Proactive risk management is a dynamic, multifaceted opportunity for companies of all sizes. In the cyber realm, the core issue is typically calibrating security investment to match properly identified threats and vulnerabilities. This requires a holistic view drawn from key stakeholders across departments and disciplines, and it warrants tough debate on enterprise priorities and resources. Companies rarely get it 100% right. But they improve their chances through structures and processes that account for the critical interplay between governance (input and accountability), operations (practical business considerations and capabilities), and controls (technical, physical, and administrative), in that order.
At the end of the day, the goal is clear: to appropriately assess and mitigate risk to the enterprise and its key stakeholders. Unfortunately, that risk increasingly includes the potential for enforcement by a regulatory agency and/or the plaintiffs’ bar. Nearly every U.S. state and federal agency has cyber at the top of its agenda. And statutes such as the California Consumer Privacy Act of 2018 [1] portend a next generation of laws that will inject statutory breach damages into the mix, ostensibly eliminating the need to show any actual harm to consumers, similar to other statutes with unbalanced punitive consequences like the TCPA. [2] Substantial fines and penalties, brand and reputational damage, and a host of other liabilities, including for directors and officers, are squarely on the table for the foreseeable future.
Against this backdrop, there is no “easy button” to push—but there are certainly some easy wins. And while there is no such thing as perfect security, there are some steps that make perfect sense. Our hope is that shared, common experiences and insight might help lawyers to positively influence the management and mitigation of cyber risk. In that regard, this article offers some lessons learned from the trenches in the form of seven actions that can help your company down the road.
Cyber risk is constantly evolving, intensifying the enforcement risk that companies face from both regulators and private litigants. As lawyers are increasingly involved in proactive risk management, our hope is that at least some of the “easier” wins discussed in this article allow counsel to add value to the process. Of course, there is never enough time, enough money, or enough people to do everything. But prioritized, targeted work holds the best potential for mitigating cyber risk for the enterprise and its stakeholders.
This article has been published in PLI Current: The Journal of PLI Press, Vol. 3, No. 2 (Spring 2019), https://www.pli.edu/PLICurrent
A version of this article has been published in the Course Handbook for PLI’s Twentieth Annual Institute on Privacy and Data Security Law.
[1] The CCPA provides that any consumer whose non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure due to security failures on the company’s part can sue “to recover damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater.” CAL. CIV. CODE § 1798.100 et seq. (private right of action at § 1798.150(a)(1)).
[2] The Telephone Consumer Protection Act (TCPA) provides a private right of action for “actual monetary loss from such a violation [or] $500 in damages for each such violation, whichever is greater.” 47 U.S.C. § 227(b)(3) (also providing for trebling of damages if a court finds willful or knowing violations).