Legal Jeopardy: Whose Risk Is It?

SPEAKERS Jason Straight Chief Privacy Officer and Senior Vice President Cyber Risk Solutions at UnitedLex Patrick Manzo Executive Vice President, Global Customer Service and Chief Privacy Officer at Monster Worldwide Michael C. Miller Executive Vice President, General Counsel and Secretary at Monster Worldwide 2

If You Think Cybersecurity Risk Is Not a Significant Issue for Your Company… THINK AGAIN. 3

What industries had the most confirmed, publicly disclosed breaches in 2014? – Public agencies (303) – Financial services (277) – Manufacturing (235) – Accommodation (223) – Retail (164) – Professional Organization (146) – Healthcare (141) 4

What are the security improvement priorities of companies that have experienced a breach? 1.Endpoint Security 2.Employee training 3.Expanded use of encryption 4.Adding manual procedures and security controls 5.Implementing Data Loss Prevention solution 5

OGC Must Play a Key Role in Managing Cyber Risk, from Risk Assessment through Incident Response 6

Name the top reasons that the general counsel's office must be involved in managing cyber risk? – To identify key business risks relating to specific types of sensitive data – PII, PHI, IP (including trade secrets) – To determine what constitutes a "defensible” security control – OGC has a deep understanding of how risk might be affected by an evolving business strategy – OGC has knowledge of third-party relationships and insider risks – To protect the ability to assert a/c privilege and work product protection over cyber risk management activities – To serve as the primary conduit between the incident response team and the executives/board 7

Name the top challenges with establishing OGC’s role in managing cyber risk? – Cyber security still largely viewed as “an IT problem” that should be managed by CIO/CISO – Legal slows down decision-making in an area that requires agility and rapid response – Lawyers lack the technical background to understand risk and mitigation options – Lawyers consulted only on compliance and regulatory issues rather than as advisor on business risk 8

What are the top factors that will reduce the cost of a breach? – Strong security posture – Incident Response Plan in place – Business Continuity Management involvement – Have a CISO 9

OGC’s Role in Educating the Executive Team and Board of Directors 10

What are the key questions counsel should seek to answer through a risk assessment? – What are the critical assets that are most important to protect? – What are the biggest threats to those assets? – What would the legal and business impact be if those assets were compromised? – What are the most effective ways to improve our risk posture? 11

What are the primary ways counsel can contribute to the risk assessment process? – Identifying critical data assets – Anticipating and defining regulatory and compliance obligations – Determining what constitutes a "defensible" security control – Understanding the broader threat environment – Deep understanding of how risk might be affected by an evolving business strategy 12

Name the best arguments for DEFEATING the assertion of privilege protection over a risk assessment. – Assessment not conducted "in anticipation of litigation" – Recommendations in risk assessment report are business advisory not legal advice – Legal may be involved but is not truly directing RA efforts 13

What are the biggest problems with having CISO report to CIO? – Conflict of interest between primary role of CIO (availability and integrity) and CISO (security) – Lack of focus on security in favor of responsibilities viewed as more "important" to the business – Lack of segregated and protected security budget may lead to shift of resources over course of year 14

What should be the board’s role in overseeing cyber risk management? – Must have an accurate and up to date view on the company’s cyber risk profile – Should understand how cybersecurity budget is allocated – Should understand the company’s incident response protocol and determine the point at which the board should be informed of an incident – Board should regularly assess the effectiveness of the company’s cyber risk governance structure 15

What are the top reasons that the GC should direct the IR process? – To help anticipate and manage potential legal/regulatory issues arising from an incident – To protect the ability to assert a/c privilege and work product protection over IR activities – To control internal and external communications in a risk-averse manner – To serve as the primary conduit between the IR team and the execs/board 16

What are the top reasons that the GC should NOT direct the IR process? – Too slow to make decisions – Don't understand the technical aspects of an incident – Not comfortable with the uncertainty and evolving understanding of the facts – Too quick to jump to conclusions 17

What do you fear most in the event of a breach? – Federal agencies (FTC, SEC, DOJ) – State Ags – PCI Council – Civil lawsuits – Reputation damage/customer churn 18

What should you do when you go back to your offices this week? 19

Conclusion Take your CIO/CISO to lunch and talk about the “defensibility” of your company’s cyber risk posture. Review your company’s incident response plan and make sure you are comfortable with counsel’s formal role in the process. Make sure you have ready-access to outside counsel and/or other experts who can help in the event of a cyber incident Check your insurance coverage Ask your executives and board if they are comfortable with the degree of visibility they have into cyber risk issues 20