This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, to ISACA CSXNA 2016 in Las Vegas on October 18, 2016.
https://www.isaca.org/cyber-conference/index.html
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that all company will be breached, but preparation and diligence can help minimize the likelihood that such a breach from being a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk business have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. Then, because of this crisis environment, the need for leadership in helping keep the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.