In comments originally published in Corporate Counsel, David Remnitz from Ernst & Young’s global forensic technology and discovery services practice and Timothy Ryan, an Ernst & Young principal in cyber investigations and forensic technology, said general counsel are increasingly becoming the “go-to” people for handling matters arising from data breaches.
“We are seeing chief legal officers and GCs involved as the nucleus, including the chief information officer, the chief risk officer in some instances, often a chief information security officer, and all the way up to the board of directors, along with outside counsel,” Mr Remnitz said.
“In breach response, like any action that carries the possibility of litigation, general counsel better be involved,” added Mr Ryan.
“I frequently say that you can either work on preparing for a breach or you can wait for one to happen, but on breach day you will be enmeshed. Unlike the old days, there is no way that a GC cannot be involved in a breach response,” he said.
Commenting on current trends in cyber security, Mr Ryan said Ernst & Young is seeing an increased awareness of “insider threats”.
“[These are] risks brought by employees, contractors and trusted partners who are misusing information or taking information through inappropriate means for inappropriate purpose,” he said.
“And we are seeing increased hacking by external groups: defacing or disabling public websites, or stealing information of value, such as medical records, intellectual property information and financial data.”
Mr Ryan noted that the company is also seeing larger breaches coming off the back of smaller, unmitigated incidents.
“There are often a series of small steps that go back months or years when the company saw something that needed fixing and it didn't get fixed,” he said.
“Regulators are constantly looking at how companies prepare for a breach.
“A breach alone is not a scarlet letter [to regulators], but failing to prepare for one is. And we're seeing that board members are increasingly concerned about not only risk to the company but also personal liability.”