Tim Rollins, Exterro: 3 Best Practices for Preparing a Defensible Breach Response Plan


Extract from Tim Rollins’s article “3 Best Practices for Preparing a Defensible Breach Response Plan”

The General Counsel’s Role in Data Breach Response

Football teams understand that it’s hard to be a contender without an elite quarterback running their offense. A top-tier quarterback excels at real-time situational awareness, clear communication with key personnel, and making sound decisions that put the team in a position to win.

In a breach situation, the general counsel must serve as the primary signal-caller, ensuring that all of the legal facets of incident response are coordinated across a large and growing set of internal and external stakeholders.

The ACC’s 2021 Chief Legal Officers Survey found that “cybersecurity, compliance, and data privacy top the list as the most important issue areas for businesses rated by CLOs. However, this year for the first time, cybersecurity has overtaken compliance for the number one spot.”

Because the stakes are so high, the general counsel can no longer afford to be passive and react to data incidents and breaches as they happen. Instead, they must be proactively engaged in defining an incident response plan, training the staff to carry out the plan and coordinating the activity during the event. And they need to start now.

New Privacy Challenges for the General Counsel

Beyond navigating through evolving regulatory challenges, the general counsel must also grapple with today’s most pressing cyberthreat — ransomware, and the real possibility that a data breach will expose them to financial penalties for not taking proper care of their customers’ private information. The Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently ruled that the payment of a ransom might violate federal anti-terrorism laws. This means organizations may find themselves in an impossible position: either pay up to save your data and risk criminal exposure, or face expensive fines for violating data privacy laws.


ACEDS