Data Breach Liability

Given the by-now repetitive nature of the cybersecurity storyline, it's fair to ask: Why are large breaches so commonplace? And why do we keep failing in the same ways?

The primary attack vectors haven't really changed, but companies keep succumbing anyway: phishing attacks, failures to lock down sensitive data, and undetected vulnerabilities inside the organization continue to be common themes. While the media tends to focus on the more spectacular external threats from state-sponsored hackers, studies have consistently shown that two-thirds of data breaches originate within the organization. This includes seemingly mundane incidents like lost equipment, insider errors, basic technology failures and ' here's a big one ' failure to properly oversee third-party vendors.

It's not that perimeter defense is no longer important, but time and again enterprises have failed to understand that cybersecurity requires a lot more than the trying to keep hackers out. After all, hackers stand to reap huge financial rewards every time they gain access to private data, so they have strong incentives to get better ' and they very likely will. In fact, there is consensus among cybersecurity experts that most organizations will suffer a breach at some point. It's only a matter of when.

Nonetheless, many companies continue to misallocate security resources, focusing almost exclusively on perimeter protection and neglecting internal controls and monitoring that can happen before breach occurs.

There are plenty of security technology vendors that encourage protection, and in an atmosphere of fear and uncertainty, it's easy for people in the organization to get behind a massive effort to build up perimeter defenses. That may explain why enterprises spend mightily to prevent and detect known threats, even as it becomes increasingly obvious that increased spending has done little to slow the frequency of reported breaches, nor has it diminished their severity. On the other hand, activities like identifying and mitigating internal vulnerabilities, recognizing anomalous user behavior, developing a detailed incident response plan, providing ongoing training to employees and implementing programs that regularly monitor the technology and the processes you have created to deal with threats are much harder to carry out, in part because they require a concerted, collaborative effort by stakeholders across the organization.

The New Partnership Between Legal and IT

Fortunately, things are beginning to change. Departmental silos are gradually breaking down, and leadership is emphasizing increased cooperation and communication. In fact, a new paradigm is emerging in which legal and IT are forging an active and ongoing partnership in the effort to mitigate cyber risk. This has been driven in part by boards and the C-suite, who now look at cybersecurity as a strategic business concern, not just a technical problem. That shift in perspective alone signals a new level of maturity in many companies.

The relationship between legal and IT is now much more collaborative, the meetings between them are more frequent, and much of the focus is on proactive planning. A key topic, naturally, is information security. The two departments are now likely to meet regularly to evaluate risks related to subjects like data collection, storage and management. Vendor management, an area where many organizations have dropped the ball in the past, is also becoming an increasingly important part of the conversation.

The goal of these discussions is to strike the right balance between meeting overall business objectives on one hand and mitigating risk on the other. With regard to cybersecurity, the two departments are likely to begin discussions by conducting an honest and thorough assessment of their alignment. Is there agreement on who is assuming ownership of cybersecurity risk in the company? What are the top data security and privacy risks we currently face?

At the beginning, the two departments may not view the organization's security framework in the same way, and they may not even agree on their respective roles when it comes to responding to an incident. That's why they need to talk. Periodic discussions are likely to lead to more formal activities, like an annual risk assessment (with input from other experts and stakeholders in the organization), and perhaps quarterly meetings to monitor current systems and processes against established best practices, standards and benchmarks.

Regular meetings between legal and IT will help organizations make significant progress in identifying and prioritizing risks. The meetings are also likely to lead to new proactive measures, which may include increased testing of existing safeguards, or the engagement of independent parties to evaluate security programs. They may also result in more formal programs for evaluating and monitoring third parties that have access to company data, whether they are e-discovery vendors, IT vendors, outside counsel or vendors serving other departments. This is a crucial piece of the cybersecurity puzzle, because ' as the Target incident so clearly demonstrated ' when a third party is proven to be the weak link that leads to compromised data, the organization that hires the third party will ultimately be held to account, no matter what liability protections are in place in vendor contracts.

A New Role for GCs and a Broader View of Enterprise Risk

All of this is part of a larger shift in the enterprise landscape in which the GC is expected to be more of a business leader and an active participant in strategic planning alongside other members of the executive leadership team. In light of recent notorious data breaches and their aftermath, corporate leadership is now taking a more comprehensive view of enterprise risk. The GC and the legal department are still providing counsel as specific issues arise, but that advice must now be informed by a deeper understanding of the organization's long-term business objectives, its position in the competitive landscape and its overall strategy.

Departments are being asked to look beyond their own traditional and sometimes territorial concerns and embrace a broad view of enterprise risk. When a company is contemplating pursuing a new line of business, making a major technology investment, increasing reliance on public cloud computing resources or creating a new marketing campaign, IT and legal must work closely together to weigh the potential benefits of any course of action against possible risks. What is the likelihood that something will go wrong? What regulatory issues do we need to consider? Is there data containing personally identifiable information (PII) involved? What are the specific security vulnerabilities (ranked by the magnitude and likelihood of risk), and what steps will we need to be in a position to take immediately if data is compromised? Conversely, what are the business risks of backing off from a proposed initiative? The idea is to carefully consider issues and initiatives that pose potential benefits and risks from multiple perspectives: legal, technical, operational and financial.

Conclusion

Risk cannot dictate how the business operates. But working together, IT and legal can arrive at a more consistent and comprehensive definition of risk that reflects the unique challenges of their industry, and they can set reasonable and appropriate priorities that mitigate specific risks without undermining business objectives. They can also help create a top-down culture of security in which every employee is aware of potential threats to the business, understands the importance of observing security policies and procedures, and takes responsibility for recognizing and responding to potentially suspicious activity.

Jason Straight is the senior vice president and chief privacy officer at UnitedLex. He has more than a decade of experience assisting clients in managing information security risks, data breach incidents, data privacy obligations and complex electronic discovery challenges. Jason began his career as an attorney at Fried, Frank, Harris, Shriver & Jacobsen in New York.