Depending on the size of a corporate legal department, in-house counsel must often address and advise leadership on a myriad of legal issues. Whether counsel is fresh out of law school or seasoned, counsel will face cyber security issues during their tenure. Once the focus of the technical experts alone, cyber security issues are now board-level issues based on the frequency and potential seriousness of breaches. Cyber risk issues must be at the top of any lawyer’s list of risk management issues.
The risk is growing. A 2018 survey of 477 companies around the world that experienced data breaches in the preceding 12 months suggests that there is a 28% chance the companies will experience a material breach within the next two years.
Exposure is a certainty. Identifying and containing data breaches are not. Companies typically identify breaches about 197 days after they occur. Once identified, another 69 days pass before the risk is contained. The period of exposure is extensive.
Data breaches are getting bigger. Breaches occur when information is taken or stolen without the system owner’s knowledge or authorization. Stolen data can include sensitive, confidential or proprietary information, including customers’ credit card numbers, customer data, trade secrets, or matters of national security. The majority of losses result from hacking and malware attacks. Researchers report that the average size of a data breach is growing by more than 2% each year.
The cost is also higher. The average total cost of a data breach is $3.86 million or $148 per lost or stolen record. Data suggests the cost of detection and escalation, post-data breach responses, notification costs and lost business costs are growing by more than 6% annually. Many of these costs are tangible and foreseeable. “Soft” costs associated with business disruption, system downtime, losing customers, wooing new customers, and tarnished reputation and goodwill are very difficult to quantify.
Applying best legal practices and industry standards is a great responsibility. Counsel must coordinate the functions that protect corporate and client data. Counsel must immediately coordinate with many departments to quickly identify and mitigate the exposure. It’s essential that information be shared under the protection of the attorney-client privilege and that written assessments be protected as attorney work product. Further, counsel must work with internal and/or external PR professionals to prepare for and respond to media inquiries. Although the requirements may differ, counsel must make decisions and supervise notification to consumers and, where required, statutory disclosures. Finally, states’ attorneys general and the Federal Trade Commission will expect prompt answers from counsel.
Successfully responding to these great challenges positions counsel as a key management player. On the other hand, failing to do so ensures an immediate departure from a weakened organization. This can’t be good for an attorney’s reputation or market value.
Please follow us as we dive deeper into these issues.