Well, this is unsettling – the person responsible for the massive data breaches at Yahoo was its general counsel? CorporateCounsel speculates about what this means for in-house counsel: are their jobs at risk over cybersecurity? And I wonder – what if a company does not have in-house counsel, or has turnover in IT? Who else will be held accountable for data breaches?
Various privacy laws are potentially applicable to businesses, employers and sponsors of employee benefit plans, not the least of which is the Health Insurance Portability and Accountability Act (HIPAA). While the specifics of the laws vary, certain basic principles apply across the board. One key principle is that security incidents do not arrive packaged with a pretty bow and a notice stating “hundreds of millions of your user accounts were just affected.” Incidents can appear innocuous or minor until fully investigated, and it may be challenging to draw distinctions between business decisions and legal decisions. The committee that reviewed the Yahoo matters concluded that the relevant legal staff had sufficient information to warrant substantial further inquiry, but failed to do so. Subsequently, the general counsel resigned.
Anyone who could possibly be held accountable for the handling of data breaches should be asking tough questions about data security practices and procedures, including the incident response plan. Don’t know what an incident response plan is, or who is responsible for it? It’s time to find out. It costs a lot less to work with your privacy and data security attorneys to establish good practices and procedures than it does to deal with the aftermath of a hack and an insufficient investigation, and your job may depend on it.