Jennifer Archie is a partner in the Litigation Department of the Washington Office of the global law firm of Latham & Watkins LLP. She has practiced at the firm since 1989. She has extensive litigation, enforcement, and compliance experience on a wide range of privacy and data security matters, including leading responses to complex data breach incidents or government investigations for global professional services, technology or online services, financial services, retail/consumer, and health care organizations.
Christopher Skroupa: What are some key trends or best practices over the last six months in corporate governance in the area of cyber resilience or breach readiness?
Jennifer Archie: First, customizing written data breach response plans to a company’s own structure, operations and even politics is absolutely critical, and cannot be accomplished successfully without hands-on, ground-floor engagement by board members, and the law department. Second, boards and legal advisors need to become more literate, indeed fluent, in the material information security risks for that company. By that I mean, that even these non-technical stakeholders need to know the basics: What is information security, i.e., confidentiality, availability and integrity of data? What are the company’s core digital assets? What are the major threats to the security of those assets? What administrative, physical and technical controls are in place to mitigate those threats? Third, these and other non-IT stakeholders should be testing the written response plans in dynamic, customized table top exercises where responses to realistic, worst case scenarios are rehearsed and discussed.
Skroupa: Why is it important to have the general counsel involved in the response to any major data security incident?
Archie: As you start dealing with potential breaches, you also have to think about what you need to do in anticipation of the legal proceedings that often follow on the heels of these breaches. Today, lawyers for large enterprises must assess and advise on complex multi-jurisdictional notification, investigation, litigation and remedial issues that arise following a major data security incident. Legal advisors play an integral role after a breach in areas such as preserving evidence for criminal, regulatory, or other proceedings, directing the forensic investigation, pursuing insurance claims, and advising on mandatory or voluntary notices to affected parties, regulators or media. Legal advisors should serve a central role in project management following a data breach.
Skroupa: How has the role of legal advisor changed?
Archie: The legal risks associated with data security are growing exponentially, and the legal advisor’s role must not be marginalized; it should be front and center in terms of project management. When a data breach occurs, contracts with customers and vendors have often allocated that liability. Written agreements may also impose expectations explicitly or implicitly as to how the incident will be handled and how the financial consequences of the incident, both direct and indirect, will be allocated up and down the chain of affected parties. In the future, legal counsel must be as much a part of the team as any other member.
Skroupa: What kinds of threats do companies need to prepare for?
Archie: Incidents range from unauthorized network intrusions with unknown impact, to massive disruption or denial of the availability or integrity of data, to large-scale theft of corporate trade secrets or consumer data. More and more what you have is foreign governments taking over the networks of the most benign companies to gather information, so that it will be available down the road. This is something that most general counsel don’t think about and yet that’s what we are seeing more often.
Skroupa: What about threats that develop within the company?
Archie: Inside the company you can have malicious actors who have exceeded the expected parameters of their privileges; these are privileged individuals who have been trusted with access and misused the trust, for example, by passing trade secrets to a competitor. Many breach notifications and resulting consequences arise from mislaid documents, laptops, removable media and mistakes that happen while administering expected IT functions, such as changing out a server. Hackers can be in the headlines but your legal headaches will more likely arise from mislaid or mishandled data — the loss of privacy, confidentiality, integrity or availability of those documents can be deemed a very significant issue.
Serhat Cicekoglu, Director of Loyola University Chicago Quinlan, Center for Risk Management adds: “Recent incidents reveal again that company response to emerging cyber threats requires a multi-disciplinary and well-orchestrated action plan. General counsel and legal expertise play a significant role in this team effort, especially in helping boards set policy and investment in next level company resilience. It will not only defend the enterprise. It will also help to protect the future of it as well. Companies may want to consider how to best integrate legal counsel into proactive measures needed to be effective in building company resilience.”
On October 14, 2014, Loyola University Chicago, Quinlan School of Business, Center for Risk Management will host its first Executive Dialogue Series seminar program on Resilience—Big Data and Cyber Security. Continue the discussion with Jennifer Archie, Serhat Cicekoglu, Director of Quinlan’s Center for Risk Management, and a select group of 25-35 company executives and internationally renowned experts on resilience. To inquire about attending contact firstname.lastname@example.org.