Due in large part to the sensitivity of the information their departments have access to and the incomplete cybersecurity regulatory environment affecting their organizations at home and abroad, corporate legal teams have found themselves in the data protection hot seat. A survey released this week by Mayer Brown shows that executives and corporate legal personnel are increasingly worried about the risk associated with cybersecurity, and many hope that regulatory guidance is on the horizon.
Mayer Brown’s survey Perspectives on Cybersecurity and Its Legal Implications was released on April 8, and tapped executives and corporate counsel in 15 industry sectors to discuss cybersecurity.
Archis Parasharami, co-leader of Mayer Brown’s consumer, litigation and class actions practice and a member of its privacy and security practice, told Legaltech News, “Our intention through this survey was to gauge industry concerns and responses in this area. The survey confirms that, as we have gleaned anecdotally from our clients, businesses are deeply concerned about cybersecurity incidents that may lead to the breach of personally identifiable information; are focused on the potential litigation risks from such breaches; and expect and hope for the emergence of national standards providing guidance on data breach notification.”
In response to the specific threats, 63 percent of respondents said the disclosure of personally identifiable information (PII) was the biggest cyberthreat to their companies. Given that regulated industries like health care and insurance have laws that directly address the protection of PII, this is perhaps not surprising.
Perhaps more telling is how corporate team members and executives see cyber-risk impacting their corporate responsibility of mitigating lawsuits. Respondents were asked to assess the extent to which cyberissues increased their risk of litigation: 57 percent indicated that cyber-risk had a modest impact on litigation risk, and most respondents (63 percent) agreed that cyberincidents and the potential legal fallout had become a “cost of doing business.”
Following major cyberevents at The Home Depot Inc. and Target Corp., customers with compromised PII responded with lawsuits. In March, Target won preliminary approval for a $10 million settlement to address pending class action, but Home Depot and others like Wyndham Worldwide Inc. and Anthem Inc. still face lengthy and expensive court battles as a result of cyberincidents.
“Increasingly, the mindset of businesses has moved from asking ‘if privacy or cybersecurity issues will affect them’ to ‘when will it happen.’ As a result, inside counsel and senior executives are focused on prevention, planning and response to potential privacy and cybersecurity incidents. Moreover, recognizing that not every incident can be prevented despite appropriate preventative efforts, businesses necessarily are thinking about the government investigations and private class actions that are certain to follow,” Parasharami said.
One area that could aid companies in addressing cyberdefenses and compliance strategies could be the addition of more overarching regulation. Eighty-four percent of respondents expect clear national standards on data breach notification to emerge within the next five years.
But even with the promise of better guidelines just over the horizon, those surveyed were pessimistic in the immediate term. Twenty-nine percent have a negative outlook on cyber-related issues, and believe that criminals will always be better prepared to break into companies than organizations will be to stop them. Furthermore, only 23 percent said that their companies currently had close working relationships with a government enforcement agency or a prosecutorial agency regarding cyber-risk, something that will change dramatically if that five-year goal is met.
Reprinted with permission from the April 9, 2015 edition of LegalTech News © 2015 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.