“Firewalls provide protection against outside attackers by shielding your computer or network from malicious or unnecessary Internet traffic. Firewalls can be configured to block data from certain locations while allowing the relevant and necessary data through.”[1]
Cyber breaches can affect every function of an organization and, as a result, cripple it. Just as firewalls protect a network, general counsel can serve as a buffer to help protect an organization from cyber threats. The myriad roles played by today’s general counsel position them as a logical and practical choice to lead an organization’s cybersecurity management, mitigation and defense.
The analogy of general counsel as firewalls recognizes the evolving role of a company’s top lawyer in cybersecurity. A firewall is part of the perimeter defense of a network. It fails its essential function if it analyzes incoming data after entry.
Similarly, the many hats of a company’s general counsel uniquely position them as critical participants in the identification, assessment and response to cybersecurity and data protection risks. Like firewalls on a network system, GCs can protect and strengthen the organization against ubiquitous cyber risks.
Operating within today’s complex business and legal environments, few general counsel have a static role within an organization. Rather, most general counsel serve many functions, including: 1) legal advisor within the corporation to its constituents; 2) officer of the corporation and member of the senior executive team; 3) administrator of the corporation’s internal legal department; and 4) agent of the corporation in dealings with third parties, including external or outside counsel retained by the corporation.[2]
These roles, among others, position general counsel at the apex of an organization’s preparation and response to legal and business risks. A brief examination of three common areas of general counsel responsibility – enterprise risk management, legal advisor across organizational lines and top legal defender of the organization – demonstrates why general counsel are invaluable participants in the development and implementation of a proactive cybersecurity strategy.
General Counsel As Enterprise Risk Manager
Most general counsel already assess the risks facing their organization and develop response strategies for those risks. They know how to leverage experience, historical knowledge, internal and external counsel, internal relationships with management and other organization constituents to identify, quantify and strategize ways to avoid corporate risks before crises evolve.
In detailing key cyber risk management concepts, a bulletin published by the United States Department of Homeland Security (DHS) states: “Cybersecurity is NOT implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cybersecurity risk as part of an organization’s governance, risk management, and business continuity frameworks provides the strategic framework for managing cybersecurity risk throughout the enterprise.”[3]
The DHS bulletin further advises organizations that using a “risk-based approach to apply [industry] cybersecurity standards and practices allows for more comprehensive and cost effective management of cyber risks than compliance activities alone.”[4]
As an enterprise-focused risk manager, general counsel can assess the legal, business and organizational risks that are attendant with cyber dangers. Moreover, general counsel can spot those issues related to a proactive cyber risk assessment and reduce the likelihood of compromising privilege or opening the door to future litigation. General counsel also will recognize if or when external experts, such as outside counsel, may be needed as part of the strategic planning process.
General Counsel As Collaborator
Building a collaborative environment within the organization creates the ideal situation when tackling cybersecurity issues. In the event of a significant data breach, major divisions of an organization may be at risk. If such a breach occurs, key decision makers must quickly get to the table – prepared to manage and respond.
An integrated, multidisciplinary team, therefore, is necessary to deal with the issues that may arise. In most organizations, cybersecurity and data protection have long been the domain of the IT department. But the complicated nature of cybersecurity and data protection, and the high revenue, reputational and litigation costs that can result from a significant data breach, demand an inclusive team approach to cyber risks. A general counsel and internal legal staff regularly provide legal and business advice to numerous clients throughout the organization. Thus, general counsel can assist in breaking down organizational silos that could stymie effective cybersecurity and data protection strategies. GCs can help align the relevant business, security, governance, financial, regulatory, compliance and legal interests.
This collaborative approach ensures that the organization’s cybersecurity practices are tailor-made for the organization, and not just a one-size-fits-all strategy. It also ensures that key decision makers, i.e., CIO, chief security officer, IT head and compliance officer, are engaged. (For a discussion on the roles of the compliance officer and general counsel, see the accompanying article in this issue entitled, “General Counsel and Chief Compliance Officer Collaboration Critical to Mitigate Cybersecurity Risks,” written by Susan Asam.)
General Counsel As Defender
Not surprisingly, the proliferation of cyber crimes has raised the stakes on the litigation landscape. Although class actions and other litigation arising from data breach incidents are nothing new, the recent high-profile data breach cases have raised the ante, and litigation against companies has exploded. Potential claims for data breach issues range from state data breach notification laws, state unfair and deceptive trade practices laws, negligence, and breach of fiduciary duty to violations under the Fair Credit Reporting Act and Federal Trade Commission (FTC) policies. These causes of action draw upon numerous state and federal statutory, tort and contractual laws.
State attorneys general and federal agencies also have brought suits against companies following major data breaches. Central among the issues raised are notification of the breach and the “reasonableness” of pre-breach and post-breach cybersecurity and protection measures. In Wyndham v. FTC, for example, the FTC alleged that the hotel franchiser failed to provide reasonable and appropriate data security to prevent the unauthorized access of customers’ sensitive personal information.[5]
There is no argument that it makes sense for general counsel to assess litigation risks and devise strategies after a major data breach has occurred. However, long before that initial breach, the general counsel can provide a critical roadmap for the mitigation of and the defense against claims. Throughout the cyber risk and cyber defense planning process, a general counsel will be cognizant of the necessity to protect information (privilege), whether the company is meeting the industry standard of care, whether the company is acting with reasonableness, the reputation/brand risks and the risks related to third parties’ access to internal information.
Conclusion
The myriad ways in which they already serve their clients translate into a “must-have” place for general counsel at the cybersecurity and data protection table. Organizations will be better positioned to prevent or mitigate the legal and business risks attendant with cyber risks if GCs are at the strategy planning table early and often.
[1] M. McDowell and A. Householder, US-CERT, United States Computer Emergency Readiness Team, Understanding Firewalls, Security Tip (ST04-004).
[2] See generally Deborah A. DeMott, The Discrete Roles of General Counsel, 74 Fordham L. Rev. 955 (2005).
[3] Department of Homeland Security, DHS, Cybersecurity Questions for CEOs, www.dhs.gov
[4] Id.
[5] Federal Trade Commission v. Wyndham Worldwide Corporation, et al., No. 2:13-cv-01887-ES-JAD (D.N.J. Apr. 7, 2014).
Published August 22, 2014.