Managing cybersecurity risk has become a necessity for boards and C-suite executives, paving a critical role for chief compliance officers in this area. Organizations are also facing increased legal cyber obligations, requiring general counsel to be actively engaged in cybersecurity planning and response activities. What is often overlooked is how a general counsel and chief compliance officer (“CCO”) can streamline their roles to best reduce cyber risks at an organization.
A key aspect of cybersecurity risk mitigation deals with knowing what an organization’s compliance obligations are in order to reasonably protect data and respond as swiftly as possible to a cybersecurity and/or data breach event, whether at the organization or third-party vendor. Cybersecurity events occur at a faster-than-normal pace, thus, efficiency is critical. Even more critical is preparing and responding in such a way that minimizes overlap between organizational roles – not only roles on the technology team, but also roles of those responsible for protecting the organization from legal vulnerabilities: the general counsel and the CCO.
GCs and CCOs are both responsible for making sure that an organization fulfills its compliance obligations. Typically, we think of a CCO as focusing on business-side compliance functions and a GC focusing on legal compliance functions. In large part, however, the mission of both roles is the same – to mitigate overall risk. From a legal standpoint, reasonableness is key when it comes to measuring an organization’s cybersecurity duty of care. GCs and CCOs should be sure to collaborate early during planning and preparedness activities about how the organization’s cybersecurity and data privacy policies and practices, and associated compliance measures, are guided by a standard of reasonableness. In addition, facts demonstrating reasonableness are gathered during a post-breach investigation and are best dealt with under the cloak of attorney-client privilege. To assert privilege over these facts, GCs should lead all activities relating to post-breach investigations and subsequent litigation, also leveraging outside counsel for specialized advice on how to navigate through both. It follows that CCOs are best positioned to lead compliance preparedness and audit activities that occur outside of an actual breach event. A GC and CCO should work together to draft a comprehensive cybersecurity compliance preparedness and response plan to ensure that all responsibilities are defined and that compliance obligations are proactively addressed.
Here is a breakdown of how GC and CCO roles can be divided:
- GC and CCO should jointly draft a cybersecurity compliance preparedness and response plan
- GC and CCO should collaborate during the planning and preparedness phases to ensure that cybersecurity and data privacy practices are guided by a standard of reasonableness
- CCO should be point of contact for cybersecurity compliance outside of breach event
- CCO should be point of contact for cybersecurity auditing outside of breach event
- GC should be post-breach point of contact for breach notification compliance obligations
- GC should be post-breach point of contact for investigations
- GC should be post-breach point of contact for litigation activities
Published August 22, 2014.
