Part of the philosophy behind the Department of Homeland Security’s “If You See Something, Say Something” campaign hinges on the idea that we are all collectively responsible for each other’s safety. It’s not just the responsibility of law enforcement to keep us secure, as it might have been in the past. This same paradigm shift is as true in the digital world as it is on the streets. Cybersecurity is no longer just the purview of IT departments, but rather the concern of entire organizations, from workers who bring their own devices to the office all the way up to the highest C-level executives, and this includes a crucial role for general counsel.
Not just an IT issue
These days, intellectual property and consumer data are among the most valuable commodities, and cyber criminals are doing everything in their power to steal as much of this information as possible. This type of theft has become one of the greatest legal risks to organizations, and many new laws have been passed to regulate the protection of this information.
Paul Williams, office managing partner at Major, Lindsey & Africa, explains:
A big part of the GC’s role is risk identification, analysis and management in an ever-increasing number of ways. An organization’s Compliance group, as well as its Privacy function, may report up through the Law Department. GCs, particularly those in consumer-facing companies, in public companies, those that contract with the government, and in companies with highly valued and protected public images, are increasingly called upon to help manage crises that arise from cyber attacks. As a public company director, I know that boards expect their GCs to provide real-time analysis and guidance on all components of risk mitigation, including Cybersecurity. In the digital age, news of these attacks (particularly those involving the theft of customers’ credit card, healthcare information, and other highly sensitive data) can go viral around the world within minutes, having an immediate effect on a brand’s reputation and standing in the marketplace. With regard to their organizations’ own intellectual property, GCs also sit squarely on the front lines in helping to ensure important business assets remain secure and that their risks – legal and otherwise – are kept at a minimum.
One factor contributing to the urgency of cybersecurity initiatives is the increasing number of laws that have been passed in this area. The most prominent governmental mandate of recent vintage was the Improving Critical Infrastructure Cybersecurity Executive Order, signed by President Obama in February.
The order calls for the National Institute of Standards and Technology (NIST) to develop a standardized cybersecurity preparedness and response plan – a framework that is being developed with input from the private sector. A draft of the framework is due in October and should be finalized by February 2014. As companies develop their own cyber plans around this framework, it is imperative that general counsel be involved in the process, as the plan will establish disclosure and compliance guidelines that will be followed in the event of a breach.
Sherrie Farrell, office managing partner, Detroit and Diversity Committee Chair, Dykema, explains the relevance of this order as it relates to general counsel:
The Cybersecurity Executive Order, first and foremost, is a critical recognition of the growing importance of cybersecurity issues in both public and private sectors. It also is a recognition that these issues are continuing to evolve, and we must be proactive in implementing strategies to deal with them. The Cybersecurity Executive Order orders the creation and release of a federal government-supported cybersecurity best practices model (known as the “Framework”). Although adoption of the Framework is voluntary, the federal government’s focus on identifying, implementing and partnering with public and private sector businesses certainly should signal heightened awareness for general counsel. For example, groups of businesses and lawyers regularly have been working with the government to determine the best practices. The findings of these workshops will be made public. Likely, GC will find that their organizations could benefit from these best practices.
This spring, Congress passed several pieces of legislation focused on ways the federal government can bolster cybersecurity. It would behoove general counsel to follow these and future laws to keep up to date on compliance obligations.
Prosecution and Protection
Typically, general counsel play an important role in the criminal prosecution of cyberattacks. They help determine if prosecution makes sense, in terms of whether it is in a company’s best interest and if it is even possible.
Furthermore, general counsel can help create and maintain cybersecurity measures that protect a company’s data. GCs can lead the way by:
- Advising senior management/board members on legal responsibilities;
- Spearheading preparedness, response and compliance initiatives;
- Including cybersecurity terms in supply chain and IP contracts; and
- Managing potential lawsuits.
As for the future, Farrell sees an increasing need for general counsel to focus on cybersecurity:
Legal departments should be prepared to address the intersection of cybersecurity and compliance within their organizations. The start of a federal cybersecurity compliance program could result in new government regulated disclosures and duty of care obligations. The Executive Order has prompted Congressional action, both through Framework adoption incentive proposals and efforts to codify the Executive Order. However, even without increased attention from the federal government, corporations need to be proactive in ensuring compliance with existing federal and state regulations, establishing the necessary controls, understanding the risks and having a plan in the event of a cyber threat or breach.
The topic is a large and complex one, so for general counsel who want more information, several sources are available. A recent white paper from Dykema discusses many of these topics in greater detail, and an upcoming event, “To Protect and Defend: Why Cybersecurity Matters and What You Can Do to Guard Against Unwanted Intruders,” will provide a host of thought leadership on the topic.
The event will take place on Thursday, Sept. 12, 2013 at the Renaissance Conference Center in Detroit, Mich. It will feature general counsel from Trustwave, Motorola and Bridgewater as they discuss cybersecurity risks and their impact on business practices and functions.