Pub. 5 2017 Issue 4

www.uba.org 8 If You’re Worried About Cybersecurity, Call an Attorney E ach year brings a data breach that affects more and more people; each breach also brings larger fines for companies who failed to protect information. In an effort to evade regulatory fines and consumer wrath, companies have tried to address cybersecurity risks with varying results. Mean- while, the $120 billion cybersecurity industry—eager to sow fear, uncertainty, and doubt—pushes an array of products to address cybersecurity risks both real and imagined. Instead of purchasing gizmos, executive leadership should rely on legal counsel to help define their legal risks and draft poli- cies and procedures minimizing identified risks. At first glance, it may seem odd to solve cybersecurity prob- lems with lawyers, but regulators don’t care if a company spends thousands of dollars on cutting-edge cybersecurity technology. Regulators analyze whether the circumstances leading to a data breach violate state, national, or interna- tional law. Accordingly, companies should understand their legal obligations to minimize their cybersecurity risks. By engaging legal counsel, companies can understand their legal obligations in the cybersecurity arena and draft poli- cies addressing identified risks. Cybersecur it y lega l obl igat ions f low f rom cor porate leadership’s fiduciary duty of care; state, national, and international law; and contractual obligations. Executives and board members owe a fiduciary duty of care to the companies they serve. Failing to carry out those duties can impose personal—and potentially uninsurable— lawsuits against executives and board members. Under the duty of care, executives and board members must act on an informed basis, in good faith, and in the honest belief that their actions are in their company’s best interests. This means executives and board members must act reason- ably when they assess information so they can protect the interests of shareholders. The duty of care also requires executives and board members to address reasonable risks to By Tomu Johnson and Tammy Georgelas, Parsons Behle & Latimer