By: Karmen Fox, web content editor of ACC Docket

Data breaches are an imminent threat to all companies, no matter the industry. The fear of being hacked is ever-present for in-house counsel. In fact, the ACC Chief Legal Officers 2017 Survey found that the risk of data breaches and protection of corporate data keep 66 percent of CLOs awake at night.

To help in-house counsel rest easy, ACC hosted the “General Counsel’s Role in Cybersecurity Preparedness and Legal Liability from Cybersecurity Exposure” at the 2017 ACC Annual Meeting. The 90-minute session discussed various methods to prevent breaches, and how to respond if one does occur.

The panelists included Melloney Douce, general legal counsel, Rolta AdvizeX Technologies, LLC; William Hochul, general counsel, Delaware North Companies, Inc.; Jennifer Mailander, senior counsel, director, policy & compliance, comScore; and Patricia Mortensen, former general counsel, Franchise Services, Inc.

Monitoring data

Organizing and monitoring your company’s data are critical to preventing a hack. However, not all prevention plans are created equal.

Avoid a “one size fits all” approach, Douce warned. Instead, she recommended, “train only the people who need to be trained on cybersecurity, so that access to the data is limited.”

As for data, the IT and legal departments must monitor customers’ or clients’ information daily. Douce stressed:

“You should know what data you’re storing, where you’re storing it, and why you’re storing it. That way, if a breach occurs, you know what could potentially be at risk.”

What’s more, Douce pointed out that you should remove the data you don’t need. Keeping nonessential data puts more information at risk, exacerbating the breach and possible negative press.

Build a prevention and response team

One department alone cannot prevent a breach. Instead, protecting your company’s data requires building a strong, interdepartmental prevention and response team. The foundation of this team depends on the trust and communication between the legal and IT departments. “If you’re a GC, you should get to know the head of the IT department, as well as people who work in the day-to-day,” said Douce.

IT isn’t the only department that should be involved in the prevention and response team. Mailander recommends “meeting with the leads of the IT, operations, and sales departments,” in order to determine who has access to phones and computers, as these are all vulnerable access points for hackers.

According to Mortensen, your internal response team must also include your company’s PR department. These employees should be prepared to speak with the media in case of a breach. If your company doesn’t have a PR department, hire a PR firm.

Law enforcement

Mortensen urged that if “more than 500 personal records are compromised,” then you must contact law enforcement, beginning with the local police department. If they are unable to help, then contact your local FBI branch or — depending on the severity of the breach — the Department of Homeland Security.

Getting the board on board

Although bolstering a company’s cybersecurity is a necessary investment, some board members are wary about the cost.

Mailander affirmed that this is a critical investment for modern companies. “If you’re a tech company, your customer’s data should be top priority,” Mailander said. “In fact, we are all technology companies today.”

Companies that touch their customers’ or clients’ data must create a data breach plan. Otherwise, the cost of fixing the breach — and the loss of customer or client trust — will outweigh the initial investment.

For further reading, download ACC’s White Paper on “What Every GC Needs to Know About Third Party Cyber Diligence.”