Source: Above the Law | David Lat | October 19, 2016
Cybersecurity is — and should be — a major concern for lawyers. Earlier this year, for example, we learned about Russian hackers targeting top Biglaw firms.
But cybersecurity isn’t just an issue for attorneys in law firms. It also presents challenges for in-house lawyers, who often find themselves on the front lines of response when the companies they represent get hacked, exposing the private, confidential information of thousands or even millions of customers. Some say that if you work for a big enough company, it’s not a matter of if you’ll be hacked, but when.
Given the importance of cybersecurity for corporate America, boards of directors need to focus on this issue. In-house lawyers can and should play a crucial role in helping the board understand and act on cybersecurity — as discussed in “Getting the Board on Board: Explaining Privacy and Security Risks to the Board,” a session at the 2016 Annual Meeting of the Association of Corporate Counsel (ACC), featuring the following panelists:
- Olga Mack (moderator), General Counsel, ClearSlide, Inc.
- Julie Gruber, EVP, Global General Counsel, Chief Compliance Officer and Corporate Secretary, Gap, Inc.
- Edward T. Paulis III, VP & Assistant General Counsel, Zurich North America
- Steven Walker, General Counsel & Managing Director, National Association of Corporate Directors
- Felix Wittern, Partner, Fachanwalt für IT-Recht, Mediator, Fieldfisher
(Olga Mack’s name should ring a bell for Above the Law readers; she is one of our in-house columnists.)
Executives ignore cybersecurity and privacy issues at their peril. Felix Wittern mentioned one company where the CEO and general counsel failed to address cybersecurity adequately. On the bright side, because of many high-profile data breaches, companies and their leaders are sitting up and paying attention. Steven Walker, who deals with many board members through his work at the NACD, said that he feels better about cyber and privacy issues today compared to a few years ago.
“This is theft,” said Paulis, describing his view of hacking and cybersecurity violations. “You need to have shotgun riders on your stagecoaches. The board must be proactive.”
Of course, it’s not possible to eliminate all threats to cybersecurity — and every reduction of risk comes with cost. Deciding how far a company will go in protecting itself against cyber threats is a board-level decision, according to Paulis. The analysis should begin with figuring out where your valuable information is and what your vulnerabilities are, and then proceed to analyzing what resources should be spent to protect what data.
A company needs to figure out where it wants to be in the pack on cybersecurity, Gruber said. Not every company can be a leader on this issue; depending on the nature of your company, the risks you face, and the investment required to reduce those risks, you might be content to be in the middle rather than at the front of the pack. At the same time, Gruber added, “you don’t want to be the slowest bear in the woods” — because hackers are very good at detecting and exploiting vulnerabilities.
So how should a board of directors address cybersecurity and privacy issues? The panelists offered several recommendations.
1. Board minutes should reflect discussion of cybersecurity and privacy issues. This analysis should include an express weighing of risks, and boards need to ask harder and harder questions of company executives, Gruber said.
2. Involve the whole board. “Risk is a full team sport,” Walker said. So these issues shouldn’t just be dumped entirely on the audit committee; rather, multiple committees and the full board should be involved.
3. Don’t have a designated “cyber expert” board member. This risks making the other board members complacent on cybersecurity and privacy. A director’s duty to ask tough questions can’t be delegated, Paulis stressed; all board members need to be up to speed.
4. Use current events to frame discussion. One way to get a board’s attention and focus is to use a recent data breach in the news — because there always is one, Gruber noted — as a jumping-off point. This can give a concreteness and urgency to the analysis.
5. Trust, but verify. Directors should have access to outside experts who can give them a level of comfort about management’s approach to cybersecurity issues.
6. Hire vendors and other third parties to evaluate and enhance your cybersecurity framework. Unless you work for a cybersecurity company, odds are that you don’t have the proper resources in-house to adequately protect yourself against the latest threats. Retain a good vendor before you face a crisis, and work with that vendor to test your systems a few times a year — i.e., run a “fire drill” that lets you practice implementing your data incident response plan.
7. Insurance isn’t a panacea. Some insurers are working on models for insuring against cyberthreats, but this market is still nascent. Pricing and scope of coverage remain uncertain, and policies can be expensive (so some companies choose to self-insure).
8. Work with your non-legal colleagues to educate and inform the board. In-house lawyers have an important role when it comes to cybersecurity and privacy, given the legal and regulatory issues involved, but they are by no means the only players. Olga Mack urged lawyers to work with all the appropriate colleagues — the chief technology officer (CTO), the chief information security officer (CISO), the head of human resources — to help the board deal with these complex subjects.
Regardless of what approach a company decides to take on cybersecurity and privacy, that approach should not be static. The technological landscape and the threats to cybersecurity are constantly changing — so in-house lawyers and corporate boards must be ready and willing to change as well.
David Lat is the founder and managing editor of Above the Law and the author of Supreme Ambitions: A Novel. You can connect with David on Twitter (@DavidLat), LinkedIn, and Facebook, and you can reach him by email at firstname.lastname@example.org.