Cybersecurity risk management requires proper due diligence on the company's cybersecurity program. This matters because the company's executives owe a fiduciary duty to their shareholders and customers. In other words, a manager or director should take every reasonable measure to protect the company's intellectual property, trade secrets, and other sensitive or confidential information. A claim or cause of action for breach of fiduciary duty can seriously hinder business operations and should be avoided.
We recommend properly assessing internal and external threats, such as disgruntled employees or third-party contractors who were given access to the computer network. It is entirely possible for a disgruntled employee to plug a flash drive carrying malware into a server and disrupt operations. Therefore, it is important to have the right security measures implemented on the network. For example, our cybersecurity lawyers recommend installing an Intrusion Detection System ("IDS") to detect unauthorized access to sensitive or confidential files. Because such monitoring can implicate employees' workplace privacy rights, it is important to review and understand the state and federal laws governing workplace monitoring, which shape the legal rights and responsibilities of both employers and employees. In fact, companies that fall under the definition of "critical infrastructure" organizations pursuant to Executive Order 13636 should consider implementing insider threat programs as a precautionary measure.
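As an added illustration of what the file-access and removable-media monitoring described above looks like in practice (this is example code written for this page, not a product or the firm's own tooling), the following Python script applies three insider-threat rules to a small, constructed log: reads of protected files by accounts that are not on the allow list for that directory, copies of protected files onto removable media even by authorized users, and USB mass-storage mounts on servers where none should ever occur. The JSON-lines log format, host names, paths, and user names are all hypothetical, invented for the example.

```python
import json
from dataclasses import dataclass

# Protected directory trees and the accounts allowed to touch each one.
# Hypothetical paths and user names, constructed for this example.
AUTHORISED = {
    "/srv/legal/": {"counsel1", "counsel2"},
    "/srv/hr/": {"hr-admin"},
    "/srv/trade-secrets/": {"rd-lead"},
}
# Servers on which no removable media should ever be mounted (hypothetical host names).
NO_REMOVABLE_MEDIA_HOSTS = {"fileserver01", "db01"}
# Mount points under which removable media typically appears on Linux desktops.
REMOVABLE_MOUNT_PREFIXES = ("/media/", "/run/media/")

# Constructed sample log: one JSON object per line in a simplified, made-up schema
# (ts, host, user, event, path, dest, device). This is not any real product's format.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:01Z", "host": "fileserver01", "user": "counsel1", "event": "file_read", "path": "/srv/legal/merger.docx"}
{"ts": "2024-03-01T09:05:12Z", "host": "fileserver01", "user": "contractor7", "event": "file_read", "path": "/srv/trade-secrets/formula.pdf"}
{"ts": "2024-03-01T09:07:40Z", "host": "fileserver01", "user": "jsmith", "event": "usb_mount", "device": "/dev/sdb1"}
{"ts": "2024-03-01T09:10:03Z", "host": "ws-42", "user": "counsel2", "event": "file_copy", "path": "/srv/legal/board-minutes.pdf", "dest": "/run/media/counsel2/USB/board-minutes.pdf"}
{"ts": "2024-03-01T09:11:55Z", "host": "ws-42", "user": "jsmith", "event": "file_read", "path": "/home/jsmith/notes.txt"}
{"ts": "2024-03-01T09:12:30Z", "host": "ws-42", "user": "jsmith", "event": "usb_mount", "device": "/dev/sdc1"}
this line is not JSON and must not crash the detector
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    detail: str


def sensitive_root(path):
    """Return the protected tree that `path` falls under, or None if it is not protected."""
    for root in AUTHORISED:
        if path.startswith(root):
            return root
    return None


def detect(log_text):
    """Run the three rules over the log; return (alerts, number of unparseable lines)."""
    alerts, malformed = [], 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            malformed += 1  # never let a bad record stop monitoring; count it instead
            continue
        ts, host, user, event = (ev.get(k, "?") for k in ("ts", "host", "user", "event"))
        if event in ("file_read", "file_copy"):
            root = sensitive_root(ev.get("path", ""))
            # Rule 1: access to a protected file by an account not on that tree's allow list.
            if root and user not in AUTHORISED[root]:
                alerts.append(Alert(ts, host, user, "unauthorised_sensitive_access", ev["path"]))
            # Rule 2: protected file copied onto removable media, even by an authorised user.
            if root and event == "file_copy" and ev.get("dest", "").startswith(REMOVABLE_MOUNT_PREFIXES):
                alerts.append(Alert(ts, host, user, "sensitive_copy_to_removable_media", ev["dest"]))
        # Rule 3: removable media mounted on a server where it is never expected.
        elif event == "usb_mount" and host in NO_REMOVABLE_MEDIA_HOSTS:
            alerts.append(Alert(ts, host, user, "removable_media_on_server", ev.get("device", "?")))
    return alerts, malformed


if __name__ == "__main__":
    found, bad = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.host} {a.user}: {a.rule} ({a.detail})")
    print(f"{len(found)} alert(s), {bad} malformed line(s)")
```

On the sample log this raises three alerts: the contractor reading a trade-secret file, the USB mount on the file server, and the authorized lawyer copying a legal document onto a USB stick; the ordinary workstation USB mount and the read of a home-directory file are ignored. Note that the detector records only who touched which protected path or device, not file contents or general browsing, which keeps the collected data proportionate to its purpose; whether even that level of monitoring requires notice to employees is exactly the workplace-monitoring question the paragraph above says counsel should review.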
We recommend an enterprise risk assessment program that involves both cybersecurity experts and lawyers. These technical and legal experts should join forces to establish a program that addresses the key issues, e.g., data privacy, data protection, insider threats, and breach notification protocols. It is important to have a plan in place before a "cyber incident" occurs so that the key players already know their responsibilities; when an incident takes place, everyone then follows a preexisting protocol. Moreover, having access to a cybersecurity attorney is crucial to meeting the company's legal and ethical responsibilities. Our law firm advises its clients regarding the relevant state, federal, and international rules and regulations, as we have the necessary background and expertise in internet, technology, and cybersecurity law.
We work with computer and information technology experts who have the experience needed to advise our clients on cybersecurity programs, and the working relationships we have established with them allow us to assist clients in implementing or evaluating those programs. For example, it is important to consider previous cyber incidents when conducting due diligence, so that the company and its executive officers understand the nature and extent of the incidents that have affected other companies. We believe that with experience comes invaluable knowledge and expertise. Our cybersecurity lawyers communicate with computer and information technology experts on a regular basis to stay current, which helps our clients avoid sanctions from government regulators and agencies.
There have been significant changes in cybersecurity rules and regulations. State and federal legislators are challenged to keep up with technological advancements and to learn their impact on existing regulatory schemes. One problem, for example, is that the laws are not uniform across jurisdictions, which can cause confusion. Therefore, it is important to speak with legal counsel who knows and understands both the legal and the technical issues.
Moreover, state and federal government agencies, e.g., the FTC and SEC, are focusing more on cybersecurity. We always recommend carefully reviewing the company's insurance policies. It is also important to avoid unlawful or unauthorized disclosure of private or confidential information to third parties, and to disclose cyber risks accurately; in 2019, for example, Facebook paid $100 million to settle SEC charges that it had misled investors about the risk that users' personal information had been misused by a third-party company.