Cybersecurity

When a data incident occurs, "who you gonna call"? The answer, unfortunately, isn't the  Ghostbusters, according to speakers at a Legalweek panel titled "Beyond the Attack—Legal & Ethical Considerations in Breach Response." For them, help should come from a well-thought-out and practiced internal cybersecurity plan involving key stakeholders.

To be sure, while any company faces the possibility of a data breach, the risk isn't uniform across the economy. "Every company faces a different threat landscape depending on who you are and what data you have," said Bryan Rose of technical consulting company Stroz Friedberg. "Everyone should try to get a clear understanding on a recurring basis as to what your particular threat landscape is and how it's changing."

There are, however, ways that all companies can mitigate their risk. For example, succession planning, including discontinuing access to employees that haven't left the company but whose job requirements have changed, can be a preventive step for guarding confidential information, said Margaret Gloeckle, A&E Networks' vice president and privacy and compliance counsel. She advised that companies perform routine audits to assess who has access and to what.

When a data incident escalates into an actual breach, Gloeckle suggested organizations have escalation plans in place.

"The escalation process is very critical because if you think about some of the regulations we have seen specifically around [New York State Department of Financial Services], there's a notification period of 72 hours," Gloeckle said. "If you think about the [General Data Protection Regulation], they tell you [that] you need to notify without undue delay and the 72-hour clock starts to tick and they also have to update regulators in that 72-hour window. Escalation and communication are key pieces in implementing your incidents response plan."

The panel also recommended organizations perform routine tabletops—cybersecurity training exercises that bring key stakeholders together and stimulate a data breach and test the response plan.

The call for tabletops, cybersecurity processes and practice can seem daunting for entities of any size. But the panel's moderator, International Legal Technology Association CEO Joy Heath-Rush, suggested all organizations must begin proactively guarding their data.

"I know probably if you are in a smaller organization, you're hearing this and saying, 'I don't have these analysts, I don't have this great bundle of stuff,'" Heath-Rush said. "You can find resources that can help you identify your most low-hanging fruit for vulnerabilities and make sure you are addressing that."