BreachExchange mailing list archives

GCs Play Growing Role in Managing 'Super Risk' Issue of Cybersecurity
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Feb 2015 19:07:01 -0700

http://www.thelegalintelligencer.com/id=1202716818302/GCs-Play-Growing-Role-in-Managing-Super-Risk-Issue-of-Cybersecurity?slreturn=20150102210539

As general counsel combat the constant threat of data breaches, their
companies' information security officers are the most likely colleagues on
speed dial. But with breaches viewed as almost inevitable, law firms also
play a critical role in helping general counsel navigate a patchwork of
state laws and how to handle fallout when information is compromised.

"You can almost assume you will get attacked and infiltrated. Everybody
does," said a utility company general counsel who wanted to remain
anonymous. "The question is how do you recover from that."

This general counsel wasn't alone in not wanting to be named or, in some
cases, even talk about cybersecurity issues out of fear hackers would want
to test the company's proclaimed security measures.

While cybersecurity issues began years ago as one of many risks a board of
directors had to manage, the issues faced by companies like Sony and Target
have turned cybersecurity into a "super risk," the general counsel said.

"It's now treated at a governance level with the board of directors not
just as another risk, but an issue unto itself," the GC said.

Lincoln Financial Group General Counsel Adam G. Ciongoli said challenges
often come in trends and the focus on certain issues typically wanes over
time. But he said cybersecurity was an issue that wasn't going anywhere
anytime soon. While generally not a defeatist, Ciongoli said he views the
issue as "a constant game of cat and mouse." While enforcement is
important, as long as there is a way to make money out of this, hackers
will find a way around the changing technology, he said.

"It's virtual. You're stealing zeros and ones out of the air," Ciongoli
said, noting the difficulty in combating global cyberattacks.

Ciongoli said one would be hard-pressed to find a general counsel who
hasn't worked at a company where a breach occurred or knew a general
counsel who did.

That theory was given some credence by an Association of Corporate Counsel
survey released last week that found, of the 1,289 chief legal officers
surveyed, 27 percent work at organizations that experienced a data breach.
And the odds of a breach go up depending on a company's revenue and
industry.

The likelihood of a breach increased to more than 50 percent among
companies with more than $4 billion in revenue, according to the survey.
And while chief legal officers from the telecommunications, transportation,
professional services and educational services industries all reported
their companies had experienced data breaches at higher than average rates,
health care led all industries in data breach prevalence. According to the
survey, 49 percent of health care industry CLOs said their companies
experienced breaches since 2012.

"Thwarting and responding to breaches of corporate data is increasingly a
reality for today's GCs and CLOs," said Veta T. Richardson, ACC president
and CEO. "As attempted data breaches become more sophisticated, the CLO
will play a growing role in cybersecurity strategy, risk assessment and
prevention."

Ciongoli said he has a very close relationship with his company's head of
information security, given that the work the two do implicates each
other's departments.

"The responsibility for making sure that we are as impenetrable as possible
lies with technical experts, not legal or compliance people," Ciongoli
said. "The responsibility for making sure that we have policies and
procedures to address how people have to treat information or what to do if
they don't treat it properly or if we have a breach is a compliance issue
and in some instances a legal issue."

The utility company GC said the role of information security in
corporations is undergoing a similar review that compliance functions went
through over the past few years. As companies grappled with whether
compliance should be separate from a company's legal function for
independence reasons, the GC said companies are similarly debating whether
the head of information security should be in a company's IT department or
on its own. At this utility, the chief information security officer is
housed in a separate department, reports directly to the company's audit
committee and has its own budget apart from the IT budget.

Moji James joined Iroko Pharmaceuticals as its general counsel in 2012,
when the "mature startup" was five years old. It didn't have any privacy
policies in place and hired outside counsel and a technology vendor to help
create one.

James said the pharmaceutical industry is a "laggard" when it comes to
cybersecurity issues because it doesn't have the customer data that a
financial institution or retail chain may have. But there are significant
concerns, she said, about protecting intellectual property and creating
policies to ensure trade secrets, which aren't patented, can be legally
protected.

James said she also works closely with the company's in-house IT staff as
well as the outside vendor.

Because Iroko is a smaller company with limited resources, it has to focus
its risk management efforts but also rely on outside assistance in managing
cybersecurity risks. For James, a law firm with insights from across
industries as well as a global reach was critical given cybersecurity risks
often emanate from beyond U.S. borders.

Ronald Prague, GC of software and cloud-storage company Synchronoss
Technologies Inc., of Bridgewater, N.J., said he has to ensure the
information his company keeps is compliant not only with U.S. rules, but
with rules in foreign jurisdictions where the company does business.

Typically, Synchronoss' two-member legal department will perform a cursory
review. Some firms have "off-the-shelf memos" on privacy and data-security
laws, "but that's definitely not enough," Prague said.

"Law firms are very willing to have you on their listserv," he added. "They
want the business, [so] they make sure they keep everybody abreast."

Sometimes only a consult with outside counsel is necessary. "These people
are experts, so you pay a large amount per hour," but the expense is
reasonable if the engagements are limited, Prague said.

And "in jurisdictions where we do business, we have local counsel," he
added.

One in-house attorney at a New Jersey-based company—who spoke on the
condition of anonymity—said, "It would be cost-prohibitive to hire counsel
in every single place. ... We only turn to outside counsel when we
absolutely don't have the expertise and there's real risk involved."

Herbert Moore Jr. is senior counsel at ff Venture Capital (ffVC), a fund
that invests in technology startups. He said his company uses Proskauer
Rose and McCarter & English as outside counsel for tasks such as document
drafting and compliance, as well as vetting investment companies and the
investors themselves who bankroll the funds because ffVC is concerned not
only with its own data security, but with that of the companies in which it
invests.

"The firms are starting to see this ... potentially as a niche area but for
the most part the cybersecurity is driven from an IT perspective and not a
legal perspective," the utility company GC said. "There is some level of
resources out there, [but] I don't think they are in law firms."

However, in order to move quickly if a breach occurs, outside counsel
should be on retainer and in a position to handle hiring of remediation
consultants, so there's a work-product privilege blanketing the breach
response, the GC said.

And while that GC doesn't view law firms as the best resource on the topic,
the GC advises law students and young lawyers to focus on cybersecurity and
compliance issues because it is still a relatively new practice, having
developed in firms in only the last five years or so.

There are certainly a number of law firms that advertise data privacy
practices.

Ciongoli said there is value in going to outside law firms that have a
better sense of best practices and what is happening across the 50 states,
each with their own data privacy laws. While some companies can afford to
have a data privacy law expert in-house, most cannot, Ciongoli said.

"I think this is an area where the market is being really efficient,"
Ciongoli said, adding later, "At some point [the cybersecurity market will]
probably get a little over-saturated and it will scale back, but this is a
fertile area."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/