Last year, SEC Chair Mary Jo White named cybersecurity as the biggest risk facing financial markets. But the risk isn’t limited to the financial industry – even a casual review of breach reports in the mainstream press shows that cybersecurity is a risk common to all companies in any industry. The challenge facing companies is how to prepare for what seems to be inevitable, and how to do it on an efficient and economical basis.
The key element in preparing for a data breach is less a technical matter than a traditional evaluation of business risk. Companies regularly analyze the risks of business decisions, and just as regularly, recognize that risk analysis requires legal advice. Evaluating cybersecurity risk is no different – it requires that a company understand the risks it takes, which risks it is willing to assume as part of its business and which risks need to be eliminated or shifted (through insurance, contractual arrangements or otherwise). Given this, obtaining competent legal advice before a breach is a critical aspect of any cybersecurity plan.
Despite this fact, many companies focus their data protection programs in IT, and only bring in their lawyers late in the game to bless their cybersecurity measures. While legal expenses are always a concern, companies will reap a greater return on their overall cybersecurity investment by soliciting advice early on, and stand better odds that a breach will be handled correctly and efficiently.
What can cybersecurity lawyers bring to the table?
Perhaps most importantly, legal counsel commonly work with a variety of corporate players and are in a unique position to work hand-in-glove with IT, HR, and other functions to assess and reduce cybersecurity risk while still permitting a company to function efficiently. An experienced lawyer is often the best person to lead a team that establishes key protocols to avoid a breach, including policies and procedures for privacy, confidentiality, mobile device usage, record retention, and breach protocol. Lawyers are particularly able to address the key elements of an effective cybersecurity plan.