Stopping a Hack: How to Prevent and Respond to a Data Breach

Data breaches are an imminent threat to all companies, no matter the industry. The fear of being hacked is ever-present for in-house counsel. In fact, the ACC Chief Legal Officers 2017 Survey found that the risk of data breaches and protection of corporate data keep 66 percent of CLOs awake at night.

To help in-house counsel rest easy, ACC hosted the “General Counsel’s Role in Cybersecurity Preparedness and Legal Liability from Cybersecurity Exposure” at the 2017 ACC Annual Meeting. The 90-minute session discussed various methods to prevent breaches, and how to respond if one does occur.

The panelists included Melloney Douce, general legal counsel, Rolta AdvizeX Technologies, LLC; William Hochul, general counsel, Delaware North Companies, Inc.; Jennifer Mailander, senior counsel, director, policy & compliance, comScore; and Patricia Mortensen, former general counsel, Franchise Services, Inc.

Monitoring data

Organizing and monitoring your company’s data are critical to preventing a hack. However, not all prevention plans are created equal.

Avoid a “one size fits all” approach, Douce warned. Instead, she recommended, “train only the people who need to be trained on cybersecurity, so that access to the data is limited.”

As for data, the IT and legal departments must monitor customers’ or clients’ information daily. Douce stressed:
“You should know what data you’re storing, where you’re storing it, and why you’re storing it. That way, if a breach occurs, you know what could potentially be at risk.”
What’s more, Douce pointed out that you should remove the data you don’t need. Keeping nonessential data puts more information at risk, exacerbating the breach and possible negative press.

Build a prevention and response team

One department alone cannot prevent a breach. Instead, protecting your company’s data requires building a strong, interdepartmental prevention and response team. The foundation of this team depends on the trust and communication between the legal and IT departments. “If you’re a GC, you should get to know head of IT department, as well as people who work in the day-to-day,” said Douce.

IT isn’t the only department that should be involved in the prevention and response team. Mailander recommends “meeting with the leads of the IT, operations, and sales departments,” in order to determine who has access to phones and computers, as these are all vulnerable access points for hackers.

According to Mortensen, your internal response team must also include your company’s PR department. These employees should be prepared to speak with the media in case of a breach. If your company doesn’t have a PR department, hire a PR firm.

Law enforcement

Mortensen urged that if “more than 500 personal records are compromised,” then you must contact law enforcement, beginning with the local police department. If they are unable to help, then contact your local FBI branch or — depending on the severity of the breach — the Department of Homeland Security.

Getting the board on board

Although bolstering a company’s cybersecurity is a necessary investment, some board members are wary about the cost.

Mailander affirmed that this is a critical investment for modern companies. “If you’re a tech company, your customer’s data should be top priority,” Mailander said. “In fact, we are all technology companies today.”

Companies that touch their customers’ or clients’ data must create a data breach plan. Otherwise the cost of fixing the breach — and the loss of customer or client trust — will outweigh the initial investment.

About the Author

Karmen Fox is the web content editor of ACC Docket.
