How Legal Departments Can Help Define A Company’s Cybersecurity Benchmarks

December 27, 2021

This article by Tariq Akbar, LegalEase Solutions, was published on December 27, 2021 on Forbes.com

In today’s electronically driven business environment, everybody is under the threat of a cyberattack. As technology has advanced, cybersecurity has evolved from a nice-to-have functionality to an essential tool in corporations’ technical arsenals.

It is not hard to see why: Verizon’s 2021 Data Breach Investigations Report (registration required) revealed that global companies confronted 79,635 suspected cyber incident cases in 2020 alone. Of these cases, 5,258 were confirmed data breach incidents. Even law firms are not immune to these pressures, as 29% of law firms experienced at least one data security breach in 2020, according to a report by the American Bar Association. This figure is up from 26% in 2019.

As the pandemic has influenced more businesses to move their operations into the cloud, organizations will need to take the necessary steps to build up their safeguards and incident response strategies. However, companies wading through the alphabet soup that describes today’s privacy regulatory environment will find no uniform guidance on the specific standards companies should be following to protect consumer data. This lack of direction is problematic for companies, especially those that must balance multiple privacy regulations.

Consider the General Data Protection Regulation and California Consumer Privacy Act, for example. Experts have touted both as helpful barometers for companies since they represent the most stringent privacy standards on both sides of the Atlantic. However, even these supposedly similar laws have their distinct differences, including different definitions and enforceability triggers. For example, the CCPA requires businesses to honor do-not-sell requests for consumer data, while its European counterpart “does not include a specific right to opt-out of personal data sales,” according to Practical Law. Alternatively, the GDPR requires companies to obtain parental consent for all processing consent requests for minors’ data, while the CCPA mandates parental consent for personal sales of minors’ data.

My company helps law firms and corporations navigate the regulatory and compliance environment. Through this, I’ve seen that as global companies and firms balance their privacy responsibilities, many are encountering challenges in managing their liabilities in transactions and consumer data initiatives. These uncertainties have crept into service level agreement negotiations with supply chain and business partners. Today, it is not unusual for companies to sign unlimited cybersecurity liability clauses in their SLAs with business partners. It is a peculiar strategy that I’ve found is surprisingly common with tech-centered SLAs.

It is true that not all data is the same, and not all data includes the types of personally identifiable information that most data privacy laws cover. Still, I’ve observed vendors and companies often agree to assume broad liability for data and security incidents, primarily to avoid piecemeal negotiations on data security standards as their services expand. Many also agree to these clauses over uncertainties regarding the types of data they would conceivably handle for the duration of their business relationships.

In light of these clauses and tactics, what cybersecurity measures and safeguards are sufficient to ensure full protection? To answer this, we can simplify a business’s data privacy concerns into two camps. The first area is the client-side considerations that consumer data privacy laws address, while the other entails security measures for business operations. These latter measures address safeguards for securing proprietary business data, including trade secrets and confidential materials, away from the public. While there are nuances to both areas, each requires a different security approach.

Companies ultimately will need to factor in one set of standards that protects the servers hosting users’ data and another set that addresses the safety and integrity of their IT systems and business information. Therefore, companies will need to weigh different minimum requirements, reliable confidence levels and baseline capabilities when protecting data from internal and external liabilities.

Fortunately, the legal function can work in tandem with a company’s compliance and IT departments to benchmark their organization’s safeguards and cybersecurity capabilities. The questions they will ultimately need to address can be boiled down to the following:

  1. What compliance requirements should the enterprise be following?
  2. Are there applicable agency certification procedures that can help guide the organization’s security initiatives?
  3. How can the company limit its liability to other partners?

Ultimately, general counsels do not need to get too involved with implementing and auditing the company’s actual safeguards and protocols. Compliance should be working with IT to ensure all internal processes and safeguards are compliant with applicable regulations. However, these departments’ jobs should not extend to determining how the company controls and manages its liability to vendors and clients. That responsibility will fall to legal.

GCs can pursue several strategies in their negotiations regarding delegating and relegating risk. The first step will be to work out the answers to some simple but essential questions: How will the parties define the terms “data,” “PII” and “breach”? Comprehensive limitation of liability clauses will not necessarily be appropriate, as electronically stored trade secret data would be entitled to different protections than a consumer’s PII. GCs and their outside counsel should ideally hold internal discussions and pursue open dialogues with their business and supply chain partners. As they do so, they should gauge what data they will be handling, how parties will be interacting with this data and the risk profiles tied to this data. From there, legal can develop playbooks to establish baseline security standards that cover the company’s interests.

Some examples of tactics GCs might consider include:

  • Accepting liability in low-risk breach scenarios.
  • Requesting different liability standards for different types of data.
  • Limiting liability to notification costs as opposed to all losses.
  • Mandating that liability would only accrue if the company failed to take certain precautionary measures or install specific safeguards.
  • Limiting pass-through indemnification and liabilities dependent on third-party vendor activities.

Once legal has solidified its strategy and weighed all possible security considerations and regulations, it can then consult with compliance and IT on ways to bring the organization’s data security and cybersecurity safeguards into compliance.

Until global governments and industries agree on baseline standards that all companies can follow, it is up to company leaders to drive privacy standards. Here, legal is in a prime position to make an impact.

Tariq Akbar,
Chief Executive Officer, LegalEase Solutions tariq.akbar@legaleasesolutions.com