In recent years, there have been a number of high-profile security breaches involving the loss of customer data that have resulted in long and costly lawsuits. These have highlighted that data protection is not only a cybersecurity issue, but that failure to protect data can also lead to significant legal ramifications.
As incidents involving the loss of customer data continue to make headlines, it is becoming clear that in-house legal teams and chief legal officers (CLOs) must play a more prevalent role in working closely with IT teams to ensure that security policies and response plans are adequate to effectively protect sensitive data in their care. They can also make a valuable contribution as overall corporate 'risk managers', in protecting their organization from lengthy and costly lawsuits that can result from data breaches.
Here, I explore why there is a greater need for co-operation between CLOs, CIOs and CSOs to develop water-tight cybersecurity incident response plans that will not only protect the organization’s data in the event of a breach, but also protect the company from a legal standpoint.
The Legal Ramifications
The repercussions of a data breach extend far beyond the direct operational and financial impact; increasingly, they can also result in organizations facing legal action. Many large corporations have faced criticism from regulators for security negligence, and lawsuits from customers have followed. For example, in 2011, hackers compromised the personal data of around 77 million Sony PlayStation users, which resulted in a class action suit. While the lawsuit was rejected, the court costs and negative publicity undoubtedly added to the overall cost of the breach – one of the largest in history.
More recently, the professional social network, LinkedIn, was compromised following a password breach in 2012. Subsequently, a $5 million class action lawsuit was filed against the company for failing to protect customers’ data with ‘industry standard protocols and technology’, as outlined in LinkedIn’s own privacy guidelines. Similarly, the LinkedIn case was dismissed in March 2013; however, the company may yet come under fire from the US Federal Trade Commission (FTC) for what its customers saw as a ‘misrepresentation of the level of security for the storage of user passwords.’
As the size and scope of consumer data repositories managed by organizations grow, a large-scale loss or breach brings the added risk of legal action, which means the related costs could significantly escalate. Security policies should consider the risks to data integrity from a legal standpoint in order to put in place appropriate levels of protection.
The Board Level Battle
At the heart of this issue is the fact that, in many organizations, the board does not recognize the business benefits of comprehensive and well-rehearsed incident response plans. They are unwilling to invest the time, resources and money without understanding the real return on investment (ROI).
However, the ROI should measure not only the investment in security systems, but also the potential to avoid financial exposure if they do not invest in an effective incident response strategy. This strategy is the foundation of a sound risk assessment program.
Preparation is the key, yet many organizations do not understand there is a strong likelihood they will be hacked, even if they believe their data is not of value to cybercriminals. While many organizations are in this state of denial, their customer data could be compromised, leaving them completely exposed from a legal perspective.
This is why now is the time for CISOs to realize the business benefit of engaging with the CLO, and vice versa. CLOs must start working with CISOs for assurance that if they are breached, they can demonstrate they’ve carried out due diligence, and taken all of the preventative measures that are required of them.
Nevertheless, there is still much advice that goes unheeded, and raising the need to improve security to a board level issue can be an uphill battle. Until we are able to educate CEOs, CFOs and CLOs on the importance of cybersecurity, companies will remain exposed, not only to data breaches, but also to damaging law suits and fines.
The CLO Perspective
In this new era, CISOs need to involve their legal team in cybersecurity planning right from the outset, at the point of developing an incident response plan. There are many benefits to this strategy: as overall corporate risk managers, CLOs can provide an added perspective on risk assessment and management to strengthen and protect the company in the event of a breach.
Working with the CLO at the point of planning ensures a more well-rounded response plan, one that takes into account the total protection of the company from a governance, compliance and legal perspective, rather than just focusing on data protection. This is absolutely imperative in today’s world, where companies find themselves in lengthy legal battles or facing heavily publicized fines from regulatory bodies because of breaches.
The first step is to know where your valuable data is and protect it. In times of crisis, management and mitigation are critical, and this can only be achieved by engaging all units within the business to obstruct the leak, communicate with customers, and put in place the right procedures to limit any reputational damage.
Although there can be communication challenges between multi-disciplinary teams, ongoing dialogue will help ensure objectives are achieved. In a crisis scenario, the legal and IT team are working to reach a common aim as quickly and efficiently as possible, so each group needs to establish effective lines of communication early on.
Should a cybersecurity incident result in legal action, it's important to involve the legal team at the outset, to minimize risk. Moreover, if evidence needs to be collected for an internal investigation, close co-operation with the legal team can help avoid costly delays.
Ultimately, improved communication and awareness are at the heart of the cybersecurity issue. Without the support of other C-Level execs, CISOs are fighting a losing battle. Going forward we will need to see interdepartmental cooperation, with CLOs and in-house legal teams becoming much more engaged with IT. Moreover, the board needs to promote investments in security initiatives that will serve to strengthen defenses against cyber-attacks from both a data protection and legal standpoint. This is why a CISO who can harness the power of the legal department will be a force to be reckoned with.
Based in London, Sam Maccherola is general manager EMEA and APAC for Guidance Software. He is responsible for managing the strategic direction of the organization, as well as all operations, sales, and business development across these regions. Maccherola has more than 20 years of experience in managing and directing global business operations within the software industry. Before joining Guidance Software, he was the VP of Sales for IT security company HBGary, and prior to that, he was the president of Tenix America. Maccherola also held senior positions with Tumbleweed, Entrust Technologies, Platinum Technologies, and Legent Corporation.