BACK
Article
July 2015
What does a General Counsel Fear the most in the Digital Age?
By Glenn D. de Gruy
Senior Partner
Assisted by Greer Hopkins, Director
Law schools lag behind in teaching cybersecurity, social media, and crisis management. Seasoned general counsel have been slow to catch up in learning how to mitigate data breaches. Continuing legal education (CLE), while required to maintain a current legal license, is often selected not based on topic but by convenience, location, and schedule. Administered on a state-by-state basis through the state supreme courts, the only CLE topics required are often Ethics, Substance abuse, and Professionalism. With billion dollar multinational corporations torn between the growing demand for managed enterprise solutions and the publicity nightmare of a data breach in the age of cloud computing, corporate attorneys cannot fail to have a firm grasp of cybersecurity, global regulations, and data use and security policies.
As organizations shift the majority of data and resources to a cloud or hosted environment, general counsel must understand the legal implications of moving that data and mitigating the associated risk. For general counsel, expertise in cybersecurity is critical to a corporation’s bottom line. Major cyber-attacks on CVS, Target, Home Depot, Sony, Anthem, JPMorgan Chase, and even the federal government, have heightened concerns about digital security. Customer encrypted passwords and credit card numbers are vulnerable to leaks, with dire consequences. The liability and potential class-action litigation that can erupt from large-scale attacks on public and private organizations can be incredibly costly.
As part of the executive team, general counsel must work with the heads of IT and security to ensure that robust security systems are in place. They must help to create procedures and policies to help to prevent an attack. Many CIOs are unprepared and untrained for security breaches and resulting legal implications. General counsel needs to take the lead. The courts, public opinion and the federal government have made it clear that cybersecurity and data privacy are front-burner issues. Taking steps, such as adding data security measures, preparing policies and procedures, and conducting training, are all important building blocks to a sound cybersecurity and data privacy program. A proactive general counsel must generate a data breach aftermath plan and not just wait for the worst to be realized. Failure to have a contingency plan is a costly mistake. Developing company-wide data breach recovery plans with the CIO/CTO, chief compliance officer, CFO, and chief risk/security officer can be the difference between a leak being quickly controlled and a public relations nightmare. Being prepared for potentially catastrophic events gives stakeholders, regulators, banks, customers, and shareholders confidence and trust in the organizations with which they do business.
Hackers and foreign governments are not the most immediate threat. Employees with access to company records must be trained to understand the organization’s current security policies and how to safeguard the company’s assets. Creating a culture of strong internal data use and security policies and the business leaders’ communication to workers of these polices, can prevent customer social security numbers, birthdates, salaries, and healthcare information being disseminated either through human error or malicious intent. The most common breaches are often loss and theft of a corporate or business partner asset (laptop or smartphone), phishing, an external attack targeting a business partner, and inadvertent misuse by an employee.
In July 2015, the Global Commission on Internet Governance reached the conclusion that cyberspace is slowly getting safer, although large scale attacks on public and private organizations remain a major concern. Concerted and coordinated international efforts in 2013 and 2014 by law enforcement agencies, regulators, and private companies have helped stem many occurrences. However, fears remain and the threat of large, costly breaches looms large. Educated and prepared general counsel can face this fear, and in doing so, strengthen the organization they help lead.
Senior Partner
Assisted by Greer Hopkins, Director
Law schools lag behind in teaching cybersecurity, social media, and crisis management. Seasoned general counsel have been slow to catch up in learning how to mitigate data breaches. Continuing legal education (CLE), while required to maintain a current legal license, is often selected not based on topic but by convenience, location, and schedule. Administered on a state-by-state basis through the state supreme courts, the only CLE topics required are often Ethics, Substance abuse, and Professionalism. With billion dollar multinational corporations torn between the growing demand for managed enterprise solutions and the publicity nightmare of a data breach in the age of cloud computing, corporate attorneys cannot fail to have a firm grasp of cybersecurity, global regulations, and data use and security policies.
As organizations shift the majority of data and resources to a cloud or hosted environment, general counsel must understand the legal implications of moving that data and mitigating the associated risk. For general counsel, expertise in cybersecurity is critical to a corporation’s bottom line. Major cyber-attacks on CVS, Target, Home Depot, Sony, Anthem, JPMorgan Chase, and even the federal government, have heightened concerns about digital security. Customer encrypted passwords and credit card numbers are vulnerable to leaks, with dire consequences. The liability and potential class-action litigation that can erupt from large-scale attacks on public and private organizations can be incredibly costly.
As part of the executive team, general counsel must work with the heads of IT and security to ensure that robust security systems are in place. They must help to create procedures and policies to help to prevent an attack. Many CIOs are unprepared and untrained for security breaches and resulting legal implications. General counsel needs to take the lead. The courts, public opinion and the federal government have made it clear that cybersecurity and data privacy are front-burner issues. Taking steps, such as adding data security measures, preparing policies and procedures, and conducting training, are all important building blocks to a sound cybersecurity and data privacy program. A proactive general counsel must generate a data breach aftermath plan and not just wait for the worst to be realized. Failure to have a contingency plan is a costly mistake. Developing company-wide data breach recovery plans with the CIO/CTO, chief compliance officer, CFO, and chief risk/security officer can be the difference between a leak being quickly controlled and a public relations nightmare. Being prepared for potentially catastrophic events gives stakeholders, regulators, banks, customers, and shareholders confidence and trust in the organizations with which they do business.
Hackers and foreign governments are not the most immediate threat. Employees with access to company records must be trained to understand the organization’s current security policies and how to safeguard the company’s assets. Creating a culture of strong internal data use and security policies and the business leaders’ communication to workers of these polices, can prevent customer social security numbers, birthdates, salaries, and healthcare information being disseminated either through human error or malicious intent. The most common breaches are often loss and theft of a corporate or business partner asset (laptop or smartphone), phishing, an external attack targeting a business partner, and inadvertent misuse by an employee.
In July 2015, the Global Commission on Internet Governance reached the conclusion that cyberspace is slowly getting safer, although large scale attacks on public and private organizations remain a major concern. Concerted and coordinated international efforts in 2013 and 2014 by law enforcement agencies, regulators, and private companies have helped stem many occurrences. However, fears remain and the threat of large, costly breaches looms large. Educated and prepared general counsel can face this fear, and in doing so, strengthen the organization they help lead.
