27 Dec 2021

10 Steps GCs Can Take to Minimize Data Security Risks

By Barbara W. Reece | LexisNexis Practical Guidance

The constant risk of enterprise data security threats has kept in-house counsel on their toes for years now, but unfortunately GCs do not appear to be gaining any greater confidence in their organizations' preparations.

The level of preparedness to handle cyberattacks declined for the third consecutive year in a 2021 survey of general counsel, according to a report from Law360 Pulse, and nearly half of GCs identified data protection and security as an expanding area of risk to their organizations.

These findings are consistent with what counterparts in the corporate tech profession have previously expressed. One survey by IDG Research Services found that roughly 78% of senior IT and IT security leaders believe their organizations lack sufficient protection against cyberattacks.

Data security risks are ubiquitous. Nearly 9 in 10 organizations have already experienced an attempted exploit of an existing vulnerability, according to a recent Check Point Research Security Report, and new threats are reported daily at nearly every major company in the world.

While other executives in the company are tasked with mitigating risks of breaches, in-house counsel are in a unique position to oversee the mitigation of legal and compliance risks associated with data security intrusions.

“The role of internal counsel is to use internal and external resources to become knowledgeable conductors of the data security symphony their company must play for regulators, customers, vendors and competitors,” writes Holly K. Towle of K&L Gates LLP. “A conductor who can glean — directly or indirectly through section chairs — the business, data flows and laws governing each of the sections making up the company’s orchestra has the best chance of creating the most compliant data security symphony.”

To help in-house counsel be the best conductors they can be, here are 10 steps that GCs can take to minimize data security risks, drawn from an article by LexisNexis contributors Matthew D. Dunn and Melissa J. Erwin, of Carter Ledyard & Milburn LLP:

1. Know the law

Understand the applicable laws, regulations, and guidance relating to data protection and cybersecurity by consulting with legal specialists or otherwise. Executives and board members should also have general knowledge of these matters and access to experts within or outside the organization.

2. Conduct risk assessments

Organizational risk assessments should be conducted and periodically updated. Identify and address the company’s specific cyber and data protection risks to avoid the consequences and costs associated with a data breach. GCs should know what types of data the organization has and how it is protected.

3. Ensure policies are followed

Make sure that the organization has robust cybersecurity and data protection and privacy policies tailored to the organization’s specific risk profile that are implemented and followed. Officers and directors should also be familiar with these policies. In-house counsel should educate board members on cybersecurity policies and guidelines that demonstrate reasonable information security procedures and implementation of data protection standards.

4. Build compliance culture

Build compliance into the governance structure. Consider whether the corporate board should have a committee that oversees cybersecurity and data protection issues. Consider appointing a chief information security officer, if you do not have one already. Ensure that the organization has personnel charged with implementing and enforcing cybersecurity policies and procedures.

5. Regular infrastructure audits

Review the technology infrastructure for data security and information management and ensure that it is current and updated regularly (anti-virus and anti-malware software, encryption, etc.). Obtain a report from the chief information officer or IT director. Consider requiring cybersecurity updates as part of the agenda at executive team meetings.

6. Do live-action exercises

Ensure that the organization has an adequate cyber incident response plan, and that it is updated and practiced. Organizations should conduct cyber breach exercises and penetration tests.

7. Review disclosures

For public companies, ensure that there are effective disclosure controls and procedures that enable the organization to make accurate and timely disclosures relating to cybersecurity. Ensure that public filings adequately address cybersecurity risks, policies, oversight, and incidents.

8. Assess employee training

Ensure that there is employee training and education on cyber and data protection policies and the identification of red flags.

9. Perform third-party due diligence

Conduct risk assessments of third-party vendors. Ensure that vendors with access to the organization’s data have adequate cybersecurity and privacy policies to protect such data.

10. Evaluate all insurance coverages

Review and assess insurance coverage for data breaches and cyber-related incidents and consider separate cybersecurity insurance. Review and assess whether directors’ and officers’ insurance covers cybersecurity-related liability.

The complex legal and regulatory landscape that governs corporate data security risks necessitates a smart approach to compliance and legal risk management. The GC is the corporate executive best suited for this important responsibility. For more information on how to minimize data security risks, click here to download a free Data Breach Avoidance and Response Plan Checklist.

Additional cybersecurity risk management resources, including practice notes, templates, and checklists, are available to LexisNexis subscribers.