By: Chad Perlov
Businesses around the world are fighting a common battle against an exponentially growing wave of cybersecurity threats. In fact, 87% of organizations have already experienced an attempted exploit of an existing vulnerability, according to a recent Check Point Research security report. This battle only intensified in 2020, with Law360® Pulse reporting that 41% of business owners experienced an increase in cyberattacks since the start of the COVID-19 pandemic.
Despite this increase, an IDG Research Services survey found that nearly 78% of senior IT and IT security leaders believe their organizations lack sufficient protection against cyberattacks, even after the increased investments made in 2020 to deal with distributed IT and work-from-home challenges.
Given the increase in cybersecurity threats and the profound financial, legal and reputational harm a company may suffer due to a data breach, it is critical for in-house counsel to prioritize cybersecurity risk management as one of the first areas to address when building out a legal department. Below is a non-exhaustive list of key steps attorneys should consider when developing a cybersecurity risk management strategy.
The first step companies typically take to minimize risk is developing a company-wide program for protecting the security and privacy of information received or generated by the corporation and/or stored in company systems.
An attorney’s role in creating and advising on a cybersecurity program is far more involved than merely drafting policies and procedures for maintaining and securing the corporation’s confidential materials and non-public personal information. You should be prepared to advise on a wide range of technical, administrative and regulatory matters including:
Resources such as a cybersecurity resilience implementation plan offer a good starting point for understanding the underlying issues companies must address in order to implement an effective, yet practical, cybersecurity program.
Companies are increasingly relying on cybersecurity insurance as a critical tool for mitigating the financial risk associated with the failure of any administrative, technical or physical cybersecurity control measures. According to the Law360® service, the corporate specialty division of German insurer Allianz recently reported a 950% increase in cyber-insurance claims from 2016 to 2019, and even greater acceleration last year with the shift to remote working, with the average cost to a business of a cyberattack last year soaring to $13 million.
Before purchasing cybersecurity insurance, you should carefully assess the type and scope of coverage needed to address your company’s risk profile by, for example:
Ransomware attacks have become a prevalent cybersecurity threat that poses significant legal and financial risks to organizations. On average, a new organization becomes a victim of ransomware every 10 seconds worldwide, according to an InfoSecurity® Magazine analysis. Without a thoughtful ransomware prevention and response plan, a company risks being doubly harmed by the attack itself and then by the litigation and regulatory consequences that may follow.
Common examples of how corporate legal departments can play an active role in establishing and managing a ransomware framework include:
A 2021 report in SecurityBrief found that more than 8 in 10 businesses are worried that their existing security tools don’t work at all—or have only limited functions—in the cloud, which explains why cloud security is a major concern at 75% of enterprises. Many companies have responded to these concerns by seeking to offload much of the risk and responsibility for cloud computing by outsourcing to third-party cloud vendors.
However, corporate legal professionals should be mindful of key data protection issues that companies typically address in their cloud computing contracts including, for example:
A complex web of laws such as HIPAA, the Patriot Act and the General Data Protection Regulation (GDPR) has forced in-house counsel to prioritize cybersecurity compliance—and now a new generation of compliance requirements imposed by various states is coming online.
The most daunting of these is the California Privacy Rights Act (CPRA), which was the subject of a recent LexisNexis® webinar for in-house counsel. These increased regulatory requirements are especially burdensome for direct-to-consumer businesses. “Protecting our customers’ data is a top priority for us,” said Jill Savage, general counsel at subscription box company Misfits Market, in an interview with Law360. “But complying with the growing patchwork of state laws really does present a continued challenge for GCs of consumer-facing companies.”
Additional cybersecurity risk management resources, including practice notes, templates and checklists, are available to LexisNexis subscribers. To access these resources, start a Lexis+ free trial today.