By Rob Hegedus, Sera-Brynn CEO
A disturbing trend is developing in the corporate world and unfortunately it’s only going to get worse: Breached companies are not the victims. They are the villains.
High-profile businesses and organizations, including publicly traded companies, hospital networks and top non-profits, are no longer viewed as the victim following a data breach. They are more often vilified for any number of reasons, including the perception of not being prepared, not notifying their customers soon enough, not taking the threat seriously … and the list goes on.
I’ve observed this trend and it hit home recently when I was invited to the Department of Treasury to discuss cybersecurity best practices and future trends within the financial services sector. Surrounded by industry powerhouses, I found it humbling to be the only cybersecurity company present.
The event was co-sponsored by the American Bar Association, and the role of the general counsel in supporting the overall cybersecurity posture of the United States’ financial services industry was an important discussion point, which I’ll expand on in a bit.
My impression from this meeting, and based on our close working relationship with other government entities, is that the executive agencies consider cybersecurity a national security priority. I applaud their efforts, such as this one, to bring in their private sector counterparts to jointly tackle the issue and work together toward the best solutions for the American public.
Sera-Brynn works very closely with the legal community and my participation at the Treasury Department further underscored that focus for us. It also highlighted the trend I’ve noticed of vilifying victims of data breaches.
The proof is in the reaction following a data breach. Rather than garnering sympathy, breached organizations instead become media targets and defendants in government or industry enforcement actions, or both.
The mid-market is not immune. While the general response to a mid-sized business being breached is one of apathy, that too is being slowly replaced by vilification. Data breaches are entering the realm of factory fires and mine collapses — after the incident, the commercial and regulatory establishment will be looking for someone to blame. And punish. And woe to you if you didn’t meet industry compliance requirements or “best practices.”
As a certified auditor, Sera-Brynn focuses on preparing our clients for the inevitable data breach (yes, it’s inevitable) by helping them meet compliance or cybersecurity “best practices” in order to avoid claims of negligence, civil liabilities and shareholder- or customer-driven lawsuits.
More importantly, third-party review of cybersecurity posture and compliance standards can significantly reduce the likelihood of a catastrophic data breach, which protects the business and the business’ customers.
In our role as an incident response and forensics firm, Sera-Brynn provides an independent and objective third-party investigation that also protects our clients, not only by ensuring the integrity of the response, but also by creating a defensible record if challenged later by regulators or class action lawyers.
However, as auditors and forensics specialists we still only play a small role in a much larger effort. That effort must be “quarterbacked” by general counsel. This is why we work so closely with our counterparts in the legal community.
In addition to incident triage and data breach response, our clients must deal with regulatory notification, law enforcement liaison, white-collar defense, e-discovery, litigation, insurance activation and much more. This is the domain of the general counsel.
By the way, did you know 47 states all have different notification requirements? Does your business have customers in more than one state?
Sera-Brynn’s position is that the incident response capabilities and practices within law firms today are similar to where the Foreign Corrupt Practices Act practice area was about 10 years ago. Incident response practice areas are the fastest-growing areas in the legal community and we are committed to continuing to be an important part of that evolution to ensure the best protection possible for our clients.
Doing everything you can to protect your business and your customers’ information sometimes isn’t enough. Insurance plays a very important role in transferring some of that risk, but the response mechanism is getting so complex that smart companies are realizing that general counsel must play a more important role in their overall cyber risk management and response strategy.