Do You Know Where Your Company’s Data Is?
August 23, 2015
Headlines about massive data breaches at major corporations have become commonplace. What’s striking about these high-profile hacks is that many of the affected companies were spending millions on cybersecurity measures when the breach occurred. They had gone to great lengths to prepare for the worst, only to have it happen anyway. Target, Bank of America and AT&T have all suffered serious breaches that originated with a third-party service provider. No matter how robust the defenses protecting your own network are, if your data resides with a third party, protection will depend on their technology, processes and employees.
Legal departments should collaborate with their chief information security officers and security teams to drive internal policy and draft strong third-party vendor contracts. The information security team must be able to access third-party infrastructure and employee practices. Policies and strict enforcement of secure third-party vendor relationships should apply not only to the vendors themselves, but also to your own employees and their interactions with the vendors.
Regulation of the practices required to protect sensitive data is increasingly stringent, and the legal profession is acknowledging technological competence as an ethical obligation that applies to anyone practicing law. The standard of care with regard to the protection of private information is rising, and ignorance is no longer an acceptable defense in the wake of a poorly managed cyberattack. Boards have begun to take notice, in part because the members are potentially liable as individuals.