BreachExchange mailing list archives

GCs As Firewalls: Three Familiar Roles That Place General Counsel Squarely At The Cybersecurity Table


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 22 Aug 2014 14:40:45 -0600

http://www.metrocorpcounsel.com/articles/29812/gcs-firewalls-three-familiar-roles-place-general-counsel-squarely-cybersecurity-table

Cyber breaches can affect every function of an organization and, as a
result, cripple it. Just as firewalls protect a network, general counsel
can serve as a buffer to help protect an organization from cyber threats.
The myriad roles played by today’s general counsel make them a logical and
practical choice to help lead an organization’s cybersecurity management,
mitigation and defense.

The analogy of general counsel as firewalls recognizes the evolving role of
a company’s top lawyer in cybersecurity. A firewall is part of the
perimeter defense of a network. It fails its essential function if it
analyzes incoming data after entry.

Similarly, the many hats of a company’s general counsel uniquely position
them as critical participants in the identification, assessment and
response to cybersecurity and data protection risks. Like firewalls on a
network system, GCs can protect and strengthen the organization against
ubiquitous cyber risks.

Operating within today’s complex business and legal environments, few
general counsel have a static role within an organization. Rather, most
general counsel serve many functions, including: 1) legal advisor within
the corporation to its constituents; 2) officer of the corporation and
member of the senior executive team; 3) administrator of the corporation’s
internal legal department; and 4) agent of the corporation in dealings with
third parties, including external or outside counsel retained by the
corporation.[2]

These roles, among others, position general counsel at the apex of an
organization’s preparation and response to legal and business risks. A
brief examination of three common areas of general counsel responsibility
– enterprise risk management, legal advisor across organizational lines and
top legal defender of the organization – demonstrates why general counsel
are invaluable participants in the development and implementation of a
proactive cybersecurity strategy.

*General Counsel As Enterprise Risk Manager*

Most general counsel already assess the risks facing their organization and
develop response strategies for those risks. They know how to leverage
experience, historical knowledge, internal and external counsel, internal
relationships with management and other organization constituents to
identify, quantify and strategize ways to avoid corporate risks before
crises evolve.

In detailing key cyber risk management concepts, a bulletin published by
the United States Department of Homeland Security (DHS) states: “Cybersecurity
is NOT implementing a checklist of requirements; rather it is managing
cyber risks to an acceptable level. Managing cybersecurity risk as part of
an organization’s governance, risk management, and business continuity
frameworks provides the strategic framework for managing cybersecurity risk
throughout the enterprise.”[3]

The DHS bulletin further advises organizations that using a “risk-based
approach to apply [industry] cybersecurity standards and practices allows
for more comprehensive and cost effective management of cyber risks than
compliance activities alone.”[4]

As an enterprise-focused risk manager, general counsel can assess the
legal, business and organizational risks that are attendant with cyber
dangers. Moreover, general counsel can spot those issues related to a
proactive cyber risk assessment and reduce the likelihood of compromising
privilege or opening the door to future litigation. General counsel also
will recognize if or when external experts, such as outside counsel, may be
needed as part of the strategic planning process.

*General Counsel As Collaborator*

Building a collaborative environment within the organization creates the
ideal situation when tackling cybersecurity issues. In the event of a
significant data breach, major divisions of an organization may be at risk.
If such a breach occurs, key decision makers must quickly get to the table
– prepared to manage and respond.

An integrated, multidisciplinary team, therefore, is necessary to deal with
the issues that may arise. In most organizations, cybersecurity and data
protection have long been the domain of the IT department. But, the
complicated nature of cybersecurity and data protection, and the high
revenue, reputational and litigation costs that can result from a
significant data breach, demands an inclusive team approach to cyber risks.
A general counsel and internal legal staff regularly provide legal and
business advice to numerous clients throughout the organization. Thus,
general counsel can assist in breaking down organizational silos that could
stymie effective cybersecurity and data protection strategies. GCs can help
align the relevant business, security, governance, financial, regulatory,
compliance and legal interests.

This collaborative approach ensures that the organization’s cybersecurity
practices are tailor-made for the organization, and not just a
one-size-fits-all strategy. It also ensures that key decision makers, i.e.,
CIO, chief security officer, IT head and compliance officer, are engaged. (For
a discussion on the roles of the compliance officer and general counsel,
see the accompanying article in this issue entitled, “General Counsel and
Chief Compliance Officer Collaboration Critical to Mitigate Cybersecurity
Risks,” written by Susan Asam.)

*General Counsel As Defender*

Not surprisingly, the proliferation of cyber crimes has raised the stakes
on the litigation landscape. Although class actions and other litigation
arising from data breach incidents are nothing new, the recent high-profile
data breach cases have raised the ante, and litigation against companies
has exploded. Potential claims arising from a data breach range from claims
under state data breach notification laws, state unfair and deceptive trade
practices laws, negligence and breach of fiduciary duty to violations of the
Fair Credit Reporting Act and the Federal Trade Commission Act. These causes
of action draw upon numerous state and federal statutory, tort and
contractual laws.

State attorneys general and federal agencies also have brought suits
against companies following major data breaches. Central among the issues
raised are notification of the breach and the “reasonableness” of
pre-breach and post-breach cybersecurity and protection measures. In *FTC
v. Wyndham*, for example, the FTC alleged that the hotel franchisor failed to
provide reasonable and appropriate data security to prevent the
unauthorized access of customers’ sensitive personal information.[5]

There is no argument that it makes sense for general counsel to assess
litigation risks and devise strategies after a major data breach has
occurred. However, long before that initial breach, the general counsel can
provide a critical roadmap for the mitigation of and the defense against
claims. Throughout the cyber risk and cyber defense planning process, a
general counsel will be cognizant of the necessity to protect information
(privilege), whether the company is meeting the industry standard of care,
whether the company is acting with reasonableness, the reputation/brand
risks and the risks related to third parties’ access to internal information.

*Conclusion*

The myriad ways in which they already serve their clients translate into a
“must-have” place for general counsel at the cybersecurity and data
protection table. Organizations will be better positioned to prevent or
mitigate the legal and business risks attendant on cyber risks if GCs are
at the strategy planning table early and often.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/