Each year brings a data breach that affects more people than the last, and each breach brings larger fines for the companies that failed to protect the information entrusted to them. Companies have tried to address cybersecurity risks with mixed results. Meanwhile, the $120 billion cybersecurity industry pushes an array of products to address risks both real and imagined. Instead of purchasing gizmos, executive leadership should rely on legal counsel to define the company's legal risks and to draft the policies and procedures that minimize them.

Regulatory environment

At first glance, it may seem odd to solve cybersecurity problems with lawyers, but regulators don't ask whether a company spent thousands of dollars on cutting-edge cybersecurity technology. Regulators analyze whether the circumstances leading to a data breach violated state, national or international law. Accordingly, cybersecurity is a legal problem that stems from three sources: the fiduciary duty of care; numerous state, national and international laws; and contractual obligations.

Executives and board members owe a fiduciary duty of care to the companies they serve. Failing to carry out those duties can expose them to personal, and potentially uninsurable, liability. Under the duty of care, executives and board members must act on an informed basis, in good faith and in the honest belief that their actions are in the company's best interests. Executives and board members cannot ignore cybersecurity problems; instead, they must act reasonably to protect shareholders' interests.

State, national and international laws increasingly regulate how companies process information. On the state level, 48 states have data breach notification laws. Most of those laws simply explain how to notify individuals affected by a data breach, while others go further and impose affirmative security obligations. Utah, for example, requires "any person who conducts business in the state … [to] implement and maintain reasonable procedures to: prevent unlawful use or disclosure of personal information … " In other words, operating without appropriate policies and procedures risks violating the law before any breach occurs.

In the federal regulatory environment, organizations that operate in industries such as health care, banking, insurance, finance, education and telecommunications face a plethora of cybersecurity obligations. For example, in the health care environment, federal law (HIPAA and its Privacy and Security Rules) requires covered entities and their business associates to implement specific privacy and security policies. Failing to do so can incur millions in fines, consumer anger and months of audits by disruptive regulators.

Internationally, most countries enforce strict privacy and security laws. Where the United States regulates privacy sector by sector, most countries outside the United States regulate privacy and security comprehensively. Accordingly, most countries prohibit the cross-border transfer of personal information unless certain procedures are followed; require a legal basis before consumer information may be processed; and impose steep fines for noncompliance. For example, beginning in May 2018 the European Union's General Data Protection Regulation allows fines of up to the greater of €20,000,000 or 4 percent of a company's worldwide annual revenue.

Another source of legal risk comes from contractual obligations that require compliance with privacy and security laws. For example, contracts may require business partners to comply with HIPAA, the Gramm-Leach-Bliley Act, the Communications Act, or privacy and security laws in general, and a breach of those terms can trigger indemnification or termination rights even where no regulator acts.

Creating a policy

Once executives and board members understand their privacy and security obligations, their legal counsel should draft applicable policies and procedures. At a minimum, the policies should explain how the company governs privacy and security matters; the physical, technical and administrative security measures that prevent data breaches; and the incident response process.

With regard to governance, a designated executive should provide regular reports to the board about security assessment results, progress on addressing open security matters, audits of the security program, privacy and security awareness campaigns, and data breach incidents. Executives and board members should have an opportunity to review these items, recommend solutions and communicate regular privacy directives to employees. The minutes of those meetings are also the record that shows the board acted on an informed basis.

In line with the duty of care, executives and board members must reasonably address privacy and security issues raised during these meetings. If executives and board members fail to hold these meetings, they may breach their fiduciary obligations to the company.

Policies must set the company's security framework for physical and technical security. There are numerous security frameworks to choose from, but the most common are the ISO/IEC 27001 standard, the NIST Cybersecurity Framework and the Center for Internet Security's 20 Critical Controls. Of these, the CIS Controls are the most approachable. They are free, available online and prioritized, so a company can implement the basic controls first and still provide a reasonable level of protection without breaking the budget. Whichever framework the policy adopts, it should name the framework version and the controls in scope, because regulators and litigants will measure the company's actual practices against the policy it wrote.

Finally, policies should flesh out an incident response process. Without one, companies can waste thousands of dollars without properly addressing incidents. The incident response process should designate an incident response coordinator who fills out an incident report, reports the incident to executives and works with the affected departments to resolve it. The process should also tie its timeline to the notification deadlines in the laws discussed above; the GDPR, for example, requires notice to the supervisory authority within 72 hours of becoming aware of a breach. Critically, the process should incorporate legal counsel, who can protect matters discussed during the incident under the attorney-client privilege. Because the privilege generally attaches only to communications made for the purpose of obtaining legal advice, counsel should direct the investigation, including any outside forensic firm, rather than merely being copied on its findings after the fact.

No company wants to lose its customers' information. No company wants to pay a fine or lose business because of a data breach. Instead of buying gadgets to solve obscure cybersecurity problems, companies should engage legal counsel who can define the legal problem and draft the policies and procedures that minimize those risks.

Tsutomu Johnson is an attorney at Parsons Behle & Latimer who specializes in cybersecurity and privacy law. He has helped multinational organizations draft privacy and security policies, negotiated numerous privacy and security contracts and helped hundreds of incident response teams respond to cybersecurity events.