It is becoming common knowledge that the barrage of data security breaches, including the recent Yahoo and Experian breaches, can cause severe disruptions, financial costs, and liabilities in the workplace. As Yahoo’s now ex-General Counsel and former top security officials from Experian could attest, heads can roll following a data security breach. In-house counsel—who regularly help their companies balance business realities and legal requirements—are at particular risk of being “scapegoated” for organizational failures that lead to major breaches. The best way to protect the company and preserve the counsel’s job security is to proactively help identify and address data protection and cyber security issues. Here are three action items to consider in assuming this data leadership role.
1. Review and Improve the Existing Data Security Program
Counsel should ensure that their company maintains a robust and annually updated data security program. This includes a written information security plan (WISP) and, ideally, both an incident response plan to guide the company’s actions in the event of a major breach, as well as an emergency response plan to ensure business continuity and data recovery in the event of a disaster or major computer event. This review should include consideration of:
- The extent and importance of all sensitive data the company retains, including intellectual property and customer lists not typically protected by state or federal data laws.
- The locations of such information in both paper and electronic formats.
- The operational, technical, and policy protections that are in place to minimize opportunities for data loss and intentional theft.
- The insurance coverages, if any, that would help secure reimbursement of ensuing costs or losses.
Many businesses have weak or outdated programs, or focus almost entirely on IT protections. These poorly documented plans, often completed without legal input, fail to address organization-wide risks. Counsel can minimize company risks and protect themselves from blame following a breach by conducting a review and internally advocating for improvements if the program is incomplete, outdated, or ineffective. Outside technical and legal expertise is also recommended to ensure a complete review, but this should not delay initial priority efforts to identify any likely program weaknesses.
2. Keep Top Management Informed
Counsel should seek to help ensure that top company management remains well-informed on data security issues. If a company holds significant business-critical data, the data security program and related practices should be a “C-Level” issue that is regularly discussed by the board of directors and other top management. If it is not (and data issues remain out of sight at many companies), counsel should advocate internally to change this top-level negligence. Counsel should encourage the company’s management to devote attention and resources to its data security program, commensurate with the importance of the sensitive data to the company’s long-term success.
3. Support Advance Planning for Breach and Emergency Response
Companies often find themselves unprepared for major data thefts, losses, or business-affecting emergencies. If the company does not have a written incident response plan as part of its WISP, counsel should push to develop one that includes consideration of:
- The key members, identified by name and contact information, who will be needed to manage a potential breach, including in-house team (WISP responsible manager, IT, HR, operations) and external consultants/resources (outside breach counsel, computer forensics, computer auditing, PR/crisis management).
- Key actions to be taken in the initial hours, days, and weeks after discovery, including engaging breach counsel, documenting the date and time of discovery, securing the affected area, undertaking an immediate forensic investigation in the event of a system hack, and conducting preliminary interviews of involved employees.
- Contacting insurance brokers to confirm potentially applicable coverages and to issue any required notices.
The same plan development imperatives apply to emergency response plans that address business continuation and recovery in the wake of disasters or major computer events.
In sum, a data security program is only as good as its weakest link. Counsel can avoid blame in the event of a breach by attending to data security issues and seeking to fix weak links overlooked by busy company executives. Counsel should do their jobs—and in so doing protect their jobs—by pushing for advance planning relating to these major events, and by being a team player in helping the company to execute these plans in the event they are needed.