Corporate law departments are beginning to understand their position in the fight for data integrity and cyber security. The general counsel’s office at many companies must now be prepared to assist in addressing some of the risks, such as the loss of key data, regulatory penalties, and issues concerning the company’s standing and image.
Statistics show that cybersecurity is starting to be a larger priority for general counsels. According to the Association of Corporate Counsel’s Chief Legal Officers Survey in 2018, more than 25% of general counsels said that their companies had been victims of a data breach within the last two years versus 22% that reported a data breach in 2016.
To be effective, a corporate counsel must examine cyber threats that other companies are facing. General counsel also must prepare to immediately counteract them.
The Loss of Key Data
In-house counsel must be aware of the countless “phishing” attempts made daily both on home computers and work computers. These criminals attempt to dupe employees into clicking on a link in an email that contains malware. The link also might trick a person into sending money or bank information per an email that appears to be official.
It’s important to recognize that all it takes is a single employee to let his or her guard down for a hacker to enter an IT system. The intrusion will result in the compromise of valuable data and systems. The illegal actors can hold a company for ransom. Or they might move millions of dollars in assets to a bogus account as the result of a spoofed CEO email.
Corporate counsel must lead the company’s efforts to combat “phishing.” This should involve employee training and the use of basic but effective, techniques like strong passwords (changed regularly), auto-patching for malware and viruses, and multi-factor authentication.
Data Privacy Regulations
In addition to the subject of data privacy, data privacy regulations are a key topic of concern for corporate counsel.
American companies must come to terms with the new data privacy laws. Notably the State of California passed its California Consumer Privacy Act (CCPA) in 2018. The CCPA allows any California consumer to demand to see all the information a company has saved on them. Customers may also learn what third parties have access to the data. Plus, the law permits consumers to bring a legal action against companies upon violation of the privacy guidelines. This is true even if there is no breach.
Several other states have enacted or considered statutes wuch as the CCPA. These states include Washington, Nevada, and Maine. Nevada’s 2019 law requires businesses to offer consumers an opt-out concerning the sale of their personal information (with some exceptions). Companies that violate the law are subject to a penalty up to $5,000 per violation and temporary or permanent injunctive relief. Likewise, Maine’s 2019 law protects the privacy of online consumer information.
In addition, the federal government continues to look at a comprehensive federal data privacy law that would preempt all of state laws; however, the talk has lead to nothing concrete after many years.
Plus, in Europe, corporate counsel must contend with data transfers out of the EU to the United States, as privacy shield and standard contractual clauses are under attack.
Protecting the Company’s Reputation
Years ago, corporate counsel addressed reputational risks with a well-worded fax or a phone call. If an incident arose, it was thwarted by a stern “cease and desist” to a newspaper or the local radio or TV station. Today, every guy or gal with a smartphone is a reporter and can broadcast an incident across the globe in seconds. Once news goes viral, it’s all but impossible to retract it from the public awareness.
In a well-known example, the Wells Fargo fraud incident quickly ignited as bank customers and others posted clips of the congressional hearings on Twitter feeds, Instagram accounts, and on Facebook. This told the public about all of the details of the scandal and ensuing investigation — further damaging the bank’s reputation.
Corporate counsel should be actively engaged in a proactive defense of the company’s reputation.
Questions to be Answered by the General Counsel’s Office
The new legal concerns in the data privacy and cyber security world require corporate counsel to take preparations. These preparations would require them and their staffs to discuss and explore the answers to questions such as these:
- What kind of data and other personal information does our company store?
- When the company loses data, or criminals steal it, what effect would it have on the company?
- What data would be important to a cybercriminal if they could access it?
- What best practices does our company now have in place?
- Which of the company’s systems are the most vulnerable to attack?
It’s necessary for general counsels to have some level of cybersecurity knowledge and experience, which undoubtedly adds to the list of significant responsibilities under their care. General counsel need not possess the same technical information as the chief technical officer. But they should be familiar with technical terms and have a basic understanding of the landscape in this area. Plus, corporate counsel must possess knowledge of the types of new digital tools available. They must have the expertise to leverage them in keeping the company safe.