View points

Combating cybercrime: The general counsel’s role

Cybercrime is rising. Estimates of losses from intellectual property and data theft range as high as $1 trillion.¹ Last year, a criminal hacker was sentenced to 20 years in prison for stealing more than 170 million credit and debit card numbers, making it the largest identity theft case the Department of Justice has ever prosecuted.²

With legal risks high, companies have to be diligent whenever a system is breached. Yet according to a recent report, the general counsel is often the last person to find out about a cybercrime.³

Cyberattacks aren’t just an information technology (IT) matter. Legal obligations, damages to the organization, and business relations with customers are all reasons that the general counsel must act promptly when a company’s systems have become compromised. This means acting after a breach is detected, not merely after data are actually stolen. Also, special rights exist for cybercrime victims if the victimized company initially investigates after a breach occurs. For instance, employers can obtain injunctive relief against former employees who improperly access a company’s digital information.

General counsel can play a pivotal role in protecting an organization if they are first—rather than last—on the cybercrime scene.
Many times, general counsel isn’t even aware that a company’s systems have been compromised, which puts the business at risk for litigation and fines. Why are they often in the dark? Although IT professionals are usually the first to know when a breach occurs, they might not report the breach within the organization for fear of losing their jobs. And when the general counsel becomes aware of the system breach too late and investigations have already occurred, companies lose out on a privileged status, which helps protect breached companies if they get sued by external parties or investigated by regulators.

Facing cyberthreats doesn’t have to be daunting. Acting in a timely way and creating better communication avenues with IT staff can lessen the risks associated with compromised information systems. General counsel can become better equipped to deal with cybercrime by learning more about technology trends, by establishing an information security council, by developing a response plan that includes periodic testing and clear guidelines on how to respond and when, and by having a cyber forensic investigator on retainer.

There is no doubt that cyberattacks can be detrimental to a company and its reputation. But general counsel can play a pivotal role in protecting an organization if they are first—rather than last—on the cybercrime scene.

1 http://www.whitehouse.gov/assets/documents/Cyberspace_ Policy_Review_final.pdf.

2 http://www.justice.gov/usao/nj/press/press/files/pdffiles/ dojgonzalez0326rel.pdf.

3 PwC, Why cybercrime matters to general counsel, February 2011.