Cyber security is a topic that should be discussed at board level. Board members have to actively ask strategic questions, such as: Do we have an incident response and crisis management plan? Do we encourage the bring-your-own-device trend? Do we forbid access to personal webmail or web storage sites on office computers? Are we using cloud computing service providers, and if so, what did we do to determine that they are reliable and well-respected in the market? If board members don’t ask thoughtful questions and stay actively involved on this critical issue, they run the risk of becoming personally liable.
Handling data in a globalized world is challenging, and we highly recommend that companies be proactive, have a strategy and take reasonable steps to protect themselves, inter alia by conducting a risk assessment of their business. This includes reviewing your technical infrastructure and familiarizing yourself with your legal risks, everything from IP protections to your obligations under data privacy and employment law. Navigating data is an issue that needs board attention. Directors may be personally liable, so you want to be prepared.
Freshfields Partner Klaus Beucher, who advises multinationals on cyber security issues, says there is a set of steps that companies must take to protect themselves. ‘Firstly, conduct a thorough risk assessment of your business. Map your data so you know where it is and what you’re doing with it. Don’t just look at your technical infrastructure, review your legal risks as well. Look at everything from IP protections to your obligations under data privacy and employment law.
‘Then, ensure you have effective data governance policies in place. Finally you should draw up a crisis plan and practise it. All of this should be done in partnership with the board.’
Tim Harkness adds: ‘Directors have personal risk, particularly in the US. Good governance is therefore vital and boards need to decide who is responsible for data security.’