Front-page breaches have transformed the corporate landscape and, with it, the role of general counsel. First, the table stakes — the day-to-day lawyering that defines the work of the office of the general counsel (OGC) under any circumstances — are higher. Not merely job description details, these changes are significant indices of the sheer magnitude of the crisis at hand.
For example: The regulatory burden is broader and deeper, a complex web potentially entangling HIPAA, Gramm-Leach-Bliley and state regulations. It’s a new labyrinth demanding higher-level in-house practice.
The OGC must be a fixture of enterprise-wide training programs. It is now the GC’s responsibility to ensure that employees at every level understand applicable policies.
The OGC must exercise greater due diligence in evaluating potential vendors and maintain persistent oversight of existing vendor security practices. Some states compel companies to take reasonable steps to ensure third-party compliance.
If nothing else, the disasters at Target and Neiman Marcus offer portentous reminders to boards and C-suites that the OGC must play a ground-floor role in forging a data breach response plan. This plan serves as “a living, functional document” in lieu of oft-used boilerplate typically inapplicable to the company’s structure and operations, according to Gerald Ferguson, a partner at BakerHostetler and co-chair of its Privacy and Data Protection Practice.
The plan should be tested in tabletop exercises as team members prepare for worst-case scenarios. The element of surprise must be included in the rehearsals; if the document is to be truly “living and functional,” responders must be able to turn on a dime as unanticipated twists and turns occur. Separate approaches should be crafted for consumers, reporters, regulators, etc.
“At a minimum, this plan must [also] identify an incident response team, define the roles of the team, and establish procedures for identifying, escalating, and managing data security incidents,” adds Ferguson. Critically, the OGC itself must be an integral part of this incident response team. “Decisions made early on involving preserving evidence, directing forensics and giving mandatory notices can significantly influence the ultimate cost and impact of an event.”
GCs thus become decisive strategic architects in their interactions with marketing, compliance, social media, IT, and HR—and the company’s staunchest advocate for data security prophylaxis.
Ear of management
As Ferguson says, “Senior management and the board should require that the company implement an approach to information security that is ‘adaptive,’ constantly identifying new threats and evolving to respond to these threats.”
This “adaptive” approach (a main feature of the National Institute of Standards and Technology cybersecurity framework) underscores the GC’s most impactful leadership function, that of prophet. One cannot prepare for unanticipated contingencies, and help train others to do so, by relying on past example. One must anticipate the unanticipated.
The “what’s next” may be startling revelations about the misuse of hacked data, by anyone from credit card thieves to global terrorists. Or it may be all about marketplace positioning after a breach. How might free credit monitoring (Target’s strategy) allay marketplace anxieties? How will competitors seek to exploit the breach?
In the last analysis, the data crisis mirrors diverse other crises in terms of its impact on the leadership role of the OGC. But data security ups the ante, exponentially. It’s a do-or-die game that won’t be won without the GC on the team.