A recent survey of corporate general counsel and directors by Corporate Board Member and FTI Consulting, Inc., provides some eye-opening findings about the importance of data security to U.S. companies and the ability of those companies to respond to a data breach.
On the one hand, the survey of approximately 13,400 corporate directors and general counsel found that data security was the top legal risk concern for both groups. 48% of corporate directors and 55% of general counsel identified data security as their top concern. This level of concern about data security has doubled in the last four years. In 2008, only 25% of directors and 23% of general counsel noted data security as an area of high concern. The survey explains, “there is arguably no more insidious threat to a public company than that of cyber risk; it’s invisible, ever-changing, and pervasive—making it very difficult for boards to manage. On top of that, it’s costly.”
Despite the increasingly high level of concern about data security, however, there is significant reason to believe that companies are not prepared to respond to a data breach. For example, one-third of general counsel respondents stated that their boards are not effective at managing cyber risk. Similarly, only 42% of directors said their company has a formal, written crisis management plan to manage a cyber breach or attack should one occur (27% said their company had no plan and 31% did not know whether their company even had a plan). Yet 77% of directors and general counsel believe their company is prepared to detect a cyber attack.
In other words, a disconnect exists between the significance corporate entities are placing on data security and their lack of preparedness to respond to the risks associated with data security. T.K. Kerstetter, President of Corporate Board Member believes that the disconnect between the lack of written plans and the perception of preparedness is cause for concern, and certainly an area to monitor in the years ahead. Mr. Kerstetter stated (and I could not agree more) that “it is going to take several well-publicized security breaches before a supermajority of corporate boards finally embrace the fact that doing business today without a prudent crisis plan in place is a formula for disaster.”
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.