Companies Up Cyber Spending But Many Shy From Enforcers

Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...

By Che Odom

Dec. 9 — Though companies are increasing their spending on cybersecurity, not all are likely to reach out to law enforcement when there is a breach.

That's according to a survey conducted by the Association of Corporate Counsel (ACC) and attorneys who practice in the area of cyber threats.

“Many companies may not appreciate that law enforcement is there to help—not only that company but the greater industry,” Shawn Cheadle, attorney for Lockheed Martin Space Systems Inc. and chair of ACC's information governance, told Bloomberg BNA in an interview Dec. 9.

“The State of Cybersecurity Report,” released Dec. 9 by ACC, polled more than 1,000 in-house counsel at 8,887 organizations in 30 countries. Over half of the respondents said that their companies had increased their spending to protect against cyber breaches. One-third said that their companies had experienced a data breach, and employee error was the most common reason for breaches, the report said.

Retailers Tap Law Enforcement

Corporate lawyers in the retail industry are most likely to report that they proactively collaborate with law enforcement or other government agencies to address cybersecurity risks, the report said.

Philip N. Yannella, partner in the Philadelphia office of Ballard Spahr LLP who helped draft the report, told Bloomberg BNA by e-mail Dec. 9 that retailers may appear more willing to report collaborating with law enforcement because the industry has been most heavily targeted by hackers.

“These companies have faced public criticism over their failure to report the data breach earlier,” he said. “By reporting that they are working with law enforcement agencies, companies may be hoping to allay concerns that the company was somehow sitting on its hands while the customer data was being potentially misused when, in fact, they were actively working with law enforcement to identify the cause of the breach.”

Why Not Report?

Many incidents may not rise to the level at which companies feel collaboration with law enforcement is necessary, Yannella said.

If the breach has indicia of criminal activity or a “suggestion that a state actor may be involved,” then companies are more likely to contact the government, he said.

In fact, reporting to law enforcement could, in certain cases, create an impression that the breach is more serious than it really is, he added.

“Consider, for example, a company which is contacted by law enforcement and told that known state actors may have been attempting to penetrate the company's firewalls and access proprietary information,” he said. “That company might be reluctant to report the collaboration with law enforcement if the malicious conduct was unsuccessful and didn’t trigger any regulatory reporting.”

Government Can Help

Government agencies, such as the FBI, can provide a great deal of help to a corporation that finds itself with a significant breach on its hands, so companies should give careful consideration to asking for assistance, Cheadle said.

“Law enforcement can bring tremendous forensics and skilled personnel adept at following hacks and data breach paths,” he said. “Often, law enforcement is not involved in regulatory investigations” but wants to partner with industry and create cybersecurity awareness “in an attempt to prevent or mitigate the most invasive data breaches.”

Companies that lack reasonable protections and cyber protocols may be more susceptible to regulatory scrutiny, he added.

Tabs on Employees

While employee error is the most common cause of a breach, less than half of in-house counsel responding to the ACC survey reported that mandatory training exists at their company.

Fewer still say their companies track or test employee knowledge in cybersecurity, the report said.

Cheadle said he hoped the findings of the survey would educate general counsels to be more proactive in this area.

“With the knowledge that insider threats are the most pervasive, companies can now begin to get in front of the issue and train employees,” he said, suggesting that companies execute non-disclosure agreements with employees and implement international protections.

Those protections may include closed access to home e-mail systems, implementation of social media policies, using encryption software and limiting or prohibiting thumb-drive usage, he said.

To contact the reporter on this story: Che Odom in Washington at

To contact the editor responsible for this story: Yin Wilczek at

The “State of Cybersecurity Report” is available at