

Planning for the inevitable cyber breach

Have a plan in place, but remain flexible

Look out over the ramparts of cyber defense and you’ll see that there are barbarians at the firewalls, an ever-diversifying lineup of hackers, corporate spies and foreign agents hell-bent on compromising the data of your corporation. Add to that the increasing scrutiny that regulatory agencies are applying to those who “allow” their sensitive information to be compromised, and you’ve got a recipe for cyber disaster.

While outright prevention of attacks is impossible, mitigating the effects of a data breach and the reputational damage associated with it is something that organizations can aspire to. That being said, it can take a considerable effort to make it happen, and it also requires that corporations embrace this challenging new reality.

At the 2014 SuperConference, the session “Primer to Cyber Security Incident Response Plan” examined exactly what corporations were up against, and tapped a number of industry experts to give their advice for developing plans to combat the issues.

In the words of Scott Vernick, partner at Fox Rothschild LLP and moderator of the panel, “looking at the 2013 statistics, 90 percent of companies reported they’ve been hacked. There are only two types of companies, those that have been hacked and those that don’t know they’ve been hacked.”

The first step to combatting a breach is putting together a preliminary blueprint, but as Vernick pointed out, tactical plans can be as much of a blessing as a curse. On the one hand, they provide an actionable list of instructions on what to do; on the other, they can be cumbersome or restrictive when taken too literally.

For Gretchen Herault, deputy chief privacy officer at Nuance Communications, ensuring that there is wiggle room within that plan is essential. “It doesn’t have to be specific down to who does what and when, but if you’re planning for battle you have to have a plan. Granted, when that battle starts that all goes out the window and you do what comes naturally, but at least you have a starting point,” she says. “People need a script to read off of. As the situation evolved you might have to go off that script a little bit, but you need that framework to give everyone the lanes to swim in.”

Shannon Couffer, director, regulatory law, legal services and administration for Walgreens, agreed that a level of flexibility is key to a successful plan. “Breaches never happen when you have the luxury of time, they happen in the instant and you have to respond in that instant. So having a plan that anyone can pick up and run with is a strength,” Couffer says.

Regardless of how succinct or illustrative the plan turns out to be, Deitzah Raby, assistant general counsel & privacy officer of Hill-Rom Holdings, Inc., says that whoever is responsible for overall cyber protection needs to ensure that the key stakeholders are involved. “The two most critical groups to me are legal and the IT security group,” Raby says. “They’re most likely the ones who first become aware of the incident, whether they find it themselves or hear from external parties. If you’re not already working closely with security, it’s wise to make sure you get to know them and understand the things they work on. Once you’ve confirmed the breach, then I think you need to expand the group further to include all the other stakeholders.”

But a plan of action alone is not enough to save the day from a data breach. The group agreed that identifying where the information is, and knowing inside and out what could potentially be affected, is also a critical component of breach mitigation. Those in charge of protecting information should readily know what information is where, whether or not it was stored electronically, whether it was encrypted, and whether or not it could be acquired by an unauthorized user.

And when the inevitable breach does happen, the choice to alert users should not be taken lightly, nor should offering compensation to those affected. Herault says that at a previous employer, a massive data breach resulted in the company shelling out millions to offer credit monitoring software to anyone whose information had been stolen. Only one person ultimately signed up.



Executive Editor

Chris DiMarco

Chris DiMarco, Executive Editor of InsideCounsel magazine, has a background in multimedia production with previous involvement in projects in which he developed and created content...
