We are all vulnerable to data security breaches, and, as victims, are left to clean up the mess and clear our good names. A variety of personal breaches recently, including my spouse's identity theft and the hacking of my own LinkedIn profile, have prompted me to look into the ever-present threat of hackers who illegally access personal data from a number of sources, including credit card companies, retailers, healthcare organizations, and the US government.
In light of my own experiences and the recent extension of data protection laws in the EU (GDPR), I recently asked a number of accomplished GCs one simple question: “How have you, as the GC, been able to influence and bolster privacy and security for your company?” Thank you to all the GCs who participated; following is a summary of their thoughtful responses.
Steps GCs Take to Ensure Data Privacy
- Reinforce Cybersecurity Culture. The company's culture starts with the GC. For employees to take cybersecurity seriously, the GC needs to be out in front, voicing a strong message about security and about what a breach would cost the company. A one-time training session on privacy and security isn't enough to make employees actively look out for risks. Sending out mock phishing emails, and even disciplining those who click on them, makes the seriousness of data privacy tangible.
- Prevention. Formulate a process for handling a potential security breach before one happens, and ensure that proper training has been issued to all professionals dealing with highly sensitive or confidential information. GCs especially need to have a plan for when engagements with third-party vendors conclude. Requiring that outside counsel return or destroy your records at the end of a matter removes copies that could otherwise be exposed later. Additionally, throughout an engagement with a third party, records must travel only through protected email communications or a secure file-sharing system, never as unencrypted attachments. Plan on regularly testing the privacy and security program through intentional, authorized attacks, such as penetration tests.
- Appropriate Funds. Budget cuts need to be focused on areas of the company that do not weaken its security posture. By making privacy and security compliance part of the corporate culture, as referred to in point #1 above, the business executives should support funding a cybersecurity insurance policy. Although taking these measures has proven to be costly, in the end it will prove to be extremely valuable. The GC needs to take action, advocate for the importance of protecting the company's data, and ensure that proper funding is made available.
- Monitor Closely. Even with all these steps in place, something will eventually get past the defenses, whether through an attacker or through employee error. The GC needs to stay close and work with the Chief Information Security Officer, privacy team, and global information security team so that there is a mutual understanding of changes in privacy and security and of how to identify threats. The network requires continuous surveillance to spot problems and shut them down before a major breach takes place. Continuous monitoring is what lets the GC sleep at night, knowing that risks will be managed at first detection rather than discovered months later.
One GC recommends that you ask yourself these questions to determine the soundness of your data privacy program:
- Is IT security a priority for your company and are you willing to pay for it?
- Does your company have state-of-the-art hardware and software and are they monitored continuously?
- Are you working closely with a cyber-liability insurance carrier to implement and maintain best practices?
- Are outside computers allowed to access the company’s network (or Wi-Fi at the corporate office) without being scanned for possible infection?
- Does one person have decision making authority or are decisions made by a committee?
The stakes are high for a security breach, and the reputational damage is immeasurable. Boards require that the GC be data savvy at a minimum, if not tech savvy. This is a critical area where GCs are protecting the company's reputation and creating a competitive advantage for it.