2014 brought companies like Sony Pictures Entertainment Inc., Domino’s Pizza, eBay Inc., and the US Postal Service to front-page news as victims of cyber hacking. The reality is that cyber hacking is costing companies not only a headache and their reputation, but a whole lot of money. Despite statistics that show over $445 billion spent on cybercrime worldwide annually, many companies have not come to terms with reality. As the risks resulting from cyber increase, risk managers must guide the board of directors and CEO to provide active oversight to ensure that their enterprises have prudently taken all reasonable measures to protect themselves. The SEC has sharpened its focus on cyber security preparedness, including the regulation of disclosure by public companies to address cyber security as a material risk that needs to be fully disclosed. If these risks are regularly disclosed and a company has legally insufficient protections, lawsuits presenting substantial risk are sure to follow.
To do their jobs effectively, risk managers and cyber attorneys today must fully understand all the technological implications of cyber security. Absent a full understanding of cyber technology, both are ill-equipped to properly advise and protect companies regarding the legal and regulatory issues involved. The issues are multiplying and complex, ranging from compliance with government and industry regulatory bodies to litigation arising from lawsuits by a number of actors and corporate partners whose personal data has been lost, compromised, and/or held hostage. This article addresses a number of central issues that risk managers must make sure their cyber attorneys are able to resolve to protect against substantial liabilities. Risk managers must significantly change their behavior to help guide their companies in taking necessary and prudent steps to protect against the vast legal liabilities cyber presents.