Eyebrows went up to hairlines in many corporate suites at the news of Yahoo’s respected general counsel, Ron Bell, losing his job over a cybersecurity breach. Based on the news accounts, this may be another instance where the “cover-up is worse than the crime.” Not literally, of course, but one can only ponder a different outcome if the massive data breaches that occurred at Yahoo in 2013 and 2014 had been disclosed in a more timely manner and better managed by the company counsel.
In-house counsel in every corner of our economy should be concerned about how to avoid the same fate. My own ruminations include a Groundhog Day-themed mental track that prompts me back to 2014 and the high-profile Target and Sony attacks that led to executive ousters. Those breaches gave the initial warning that we as a legal community must be prepared for our companies to respond to a cybersecurity attack. If at this point in the decade a company flubs its response to a data breach, arguably the responsibility does lie at the feet of the G.C., or worse, the board.
The good news is that as in life, so in work – preparation is key. The general counsel can and should be pursuing with and for its board a response plan specifically geared to a cybersecurity breach. This plan should be prepared in close coordination with the information technology and security teams, as well as with input from the insurance experts. Every company has its own unique needs based on its industry; a public utility and a public university are going to have very different consequences of a cybersecurity breach, and the key players and response may therefore differ. There are, however, many ways in which these response plans should resemble one another. A thorough plan will live beside a company’s “Crisis Response Plan” and integrate the “Crisis Teams” with clearly defined roles for all teams and individuals. Stages of an incident should be delineated, and a thorough response plan should include potential legal notification requirements.
Some of the best resources I found in my time as general counsel when drafting our cybersecurity response plan with our I.S. and insurance teams were publications by the Department of Homeland Security, specifically the guidance document on the Cybersecurity Information Sharing Act of 2015 (CISA) and the U.S. DOJ’s “Best Practices for Victim Response and Reporting of Cyber Incidents.” Additionally, much commentary was written post-Target that was incredibly insightful and helpful.
No response plan once drafted, however, is worth its salt if it is not drilled. As with any other crisis management response, a response for a specific cybersecurity breach is going to be better executed if it is one the key players have practiced. The expense of a good public relations team and a crisis consultant is not too much to consider to protect the net value of your entity. Depending on your circumstance, consideration should be given to whether you have these entities hired by outside counsel in order to protect the work product. You want to know your organization’s weaknesses in a drill so as to protect against them in an actual crisis. These same weaknesses once exposed, however, need to be shielded from future plaintiffs’ counsel.
There is no doubt general counsels and boards of directors are now expected to be prepared for a cybersecurity breach. If the breaches of 2013 and 2014 with all of their attendant fallout did not create the impetus to act, let Ron Bell’s dismissal be your siren song to be prepared for a cyberattack – for the protection of your customers, shareholders and your own ’hind.
This alert was written by Jane Lewis-Raymond when she was a partner at the firm.