Jennifer Archie is a litigation partner in the Washington, D.C. office of Latham & Watkins. She possesses broad investigations, litigation, and counseling experience advising clients from emerging companies to global enterprises across all market sectors in matters involving computer fraud and cybercrime, privacy/data security compliance and program management, advertising and marketing practices, information governance, consumer fraud, and employment and trade secrets. She has particular experience defending clients in FTC and state consumer protection investigations and preparing for and leading the response to complex and large-scale data breach incidents.
Christopher Skroupa: Why is it crucial for companies to establish a board priority and review of its data security?
Jennifer Archie: Boards need to build and sustain cybersecurity oversight into their overall risk and resilience strategies immediately. Data risk is an every-business risk in today’s digitized and automated corporate environments. Boards set the tone at the top and the expectations for the level of care and resources to be allocated to this particular corporate risk. The SEC, shareholders, customers, regulators, state and local consumer protection or other enforcement authorities all demand that Boards engage in active and dynamic oversight in this area. Furthermore, the needle on what is an adequate level of engagement is moving all the time. This is not a once-a-year agenda item, or a subcommittee-only sort of exercise, for most businesses. Boards need to pay particular attention to crisis preparation and response, whether outside experts have been pre-staged to deal with a data crisis, whether the insurance program is in place, whether the right management team is in place in light of the data assets and threats. Directors should have access to meaningful metrics and information about threats and incidents.
Skroupa: What should directors and officers assessing or designing plans for breach response be thinking about?
Archie: So many of the incident or crisis response plans we see are generic, almost cut and paste, with some names and phone numbers typed in. If a breach actually happens, these sorts of untested templated plans fall short and have little practical utility other than being able to tell a regulator that “yes, we had a plan.” What is useful is this: a dynamic, cross-functional crisis management plan, tailored to the company’s actual data threats, with customized points of escalation, that seamlessly bolts onto the IT group’s technical Incident Response plan, and very importantly, that has been rehearsed regularly in response to real world, non-commodity threats and scenarios, and continuously optimized rather than left on a shared drive someplace.
Skroupa: What are some ways Legal Departments in particular ought to be preparing for attacks?
Archie: The Legal Department in large enterprises in particular really would benefit from its own plan within a plan. In addition to the General Counsel and outside counsel, in a large organization, sub-specialists within the department have unique roles as well, such as running parallel privileged internal investigations to understand what happened and why (especially in insider cases), advising on risk and exposure to adverse third-party investigations or proceedings, liaising with law enforcement, conducting the dialogue with regulators or legislators, communicating with affected business partners within the bounds of prior agreements, advising on SEC reporting obligations, and many other discrete areas. Law departments ought to maintain centralized contract databases, which ideally catalogue breach-related terms on notification triggers, cooperation and reporting obligations, control, indemnity, adherence to security standards or standards of care, and the like. In complex breach scenarios, we are sometimes asked to analyze dozens, even hundreds, of vendor or customer arrangements to advise on these terms. Finally, geography matters for lawyers. We cannot stress enough the value of speaking to attorneys barred and practicing in the key jurisdictions. We have sometimes seen mistakes happen where attorneys who don’t specialize or actually practice in a given location or field advise on how to interact with regulators, what to say, and when to say it. There’s no substitute for expertise. This means law departments need to have a crisis plan that identifies whom to call outside the company for advice in important jurisdictions. Notification requirements should be collected and summarized in advance, and kept up to date, internally or through outside counsel.
Skroupa: What are some lessons learned from major breaches for the steering committees or other leaders of the crisis response, post-breach?
Archie: Data breaches are a uniquely challenging form of crisis in many ways. First, key facts change on you daily, even hourly, in terms of who was affected and how, when the attack started, whether it was avoidable through reasonable measures, and the list goes on. They are incredibly hard to scope at the outset. What seems like a terrible crisis resolves without any legal obligations to notify or any material fall-out. Or, alternatively, what seems a small HR matter mushrooms into a major insider problem, with loss of secrecy of critical company data. The best crisis response teams therefore operate in a repeating cycle, in our experience. The “Groundhog Day” strategy, we’ve dubbed it. Every day, the same questions are posed, often yielding new answers, judgments, and actions in the real world. What happened? What data is affected? Who are the external stakeholders? Are notifications required by law or otherwise advisable? What is the content of any internal or external notifications?
Skroupa: What are some data risks that companies struggle to manage well?
Archie: Getting your arms around the third-party risks – vendors and customers – is incredibly hard for most organizations. First, where do you get the manpower (expertise and hours) to properly diligence your key outsourced or hosted technology vendors who store or access payroll, sales, payments, corporate communications and other sensitive data sets? Second, there are conflicting interests and realities among procurement, legal, IT, and business units in setting the legal terms in place. The Legal Department has every good legal reason to push out strict standard security clauses to all vendors handling security data. Sometimes these form clauses are not backed up on the inside with lawyers who really understand the real-world risks and protection offered by the standard clauses, so negotiation – knowing where to compromise – is hard. In the financial and healthcare sectors, regulatory requirements or guidance mandate this. However, the providers push back on indemnity, cooperation, access to audits, notification triggers and many key clauses. These conflicts can delay even acquisition and deployment of security enhancements needed to remediate known vulnerabilities, which can be very frustrating to the IT department. In large organizations, the temptation to engage in “zero-sum” conflicts over form language can be hard to resist. A stronger approach is a teaming approach, where, for example, these objectives are surfaced on the front end (not the day before the quarter ends and the deal has to sign), and where experts on the team can distinguish which protections are material to which vendor relationships, whether the terms are in fact take-it-or-leave-it as they are in some industry sectors, and whether there are alternative means to mitigate risk (data minimization, insurance, and many others).