General Counsel: Illuminating the “Unknown Unknowns” of Data Breach Response
If you’re like most attorneys, the recent deluge of large-scale data breaches affecting premier brands including Home Depot, Chase and Staples, to name a few, rattled you a little. The torrent of lawsuits arising from these incidents is in full-swing. Even if only a fraction of these suits have merit, corporate legal teams will be tied up with them for years to come.
While it’s highly unlikely that any of these breaches will force these companies to go under, the money lost in response efforts, litigation costs, customer churn and depressed stock prices will impact the company for years to come. You would think the constant barrage of data breaches would put general counsel, the group responsible for assessing legal threats to their company, on alert, but you might be surprised how unprepared many of them are. Many would break into a flop sweat if they had to answer questions like:
- “What measures were in place to prevent data breaches prior to the incident?”
- “How do you assess the effectiveness of your information security controls?” or
- “What did you do when you learned about the breach?”
Why does this topic create such consternation? In most cases, it’s due to a lack of communication between legal, IT and other risk management stakeholders. General Counsel thinks in terms of liability and business risk, while IT thinks in terms of technology risks. When an IT manager says that Servers X and Y are vulnerable to hackers, General Counsel may have difficulty understanding the scope and scale of the potential impact, let alone acting on the information. Meanwhile, when IT people hear the same facts, they immediately act to remediate technical gaps, but legal repercussions are typically the last thing on their minds.
If you haven’t already, sit down with IT and brainstorm the overall business risks that may result from a data breach. Granted, doing so isn’t easy because you and IT may speak different languages. However, you will never understand one another unless you begin that awkward process of communication.
The best approach is to structure a dialogue around a few basic, but often vexing questions. Discussions around the following topics will typically uncover differing perspectives on risk and security awareness and will leave participants with a deeper appreciation and respect for one another’s concerns:
- What and where are the company’s “crown jewels” and how are we protecting them?
- What are the most frequent types of information security incidents we have experienced?
- What controls are in place to limit access to critical data and to enforce “need to know” policies?
- How do we assess and manage information security risks with our vendors and other third parties?
- How do we define roles and responsibilities in the incident response process?
There are times, however, when either the language gap is too great or the need for action is too pressing. For those situations, you may want to consider engaging a facilitator who understands both sides of the risk equation and can translate them easily into a shared awareness of true business risk.