For the first time data security is the most prevalent concern among both corporate general counsel and directors, according to the 2012 “Law and the Boardroom” survey by FTI Consulting and Corporate Board Member. Data security ranked higher than even operational risk or loss of reputation.
The reasons why cybersecurity weighs so heavily on the minds of business executives are simple: the risk is difficult to manage, expensive and pervasive. A surprising finding of the survey was that, despite their awareness of this risk, fewer than half of public companies surveyed had a crisis management plan for responding to a cyber attack.
Corporate Counsel magazine recently highlighted the severity of cybersecurity risks, asking why corporate counsels and boards are so ineffective at managing this known risk. A recent report by the Department of Homeland Security went so far as to recommend that electric power companies establish separate cybersecurity governance boards just to manage this growing risk. Existing boards, apparently, just aren’t exercising adequate governance oversight.
What implications does this information have for private companies? First, be aware of the risk. Private businesses are actually at HIGHER risk of data security breaches since they frequently don’t have the robust systems and personnel that public companies do to help manage the risk. As we noted in our June 18 blog post, small businesses are typically less aware of their risk, which makes them even more vulnerable.
Second, EVERY business, public or private, should have a data security risk management plan. This plan is just as critical as any other crisis management plan. That’s because, of course, failure to keep customer data secure can result in legal liability, adding insult to the injury done to the business’s reputation and brand.
Third, business leaders should keep cyber security in mind throughout their strategic planning, contracting and negotiating. If you’d like help drafting or updating a data security risk management plan, please contact our Business Law Group attorney, David A. Closson at [email protected].