

Cybersecurity and compliance: An unlimited horizon of responsibility

As experience demonstrates, cyberthreats pose a risk as great as any other to even the mightiest companies and industries

Make no mistake, the compliance challenges arising from data breaches and other cyber incidents are not limited to industries that, like retail and financial, garner the most conspicuous publicity for events that so directly affect the public.

Not that those sectors aren't obvious targets for cyber mayhem by global bad actors and homegrown miscreants. If anything, additional pressure still needs to be exerted on those industries that remain slow to pursue the kind of prophylactic measures that underscore all sound compliance cultures. But far too few companies of any sort are investing in comprehensive compliance, training and monitoring programs to protect against cyberthreats.

A key factor causing corporate inertia around this enterprise-wide risk is the question of responsibility. Who is accountable? Is it information security, IT, corporate security, legal, compliance or some other corporate department? Many corporations are behind the curve when answering this question, and without an “owner” to lead the charge, it seems companies are paralyzed into doing nothing.

The global scope of the cybersecurity problem, and the dizzying array of issues involved—HIPAA, Gramm-Leach-Bliley requirements, state regulations, cross-border legal issues—represent liabilities and raise questions far beyond whether firewalls are permeable. This point was underscored in May 2014 when the Department of Justice accused Chinese military officials of hacking major U.S. corporations, including my company, U.S. Steel, in a scheme to steal IP and trade secrets. It was the first time the U.S. had charged a state actor in a cyber-espionage case.

As a matter of national security as well as self-preservation, companies must expand cyber oversight to include the legal and compliance functions. Why? Because there are ever-changing rules and regulations impacting this space that require legal and compliance's input. It is not about one corporate function usurping the authority of another corporate function; it's about educating technology managers so they have an understanding of the changing regulatory landscape to advise on whether systems are in place to ensure company compliance with all regulatory requirements and to best protect the company from incoming cyberattacks. This also means that legal and compliance professionals must take it upon themselves to become proficient in technical cybersecurity issues in order to advise their internal clients.

Given such burdens, the legal and compliance functions must spearhead enterprise-wide training programs in order to educate employees about their individual roles in helping to protect the corporation from cyberthreats. At the same time, the legal and compliance teams must review their respective due diligence processes when evaluating the corporation's current and potential business partners. Along with internal compliance training on cyberthreats, the data breach response plan must feature compliance officers and in-house lawyers as well as architects, key implementers and partners. What is needed now is an organic functional plan and process based on the company's specific operational realities and subject to daily modification by the cross-functional cybersecurity team. The plan must require real-time tabletop exercises to both test its efficacy and rehearse all relevant personnel in its critical provisions, including public notifications and crisis communications strategies.

We should all know what is at stake. As experience demonstrates, cyberthreats pose a risk as great as any other to even the mightiest companies and industries. Whether it is the health of our manufacturing, financial, retail or other industries, it is important to keep in mind that with cybersecurity, we are fighting a war, a very long-term war of survival. In that war, legal and compliance professionals represent key subject-matter experts who, working in unison with their colleagues, can present a unified and indispensable front against current and future cyberthreats.


Suzanne Folsom

Suzanne Folsom is general counsel and senior vice president of governmental affairs of United States Steel Corporation.
