Information Governance to Prevent and Minimize the Impact of Cyber Attacks
From left to right: Meaghan K. FitzGerald, Drew M. Hicks, Joseph M. Callow Jr., Jacob D. Rhode, Stephanie M. Scott
Photography by Catie Viox
Cybersecurity is not just an issue for the IT people. It needs to be a holistic, corporate-wide effort that requires synergy between multiple disciplines – sales, HR, operations, the C-suite and others. All businesses need a cybersecurity plan that includes employee training and understanding where data is stored and how it’s managed. The bottom line: it’s not if you will be hacked, but when.
Those are the key points that Joseph M. Callow, Jr. makes to his clients these days in any cybersecurity 101 presentation. Callow, a Litigation Partner at Keating Muething & Klekamp, helped start the law firm’s Cybersecurity & Privacy group, an inter-disciplinary team of attorneys involved in reviewing current processes, testing their soundness, and building better plans with clients.
Callow says the KMK team takes a “soup-to-nuts” approach focusing on the critical need to have information governance to prevent and minimize the impact of cyber attacks.
“It’s a tough issue to tackle because it takes time, resources and a commitment to go through your documents and information – electronic files and hard copy files – and figure just where your data is,” Callow says. “You have to be dedicated to training your people, looking at who has access to the servers and determining if there is data on computers no one is using, but is accessible for some reason.”
Obviously, cybersecurity has become a top concern in boardrooms and C-suites with the headline-grabbing hacks of Equifax, Target, Home Depot, Sony and others. But Callow notes that companies, public and private, will need to continue to review and evolve their policies as new regulations emerge. For instance, in May the General Data Protection Regulation (GDPR) will require new data protection practices for any company that has even one European citizen in its database, and failure to comply could result in massive fines.
Callow believes public companies are quickly moving to set up cybersecurity policies, but smaller companies have been slower to respond. “It’s one of those things on their to-do list and kind of stays on their list. And you don’t want it to rise to the top because of a cyber emergency.”
Callow points out to smaller business clients that a cybersecurity plan does not have to be expensive, nor does it necessarily require some big technological change. “There are a lot of cybersecurity safeguards that are cheap and effective and can minimize exposure and damage, such as basic employee training and education.”
For example, Callow says almost half of cyber breaches are the result of employee conduct, mostly unintentional. Employees may inadvertently respond to a phishing email, or an unprotected device is stolen. “You can control how employees access data and proper training can minimize risk,” he says.
The “good” news is that security experts think that many cyber events are non-malicious, often done by the quirky hacktivist community. “There is an awful lot of hacking just for the sake of hacking. It’s done for sport by these people.”
Of course, the problem is that it’s hard to know whether a data breach is intended as “sport” or is malevolent. When one does occur, it’s critical to have a plan in place for how it should be handled. That includes involving a cyber legal team to handle a post-attack world.
“Things happen quickly when there is a breach. You are dealing with the press, employees, your customers and trying to keep your business afloat,” Callow says. “Our KMK team can help you manage the crisis immediately, and it’s important to get us involved so you can have privileged communications.”
KMK has been on the leading edge of cybersecurity, one of the few law firms in the region that have assembled a multidisciplinary team dedicated to the issue. It can bring extensive litigation experience, the ability to coordinate on insurance policies and a strategy for recouping losses. Its attorneys speak and write often on the subject. KMK also holds an annual cybersecurity and privacy seminar, which will be taking place April 18 at the Hilton Cincinnati Netherland Plaza.
Callow acknowledges the pendulum is swinging in favor of plaintiffs in data breach cases. But he says there are possible defenses to liability if a business can show comprehensive plans were in place and reasonable steps had been taken against cyber attacks. “It’s almost impossible to prevent them from ever happening, but we can show clients how to minimize risk and their exposure.”
Keating Muething & Klekamp is located at One East Fourth Street, Suite 1400, Cincinnati, OH 45202. For more information, call 513.579.6400, email firstname.lastname@example.org or visit www.kmklaw.com