BreachExchange mailing list archives
5 cybersecurity questions in-house counsel should consider in light of the Sony breach
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Feb 2015 19:05:16 -0700
http://www.insidecounsel.com/2015/02/19/5-cybersecurity-questions-in-house-counsel-should

In the wake of the much publicized North Korean cyber-attacks against Sony — as well as recent favorable rulings for the plaintiffs in class action lawsuits pending against Target — cybersecurity is at the forefront of many corporate boards’ and general counsels’ agendas for the coming year. The focus is only likely to increase in light of the legislative proposals recently announced by President Obama and featured in his State of the Union address. Here are five foundational questions that every in-house counsel should understand when evaluating his or her organization’s legal and business cybersecurity risk profile:

1. What actions has your company taken to reduce the likelihood and impact of potential cyber intrusions?

Many companies implement controls that focus on protecting their networks and systems against incursions by external attackers, but they have less developed approaches to security once an attacker gets into the network. Such an approach may not adequately safeguard the “crown jewels” of a company’s enterprise, including valuable trade secrets, sensitive personal information, financial information, business plans and health records. Indeed, given the multiple potential sources for compromise, a more comprehensive approach that develops heightened security controls around the most sensitive data and assets is essential to reduce the risk to the organization. This is important not only for managing the business risks associated with cybersecurity, but also for reducing exposure to legal risks; business partners, regulators and other finders of fact may all increasingly consider such a defense-in-depth approach to security a necessary and reasonable standard of care.

In turn, counsel can play an important role in working with internal IT and security experts and other critical business functions to develop an appropriate data classification approach and ensure that the most sensitive data and assets receive heightened protection.

2. Has your company established and tested an incident response plan?

A critical aspect of minimizing the costs of potential incidents is preparing for them in advance. This requires the development and maintenance of a written incident response plan as part of an overall information security program, and testing the plan through simulations, including table top exercises that bring together key officers from the multiple functions and disciplines that are relevant to breach response (e.g., CIO/IT, security, legal, finance, HR, business units, etc.). Such a plan ultimately will not be a precise script for when an incident occurs, but it will help ensure that the right team and procedures have been identified in advance. This is important not only to help expedite a response, but also to address regulatory risks and ensure that the company can be prepared to preserve applicable legal privileges in the event of a breach. If a breach becomes subject to regulatory scrutiny, the company will need to demonstrate that it had a reasonable plan in place to address incidents and made a good faith effort to follow that plan.

3. What resources are in place to assist incident response?

If an organization experiences a cybersecurity incident, it is often required to draw on multiple resources and address the interests of various constituents. For example, it frequently is necessary to engage external forensic firms to collaborate with the in-house incident response team and help develop the remediation plan.

Efforts to stay in front of an incident may also involve a public communications strategy and, in turn, engaging with public relations consultants to assist with a company’s notifications and responses to media and customer inquiries. These engagements can be crucial to an effective incident response; equally crucial, they should be structured in a manner that helps preserve privileges while still allowing the experts to optimize the assistance they can provide. The most effective incident response plans identify the potential additional resources before an incident occurs and contemplate how such resources will be engaged upon the occurrence of an incident, including the extent to which legal privileges may attach to the work of the consultants.

Law enforcement and a company’s board of directors are other constituents that may become involved in cybersecurity incidents. These constituents may have particular interests and perspectives, which should be understood when calibrating when and how to involve them in an incident response. In turn, having counsel who understand the interests of law enforcement officials and have experience in addressing and managing those interests, and who also can present credibly to the board of directors, can be an invaluable aspect of an effective and timely incident response.

4. Do your company’s insurance policies cover data security incidents?

Another important aspect of cyber risk management is to ensure that the company’s insurance policies provide the strongest possible basis to recover the potentially significant costs and liabilities associated with cyber incidents. Too often, companies that suffer significant breaches are scrambling to determine whether the incident may be covered by insurance policies. The time to conduct the insurance coverage review, and to update policies if necessary, is now, before the crisis hits.

5. Is your company prepared for litigation arising out of a cybersecurity incident?

Cybersecurity incidents increasingly result in class action litigation. The plaintiffs’ bar often takes a “kitchen sink” approach to these lawsuits, asserting various theories of liability in an attempt to see what may stick for discovery. Among other claims, these lawsuits often allege:

1. Violations of federal securities laws (for publicly traded companies)
2. Breaches of agreements to protect personal information
3. Other breach of contract claims
4. Various state tort-law claims, including negligence and fraud or misrepresentation claims
5. State-law claims based on the failure to provide reasonable security for personal information
6. State-law claims based on the failure to provide timely notice of a data breach
7. State-law claims based on “deceptive” or “unfair” trade practices

To help address the risks associated with such lawsuits, it is prudent for internal counsel to understand the nature of these claims and to identify potential resources to assist in defending against such claims in the event of an incident. To this end, the counsel to a company — both internal and external — should be fully apprised of its data handling and privacy practices, as well as its infrastructure and potential risks, before any incident, so that if it ever becomes necessary to defend against a lawsuit, the counsel guiding the company are already well informed on the key factual aspects of the matter.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
Current thread:
- 5 cybersecurity questions in-house counsel should consider in light of the Sony breach Audrey McNeil (Feb 26)