Speaking at the Governance Institute National Conference in Melbourne in December, a panel of legal and governance professionals explored the role of a company’s legal counsel in the event of a cyber breach.
Dottie Schindlinger, a governance technology evangelist at Diligent Corporation in the US, told the audience: “There’s a statistic that says that when you have a breach, generally speaking it’s an average of nine months before you discover that there’s a breach,” Ms Schindlinger said.
“It can take some time to understand the full scope of the breach and what’s really happened and who’s affected, and you certainly don’t want to frighten customers whose information hasn’t been touched.
“Meanwhile, you may have to be co-ordinating with law enforcement, who may be putting pressure on you not to disclose that there’s been a breach until such time as they’ve done their investigative work, and you may also be required to disclose on a certain timeline based on various regulatory requirements, so you’re very much in the middle, you’re pinched, and I think the best way to prepare for all of this is to practise: have a plan, go through the process of doing some audits around current security practices, have a good policy in place, and make the board practise.
“Have a tabletop exercise at least once a year on what will happen when there’s a breach. It’s not an ‘if’, it’s a ‘when’. Just assume it’s going to happen and prepare and get all your ducks in a row.”
As their purview increasingly extends beyond pure legal work, in-house counsel are becoming central to companies’ cyber security strategies. Ms Schindlinger said it is vital that they ensure the directors understand that cyber security is more than just an issue for the IT department.
“Let’s say we send something to our directors via email: no one in that chain of communication may even know how many different places that information is now actually stored,” she said.
“For example, if a director has a phone and has an iPad and has a computer, and has read that email on all three devices, there are now potentially copies of that same document on all three of those devices, and yet if the customer, whose data is in that document, wants that to be recalled or wants that to be destroyed, how can we actually know whether or not we’ve done a good job of that?
“That’s just one really simple example, but I think what happens with directors is that we need to provide them with a bit more training, coaching and support so that they can be prepared to ask the right questions.”
– Whit Lee, executive director, strategy and legal software solutions, LexisNexis Asia-Pacific
– Susan Bennett, principal, Sibenco Legal & Advisory; director and co-founder, Information Governance ANZ
– Dottie Schindlinger, governance technology evangelist, Diligent Corporation
– Brian Ferreira, vice-president – executive programs ANZ, Gartner