Cybersecurity Best Practices — How General Counsel Can Prepare For The Worst

  • Home
  • Legal
  • Cybersecurity Best Practices — How General Counsel Can Prepare For The Worst

Take note GCs: The question is not if you will have to respond to a cybersecurity incident—the question is when. That was the message from speakers and panelists at the Association of Corporate Counsel’s annual meeting this year.

Indeed, the majority of all U.S. businesses have experienced at least one cybersecurity incident in the last year, with some estimates as high as 80%. And a data breach involving so-called knowledge assets (confidential business information) costs an average of $5.4 million to resolve, up to a maximum of $270 million for the largest breaches.

The good news for GCs is that having a well-designed response plan in place can lower the risk of a breach and greatly minimize the damage if a breach occurs. Some best practices discussed at the ACC meeting, and elsewhere, are worth considering:

Best Practices

  • Cultivate close relationships with IT directors to make it more likely that GCs are contacted in the event of a breach or crisis.
  • Extend the relationships to as many IT employees as possible to overcome the personal responsibility that some employees feel when a breach occurs.
  • Evaluate and routinely measure employee security training levels.
  • Meet with as many relevant departments as possible to assess the specific risks and issues that could arise if/when a breach occurs.
  • Conduct a thorough survey of the data collected by the organization, focusing on employee, consumer, medical, and financial data, and determine if any data does not need to be stored.
  • Critically examine contracts and breach procedures of existing vendors that are privy to sensitive data or have access to internal systems.
  • Perform vendor due diligence before committing to any new contractual relationships and consider requiring vendors to fill out a questionnaire indicating their experience and policies with data breaches, training level of their employees, and general control procedures for sensitive data.
  • For vendors that have access to critical information, consider requiring the vendors to provide independent third-party security assessments or audits.
  • Create a standard data privacy and security addendum that can be attached to vendor contracts (which are usually drafted by vendors) to ensure that the organization’s data is being protected and include risk allocation provisions that apply should the vendor be subject to or lead to a breach.
  • Monitor relationships with vendors to ensure continued compliance with contract provisions, applicable laws, regulations, and industry standards. Further, ensure that once the relationship ends, the vendor destroys or returns company data as appropriate.
  • Document the plan. Create a list of policies and procedures to be followed if there is an incident, and include clearly defined roles and individuals who need to be contacted.
  • Make sure to focus on the immediate aftermath of a breach — the first 48 hours being most critical — and ensure that internal and external communications keep stakeholders apprised as the situation develops.
  • Consider working with a public relations firm to develop consistent messaging that can be efficiently communicated in a crisis.
  • Create an internal response team, including members of management, IT, legal, and public relations that can quickly decide remedial steps and appropriate communication.
  • Consider the company’s overall insurance program and whether cyber risks are covered.

Authors

Matthew J. SiegelMember, Cozen O’Connor
Ethan Price-LivingstonAssociate, Cozen O’Connor

Cozen O'Connor
http://cozen.com

Ranked among the top 100 law firms in the country, Cozen O’Connor has more than 800 attorneys in 31 cities across two continents. We are a full-service firm with nationally recognized practices in litigation, business law, and government relations, and our attorneys have experience operating in all sectors of the economy. Our diverse client list includes global Fortune 500 companies, middle-market firms poised for growth, ambitious startups, and high-profile individuals. In an industry built on talk, Cozen O’Connor has made its name by doing. We have built our firm one case, one victory at a time. Our attorneys have impeccable academic credentials and are able to combine intellectual rigor with practicality and efficiency. We provide sophisticated, business-minded advice aimed at one simple goal: getting the right result for our clients. No matter how complex, contentious, or critical the undertaking, we persevere until the job is done. What you’ve built, we can defend. What you envision, we can help construct.



Leave a Reply

Your email address will not be published. Required fields are marked *