BreachExchange mailing list archives
GCs Play Growing Role in Managing 'Super Risk' Issue of Cybersecurity
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Feb 2015 19:07:01 -0700
http://www.thelegalintelligencer.com/id=1202716818302/GCs-Play-Growing-Role-in-Managing-Super-Risk-Issue-of-Cybersecurity?slreturn=20150102210539

As general counsel combat the constant threat of data breaches, their companies' information security officers are the most likely colleagues on speed dial. But with breaches viewed as almost inevitable, law firms also play a critical role in helping general counsel navigate a patchwork of state laws and how to handle fallout when information is compromised.

"You can almost assume you will get attacked and infiltrated. Everybody does," said a utility company general counsel who wanted to remain anonymous. "The question is how do you recover from that."

This general counsel wasn't alone in not wanting to be named or, in some cases, even talk about cybersecurity issues out of fear hackers would want to test the company's proclaimed security measures.

While cybersecurity issues began years ago as one of many risks a board of directors had to manage, the issues faced by companies like Sony and Target have turned cybersecurity into a "super risk," the general counsel said.

"It's now treated at a governance level with the board of directors not just as another risk, but an issue unto itself," the GC said.

Lincoln Financial Group General Counsel Adam G. Ciongoli said challenges often come in trends and the focus on certain issues typically wanes over time. But he said cybersecurity was an issue that wasn't going anywhere anytime soon. While generally not a defeatist, Ciongoli said he views the issue as "a constant game of cat and mouse." While enforcement is important, as long as there is a way to make money out of this, hackers will find a way around the changing technology, he said.

"It's virtual. You're stealing zeros and ones out of the air," Ciongoli said, noting the difficulty in combating global cyberattacks.

Ciongoli said one would be hard-pressed to find a general counsel who hasn't worked at a company where a breach occurred or knew a general counsel who did.

That theory was given some credence by an Association of Corporate Counsel survey released last week that found, of the 1,289 chief legal officers surveyed, 27 percent work at organizations that experienced a data breach. And the odds of a breach go up depending on a company's revenue and industry.

The likelihood of a breach increased to more than 50 percent among companies with more than $4 billion in revenue, according to the survey. And while chief legal officers from the telecommunications, transportation, professional services and educational services industries all reported their companies had experienced data breaches at higher than average rates, health care led all industries in data breach prevalence. According to the survey, 49 percent of health care industry CLOs said their companies experienced breaches since 2012.

"Thwarting and responding to breaches of corporate data is increasingly a reality for today's GCs and CLOs," said Veta T. Richardson, ACC president and CEO. "As attempted data breaches become more sophisticated, the CLO will play a growing role in cybersecurity strategy, risk assessment and prevention."

Ciongoli said he has a very close relationship with his company's head of information security given the work the two do implicate each other's departments.

"The responsibility for making sure that we are as impenetrable as possible lies with technical experts, not legal or compliance people," Ciongoli said. "The responsibility for making sure that we have policies and procedures to address how people have to treat information or what to do if they don't treat it properly or if we have a breach is a compliance issue and in some instances a legal issue."

The utility company GC said the role of information security in corporations is undergoing a similar review that compliance functions went through over the past few years. As companies grappled with whether compliance should be separate from a company's legal function for independence reasons, the GC said companies are similarly debating whether the head of information security should be in a company's IT department or on its own.

At this utility, the chief information security officer is housed in a separate department, reports directly to the company's audit committee and has its own budget apart from the IT budget.

Moji James joined Iroko Pharmaceuticals as its general counsel in 2012, when the "mature startup" was five years old. It didn't have any privacy policies in place and hired outside counsel and a technology vendor to help create one.

James said the pharmaceutical industry is a "laggard" when it comes to cybersecurity issues because it doesn't have the customer data that a financial institution or retail chain may have. But there are significant concerns, she said, about protecting intellectual property and creating policies to ensure trade secrets, which aren't patented, can be legally protected.

James said she also works closely with the company's in-house IT staff as well as the outside vendor. Because Iroko is a smaller company with limited resources, it has to focus its risk management efforts but also rely on outside assistance in managing cybersecurity risks. For James, a law firm with insights from across industries as well as a global reach was critical given cybersecurity risks often emanate from beyond U.S. borders.

Ronald Prague, GC of software and cloud-storage company Synchronoss Technologies Inc., of Bridgewater, N.J., said he has to ensure the information his company keeps is compliant not only with U.S. rules, but with rules in foreign jurisdictions where the company does business.

Typically, Synchronoss' two-member legal department will perform a cursory review. Some firms have "off-the-shelf memos" on privacy and data-security laws, "but that's definitely not enough," Prague said.

"Law firms are very willing to have you on their listserv," he added. "They want the business, [so] they make sure they keep everybody abreast."

Sometimes only a consult with outside counsel is necessary. "These people are experts, so you pay a large amount per hour," but the expense is reasonable if the engagements are limited, Prague said. And "in jurisdictions where we do business, we have local counsel," he added.

One in-house attorney at a New Jersey-based company—who spoke on the condition of anonymity—said, "It would be cost-prohibitive to hire counsel in every single place. ... We only turn to outside counsel when we absolutely don't have the expertise and there's real risk involved."

Herbert Moore Jr. is senior counsel at ff Venture Capital (ffVC), a fund that invests in technology startups. He said his company uses Proskauer Rose and McCarter & English as outside counsel for tasks such as document drafting and compliance, as well as vetting investment companies and the investors themselves who bankroll the funds because ffVC is concerned not only with its own data security, but with that of the companies in which it invests.

"The firms are starting to see this ... potentially as a niche area but for the most part the cybersecurity is driven from an IT perspective and not a legal perspective," the utility company GC said. "There is some level of resources out there, [but] I don't think they are in law firms."

However, in order to move quickly if a breach occurs, outside counsel should be on retainer and in a position to handle hiring of remediation consultants, so there's a work-product privilege blanketing the breach response, the GC said.

And while that GC doesn't view law firms as the best resource on the topic, the GC advises law students and young lawyers to focus on cybersecurity and compliance issues because it is still a relatively new practice, having developed in firms in only the last five years or so.

There are certainly a number of law firms that advertise data privacy practices. Ciongoli said there is value in going to outside law firms that have a better sense of best practices and what is happening across the 50 states, each with their own data privacy laws. While some companies can afford to have a data privacy law expert in-house, most cannot, Ciongoli said.

"I think this is an area where the market is being really efficient," Ciongoli said, adding later, "At some point [the cybersecurity market will] probably get a little over-saturated and it will scale back, but this is a fertile area."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!