The General Counsel's Role in Cybersecurity

Nicholas J Price

The growing threat of cybercrime has motivated lawmakers to consider how to pass fair laws for both individuals and corporations. Europe was the first to establish a data protection law with the enactment of the General Data Protection Regulation (GDPR). The prevalence of cybercrime and the emergence of new laws are forcing boards and their general counsels to work closely together with the chief information security officer (CISO) to make decisions about how to protect the company against cyberattacks, respond to data breaches and other attacks, and remain in compliance with applicable data protection laws within their own regions and around the world.

Past risk governance models worked well for physical and financial risks, but they fail to provide adequate protection for cyber risk. If a situation occurs, it's better for boards and their general counsel to get involved early on to prevent a full-blown crisis. Cybercrime calls for a team effort by the board, senior executives and the CISO. All three parties need to come to an agreement on how to properly handle cyber risks.

General counsels need to add tackling cyber risk to their existing duties. Beyond just adding cyber risk to their list of issues to deal with, they also must elevate its priority. The main question for general counsels to ask is whether the company could face litigation over cyber risk and how they should prepare to address it.

Cyber risk places general counsels in a challenging position considering the level of transparency that board members, consumers and regulators expect.

The General Counsel's Role in Cybersecurity

Some of the risks that companies are counting on their general counsels to help address are the loss of key data, legal penalties, regulatory penalties and issues related to the company's reputation.

Recent statistics show that cybersecurity is rightly becoming a growing priority for general counsels. According to the Association of Corporate Counsel's Chief Legal Officers 2018 Survey, over 25% of general counsels said that their companies had been victims of a data breach within the last two years, versus 22% that reported a data breach in 2016. Initial reports of a data breach often understate its extent. For example, the Equifax breach in 2017 remains one of the most concerning data breaches to date.

The initial estimate of affected accounts was stated to be 143 million. Subsequent reports increased that number to 145.5 million, and the company later increased it a bit more, to 147.9 million. General counsels need at least a minimum of cybersecurity knowledge and experience, which adds to the heavy responsibilities they already have on their plate.

It's not necessary for general counsels to have all the same technical information as an IT specialist, but they should be familiar with all the technical terms and have a basic understanding of them. They also need to be aware that cyberattacks can occur suddenly and can escalate rapidly.

Because of the seriousness of cyberattacks, general counsels need to re-evaluate their priorities and consider whether cybersecurity needs to be moved up on their list of priorities.

New legal concerns call for getting the legal team together and exploring answers to questions like the following:

  • What type of data and other personal information does our company store?
  • If that data were lost or stolen, what impact would it have on the company?
  • What data would be important to a cybercriminal if they could get their hands on it?
  • What best practices does the company already have in place?
  • Which of the company's systems are the most vulnerable?

General Counsels Need New Skills

There's no doubt that today's corporations need highly skilled attorneys because of the litigiousness of our society. Beyond that, they must have knowledge of new digital tools and be willing to use them.

The reality is that technical developments are occurring rapidly, even before laws are being created to determine what is and isn't legal. As a result, general counsels are continually being put in positions that cause them to have to make legal and ethical decisions and guide their boards and executives accordingly.

It's imperative that general counsels don't underestimate the speed at which cyber risks can occur. When fax machines were the quickest method of sharing information, all attorneys needed to do was compose a cease-and-desist letter to shut down problems like unapproved solicitations. Today, the media regularly reports cases where everyday people are capturing live incidents with their smartphones and broadcasting them widely, causing them to go viral within seconds or minutes. These types of incidents give general counsels little or no time to react and to prepare a proper response. For example, the Wells Fargo fraud incident quickly worsened as everyday people posted clips of the congressional hearings across social media outlets. This information informed the public of the details and damaged Wells Fargo's reputation even further.

The best general counsels are not only good attorneys, but they're advocates and change leaders. They hold regular tabletop exercises to simulate various crisis situations. They're vocal about maintaining ethics and integrity despite the lack of existing laws related to cybercrime and cybersecurity. They work with regulators, CISOs, IT staff and other stakeholders to inform the conversation about creating appropriate laws and regulations to best deal with the new types of digital problems that today's corporations are experiencing.

To be effective, general counsels need to study the threats that other companies are facing and make plans to counteract them expediently. Attorneys have much to learn from the past mistakes of other companies as well as from their own mistakes.

By taking a proactive stance and continually being engaged in defense of the company's reputation, general counsels place themselves in the best position to protect against reputational risk. A comprehensive crisis management plan is the best defense for detecting trouble before it hits and causes a crisis that's difficult to recover from. The public will be more inclined to forgive a company that was blindsided but prepared than one that allowed repeated breaches to occur.

Finally, general counsels should consider that data breaches are almost certain to occur. When they do, they become the true test of a general counsel's competency. Rather than having to fear a data breach or cybercrime, proper preparation with cybersecurity presents an opportunity for companies and their general counsels to shine.