By Barbara W. Reece | LexisNexis Practical Guidance
Enterprise data security threats have kept in-house counsel on their toes for years, yet general counsel (GCs) report no greater confidence in their organizations' preparedness.
In a 2021 survey of general counsel reported by Law360 Pulse, the level of preparedness to handle cyberattacks declined for the third consecutive year, and nearly half of GCs identified data protection and security as an expanding area of risk to their organizations.
These findings are consistent with what counterparts in the corporate tech profession have previously expressed. One survey by IDG Research Services found that roughly 78% of senior IT and IT security leaders believe their organizations lack sufficient protection against cyberattacks.
Data security risks are ubiquitous. Nearly 9 in 10 organizations have already experienced an attempted exploit of a known vulnerability, according to a recent Check Point Research Security Report, and new threats against major companies are reported daily.
While other executives in the company are tasked with mitigating risks of breaches, in-house counsel are in a unique position to oversee the mitigation of legal and compliance risks associated with data security intrusions.
“The role of internal counsel is to use internal and external resources to become knowledgeable conductors of the data security symphony their company must play for regulators, customers, vendors and competitors,” writes Holly K. Towle of K&L Gates LLP. “A conductor who can glean — directly or indirectly through section chairs — the business, data flows and laws governing each of the sections making up the company’s orchestra has the best chance of creating the most compliant data security symphony.”
To help in-house counsel be the best conductors they can be, here are 10 steps that GCs can take to minimize data security risks, drawn from an article by LexisNexis contributors Matthew D. Dunn and Melissa J. Erwin, of Carter Ledyard & Milburn LLP:
1. Know the law
Understand the laws, regulations, and guidance that apply to the organization's data protection and cybersecurity obligations, consulting legal specialists where needed. Executives and board members should also have general knowledge of these matters and access to experts within or outside the organization.
2. Conduct risk assessments
Conduct organizational risk assessments and update them periodically. Identify and address the company's specific cyber and data protection risks to avoid the consequences and costs of a data breach. GCs should know what types of data the organization holds, where it resides, and how it is protected.
3. Ensure policies are followed
Make sure the organization has robust cybersecurity, data protection, and privacy policies tailored to its specific risk profile, and that those policies are actually implemented and followed. Officers and directors should be familiar with them. In-house counsel should educate board members on the cybersecurity policies and guidelines that demonstrate reasonable information security procedures and implementation of data protection standards.
4. Build compliance culture
Build compliance into the governance structure. Consider whether the corporate board should have a committee that oversees cybersecurity and data protection issues. Consider appointing a chief information security officer, if you do not have one already. Ensure that the organization has personnel charged with implementing and enforcing cybersecurity policies and procedures.
5. Regular infrastructure audits
Review the technology infrastructure for data security and information management and ensure that it is current and updated regularly (patching, anti-virus and anti-malware software, encryption, etc.). Obtain a report from the chief information officer or IT director. Consider making cybersecurity updates a standing agenda item at executive team meetings.
6. Do live-action exercises
Ensure that the organization has an adequate cyber incident response plan, and that it is kept up to date and practiced. Organizations should conduct cyber breach exercises (tabletop and live simulations) and penetration tests, and feed the findings back into the plan.
7. Review disclosures
For public companies, ensure that there are effective disclosure controls and procedures that enable the organization to make accurate and timely disclosures relating to cybersecurity. Ensure that public filings adequately address cybersecurity risks, policies, oversight, and incidents.
8. Assess employee training
Ensure that there is employee training and education on cyber and data protection policies and the identification of red flags.
9. Perform third-party due diligence
Conduct risk assessments of third-party vendors. Ensure that vendors with access to the organization's data have adequate cybersecurity and privacy policies and controls to protect that data.
10. Evaluate all insurance coverages
Review and assess insurance coverage for data breaches and cyber-related incidents and consider separate cybersecurity insurance. Review and assess whether directors’ and officers’ insurance covers cybersecurity-related liability.
The complex legal and regulatory landscape that governs corporate data security risks calls for a disciplined approach to compliance and legal risk management, and the GC is the corporate executive best suited to lead it. For more information on how to minimize data security risks, LexisNexis offers a free Data Breach Avoidance and Response Plan Checklist for download.
Additional cybersecurity risk management resources, including practice notes, templates, and checklists, are available to LexisNexis subscribers.