Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...
Dec. 9 — Though companies are increasing their spending on cybersecurity, not all are likely to reach out to law enforcement when there is a breach.
That's according to a survey conducted by the Association of Corporate Counsel (ACC) and attorneys who practice in the area of cyber threats.
“Many companies may not appreciate that law enforcement is there to help—not only that company but the greater industry,” Shawn Cheadle, attorney for Lockheed Martin Space Systems Inc. and chair of ACC's information governance, told Bloomberg BNA in an interview Dec. 9.
“The State of Cybersecurity Report,” released Dec. 9 by ACC, polled more than 1,000 in-house counsel at 8,887 organizations in 30 countries. Over half of the respondents said that their companies had increased their spending to protect against cyber breaches. One-third said that their companies had experience a data breach, and employee error was the most common reason for breaches, the report said.
Corporate lawyers in the retail industry are most likely to report that they proactively collaborate with law enforcement or other government agencies to address cybersecurity risks, the report said.
Philip N. Yannella, partner in the Philadelphia office of Ballard Spahr LLP who helped draft the report, told Bloomberg BNA by e-mail Dec. 9 that retailers may appear more willing to report collaborating with law enforcement because the industry has been most heavily targeted by hackers.
“These companies have faced public criticism over their failure to report the data breach earlier,” he said. “By reporting that they are working with law enforcement agencies, companies may be hoping to allay concerns that the company was somehow sitting on its hands while the customer data was being potentially misused when, in fact, they were actively working with law enforcement to identify the cause of the breach.”
Many incidents may not rise to the level that companies feel collaboration with law enforcement is necessary, Yannella said.
If the breach has an indicia of criminal activity or a “suggestion that a state actor may be involved,” then companies are more likely to contact the government, he said.
In fact, reporting to law enforcement could, in certain cases, create an impression that the breach is more serious than it really is, he added.
“Consider, for example, a company which is contacted by law enforcement and told that known state actors may have been attempting to penetrate the company's firewalls and access proprietary information,” he said. “That company might be reluctant to report the collaboration with law enforcement if the malicious conduct was unsuccessful and didn’t trigger any regulatory reporting.”
Government agencies, such as the FBI, can provide a great deal of help to a corporation that finds itself with a significant breach on its hands, so companies should give careful consideration to asking for assistance, Cheadle said.
“Law enforcement can bring tremendous forensics and skilled personnel adept at following hacks and data breach paths,” he said. “Often, law enforcement is not involved in regulatory investigations” but wants to partner with industry and create cybersecurity awareness “in an attempt to prevent or mitigate the most invasive data breaches.”
Companies that lack reasonable protections and cyber protocols may be more susceptible to regulatory scrutiny, he added.
While employee error is the most common cause of a breach, less than half of in-house counsel responding to the ACC survey reported that mandatory training exists at their company.
Fewer still say their companies track or test employee knowledge in cybersecurity, the report said.
Cheadle said he hoped the findings of the survey would educate general counsels to be more proactive in this area.
“With the knowledge that insider threats are the most pervasive, companies can now begin to get in front of the issue and train employees,” he said, suggesting that companies execute non-disclosure agreements with employees and implement international protections.
Those protections may include closed access to home e-mail systems, implementation of social media policies, using encryption software and limiting or prohibiting thumb-drive usage, he said.
To contact the reporter on this story: Che Odom in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Yin Wilczek at email@example.com
The “State of Cybersecurity Report” is available at http://www.acc.com/legalresources/resource.cfm?show=1416923.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)