What a GC Should Think About re Cybersecurity

As eDiscovery, cybersecurity and privacy merge, it is important to step back and look at what the GC should be thinking about in regards to cybersecurity:

  • The legal risks associated with data security are growing exponentially.
  • Contracts with customers and vendors often allocate liability and impose expectations.
  • Think about what you need to do in anticipation of any legal proceedings that often follow a cybersecurity incidence.
  • Most security incidences result from inside threats and mislaid laptops or portable devices.
  • Loss of privacy and confidentiality can be a very significant issue.
  • Know what insurance coverage you have in the event of a breach.
  • Cyber insurance is developing quickly. Know where you stand and be looking at it proactively.
  • Do we have IP assets, trade secrets, account records, consumer data that could be subject to cyber-attack? Could our facilities be misused as part of an attack?
  • What past incidents have we experienced? Are our incident response procedures effective and well understood throughout the organization?
  • Do we have an up-to-date cybersecurity risk assessment?
  • Who is responsible for cybersecurity, and does he/she have sufficient resources?
  • Is the Board of Directors adequately focused on cybersecurity; has it established satisfactory internal controls and governance structures?
  • What do we need to include in our SEC filings on cybersecurity?
  • Do we know the existing and prospective laws apply to cybersecurity?