An important responsibility of the governing board is to work with the CEO to assure proper coordination of the various roles and responsibilities of members of the senior executive leadership team, in order to prevent confusion, gaps in leadership and internecine controversy. An important new survey provides guidance on how the board and CEO should assign executive responsibility for data breach compliance.

The new survey, conducted jointly by the insurance analytics company Advisen and insurer Zurich North America, concludes that since cyber risk is more frequently viewed as an enterprise-wide issue, departments such as general counsel and risk management are now taking on larger roles in responding to data breach issues. The survey references the importance of compliance with all applicable federal, state or local privacy laws arising in connection with a data breach event. While it notes that in previous years the IT department was primarily responsible for maintaining such compliance, that responsibility is shifting as cyber risk has increasingly become an executive- and board-level concern, as well as an enterprise-wide focus.

Notably—and for the first time in the survey’s history—the office of general counsel is cited as the department most frequently responsible for assuring compliance with all applicable federal, state or local privacy laws, including state breach notification laws. The survey observes that the importance of compliance is represented in the increased role of general counsel and demonstrates the influence of regulation and heightened awareness of the legal issues that result from a data breach.

Management and board leadership are often called to make time-sensitive decisions with respect to executive responsibility in the context of vital corporate matters and crisis circumstances. It is important that those decisions are made on an informed basis. While a traditional conclusion might be that the CIO or other senior IT executive should be the executive directly in charge of the data breach response team, the new Advisen/Zurich survey serves as compelling evidence of the benefits attributed to greater general counsel participation in the work of that response team. Such greater general counsel participation is also consistent with the broader roles and responsibilities increasingly assigned to the general counsel—not simply technical legal advisor, but also valued business partner to management and leading advisor on organizational ethics and reputation.