Data breaches transforming the GC's role in the company
If nothing else, the disasters at Target and Neiman Marcus offer portentous reminders to boards and C-suites that the OGC must play a ground-floor role in forging a data breach response plan.
February 23, 2014 at 07:00 PM
7 minute read
Front-page breaches have transformed the corporate landscape and, with it, the role of general counsel. First, the table stakes — the day-to-day lawyering that defines the work of the office of the general counsel (OGC) under any circumstances — are higher. Not merely job description details, these changes are significant indices of the sheer magnitude of the crisis at hand.
For example: The regulatory burden is broader and deeper, a complex web potentially entangling HIPAA, Gramm-Leach-Bliley and state regulations. It's a new labyrinth demanding higher-level in-house practice.
The OGC must be a fixture of enterprise-wide training programs. It is now the GC's responsibility to ensure that employees at every level understand applicable policies.
The OGC must exercise greater due diligence in evaluating potential vendors and maintain persistent oversight of existing vendor security practices. Some states compel companies to take reasonable steps to ensure third-party compliance.
OGC transformed
If nothing else, the disasters at Target and Neiman Marcus offer portentous reminders to boards and C-suites that the OGC must play a ground-floor role in forging a data breach response plan. This plan serves as “a living, functional document” in lieu of oft-used boilerplate typically inapplicable to the company's structure and operations, according to Gerald Ferguson, a partner at BakerHostetler and co-chair of its Privacy and Data Protection Practice.
The plan should be tested in tabletop exercises as team members prepare for worst-case scenarios. The element of surprise must be included in the rehearsals; if the document is to be truly “living and functional,” responders must be able to turn on a dime as unanticipated twists and turns occur. Separate approaches should be crafted for consumers, reporters, regulators, etc.
“At a minimum, this plan must [also] identify an incident response team, define the roles of the team, and establish procedures for identifying, escalating, and managing data security incidents,” adds Ferguson. Critically, the OGC itself must be an integral part of this incident response team. “Decisions made early on involving preserving evidence, directing forensics and giving mandatory notices can significantly influence the ultimate cost and impact of an event.”
GCs thus become decisive strategic architects in their interactions with marketing, compliance, social media, IT, and HR—and the company's staunchest advocate for data security prophylaxis.
Ear of management
As Ferguson says, “Senior management and the board should require that the company implement an approach to information security that is 'adaptive,' constantly identifying new threats and evolving to respond to these threats.”
This “adaptive” approach (a main feature of the National Institute of Standards and Technology cybersecurity framework) underscores the GC's most impactful leadership function, that of prophet. One cannot prepare for unanticipated contingencies, and help train others to do so, by relying on past example. One must anticipate the unanticipated.
The unanticipated may take the form of startling revelations about the misuse of hacked data by anyone from credit card thieves to global terrorists. Or the “what's next” may be all about marketplace positioning after a breach. How might free credit monitoring (Target's strategy) allay marketplace anxieties? How will competitors seek to exploit the breach?
In the last analysis, the data crisis mirrors diverse other crises in terms of its impact on the leadership role of the OGC. But data security ups the ante, exponentially. It's a do-or-die game that won't be won without the GC on the team.