hire in commercial espionage scenarios, and even hackers associated with hostile governments.

Are you really, truly prepared?

Few in-house counsel truly consider the fallout that would occur in the event of an information security breach. Stories of hackers obtaining trade secret information, attorney-client communication or work product, social security numbers and other demographics are harrowing enough on their face. Consider the costs of investigating such a breach and the imminent litigation following the loss of such intimate customer data. Also consider what effect your trade secret data in the hands of your competitors would have.

A flurry of questions arises in the boardroom in the event of an information security breach. For example, would you even know if data went missing? When was it taken, and who took it? Do they still have access to our data, or our customers’ data? What if this becomes public and ruins our reputation? How will we recover? Who is held accountable within the organization?

Answering these questions and others can be extremely difficult and expensive. It requires security consultants, attorneys, auditors, advisors and, in some cases, law enforcement assistance. Investigations can take years to fully understand and fix, and oftentimes the reputational damage is simply irreversible.

The more prepared your organization is for a data breach, the better your odds are of surviving a breach.

In my next article I’ll begin to uncover the top threats hackers use to obtain the information and access they desire. The three most common threats include:

  1. The use of social engineering attacks;
  2. Technical vulnerabilities and exploits;
  3. Bad actors, such as disgruntled insiders or departed employees.

As inside counsel, it’s your responsibility to understand the nature of these threats in order to assess the legal risks posed and how to best protect your organization.
