BreachExchange mailing list archives

5 cybersecurity questions in-house counsel should consider in light of the Sony breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Feb 2015 19:05:16 -0700

http://www.insidecounsel.com/2015/02/19/5-cybersecurity-questions-in-house-counsel-should

In the wake of the much publicized North Korean cyber-attacks against Sony
— as well as recent favorable rulings for the plaintiffs in class action
lawsuits pending against Target — cybersecurity is at the forefront of
many corporate boards’ and general counsels’ agendas for the coming year.
The focus is only likely to increase in light of the legislative proposals
recently announced by President Obama and featured in his State of the
Union address. Here are five foundational questions that every in-house
counsel should understand when evaluating his or her organization’s legal
and business cybersecurity risk profile:

1. What actions has your company taken to reduce the likelihood and impact
of potential cyber intrusions?

Many companies implement controls that focus on protecting their networks
and systems against incursions by external attackers, but they have less
developed approaches to security once an attacker gets into the network.
Such an approach may not adequately safeguard the “crown jewels” of a
company’s enterprise, including valuable trade secrets, sensitive personal
information, financial information, business plans and health records.
Indeed, given the multiple potential sources for compromise, a more
comprehensive approach that develops heightened security controls around
the most sensitive data and assets is essential to reduce the risk to the
organization.

This is important not only for managing the business risks associated with
cybersecurity, but also reducing exposure to legal risks; business
partners, regulators and other finders of fact may all increasingly
consider such a defense-in-depth approach to security a necessary and
reasonable standard of care. In turn, counsel can play an important role in
working with internal IT and security experts and other critical business
functions to develop an appropriate data classification approach and ensure
that the most sensitive data and assets receive heightened protection.

2. Has your company established and tested an incident response plan?

A critical aspect of minimizing the costs of potential incidents is
preparing for them in advance. This requires the development and
maintenance of a written incident response plan as part of an overall
information security program and testing the plan through simulations,
including tabletop exercises that bring together key officers from the
multiple functions and disciplines that are relevant to breach response
(e.g., CIO/IT, security, legal, finance, HR, business units, etc.). Such a
plan ultimately will not be a precise script for when an incident occurs,
but it will help ensure that the right team and procedures have been
identified in advance.

This is important not only to help expedite a response, but also to address
regulatory risks and ensure that the company can be prepared to preserve
applicable legal privileges in the event of a breach. If a breach becomes
subject to regulatory scrutiny, the company will need to demonstrate that
it had a reasonable plan in place to address incidents and made a good
faith effort to follow that plan.

3. What resources are in place to assist incident response?

If an organization experiences a cybersecurity incident, it is often
required to draw on multiple resources and address the interests of various
constituents. For example, it frequently is necessary to engage external
forensic firms to collaborate with the in-house incident response team and
help develop the remediation plan. Efforts to stay in front of an incident
may also involve a public communications strategy and, in turn, engaging
with public relations consultants to assist with a company’s notifications
and responses to media and customer inquiries. These engagements can be
crucial to an effective incident response; equally crucial, they should be
structured in a manner that helps preserve privileges while still allowing
the experts to optimize the assistance they can provide. The most effective
incident response plans identify the potential additional resources before
an incident occurs and contemplate how such resources will be engaged upon
the occurrence of an incident, including the extent to which legal
privileges may attach to the work of the consultants.

Law enforcement and a company’s board of directors are other constituents
that may become involved in cybersecurity incidents. These constituents may
have particular interests and perspectives, which should be understood when
calibrating when and how to involve them in an incident response. In turn,
having counsel who understand the interest of law enforcement officials and
have experience in addressing and managing those interests, and who also
can present credibly to the board of directors, can be an invaluable aspect
of an effective and timely incident response.

4. Do your company’s insurance policies cover data security incidents?

Another important aspect of cyber risk management is to ensure that the
company’s insurance policies provide the strongest possible basis to
recover the potentially significant costs and liabilities associated with
cyber incidents. Too often, companies that suffer significant breaches are
scrambling to determine whether the incident may be covered by insurance
policies. The time to conduct the insurance coverage review, and to update
policies, if necessary, is now, before the crisis hits.

5. Is your company prepared for litigation arising out of a cybersecurity
incident?

Cybersecurity incidents increasingly result in class action litigation. The
plaintiffs’ bar often takes a “kitchen sink” approach to these lawsuits,
asserting various theories of liability in an attempt to see what may stick
for discovery. Among other claims, these lawsuits often allege:

1. Violations of federal securities laws (for publicly traded companies)
2. Breaches of agreements to protect personal information
3. Other breach of contract claims
4. Various state tort-law claims, including negligence and fraud or
misrepresentation claims
5. State-law claims based on the failure to provide reasonable security for
personal information
6. State-law claims based on the failure to provide timely notice of a data
breach
7. State-law claims based on “deceptive” or “unfair” trade practices.

To help address the risks associated with such lawsuits, it is prudent for
internal counsel to understand the nature of these claims and to identify
potential resources to assist in defending against such claims in the event
of an incident. To this end, the counsel to a company — both internal and
external — should be fully apprised of its data handling and privacy
practices, as well as its infrastructure and potential risks, before any
incident, so that if it ever becomes necessary to defend against a lawsuit,
counsel guiding the company already are well-informed on key factual
aspects of the matter.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
