In recent years, the Federal Trade Commission (FTC) has increased its cyber-efforts to hold companies accountable for data breaches. On December 12, 2013, FTC Chairwoman Edith Ramirez promoted the idea of a new federal cyber-law that would require companies to notify consumers in the event of a data breach. Ramirez also wants the FTC to have the authority to impose civil penalties on non-compliant companies.
This indication of greater federal government oversight and enforcement only heightens the already high legal and operational risks imposed on U.S. companies in the area of cybersecurity. According to a recent study, the average cost of cyber-attacks to 60 major U.S. companies equaled $11.5 million in 2013, up 26 percent from 2012.
The FTC’s efforts come on the heels of the Administration’s efforts to promote robust cybersecurity standards. The Cybersecurity Framework, mandated by Executive Order 13636, is scheduled to be released in final, “first-version” form in February 2014 as a voluntary, private-sector-led initiative.
Companies, and general counsel, should review the following on an annual basis to reduce the risk of civil and criminal fines and lawsuits:
Data breach preparedness and response plans: should include enterprise-wide (including legal) involvement and be up-to-date with federal, state, and international cyber laws
Supply chain and business partner agreements: should include cyber-provisions, such as indemnification from cyber lawsuits and fines, and audit rights over a business partner’s cyber-strength to ensure the company’s trade secrets and consumer data are protected
Due diligence checklists: should include cybersecurity considerations so the company is aware of risks that may be inherited through acquisitions
These considerations highlight only a handful of areas that should be reviewed in light of increased cybersecurity oversight, and the associated operational and legal costs and risks.