Law Practice Management and Technology
The Bottom Line Volume 34, No.2, August 2013
MCLE Self-Study Article: Cybersecurity — A Top of Mind Issue That Companies Must Consider
By Andrew Serwin, Esq.
Cybersecurity is a critical issue for any business, including a law firm, for a variety of reasons. And for companies that you may represent, there is increasing focus by the SEC on this issue. The Division of Corporate Finance released guidance on cybersecurity and the potential reporting implications of cyber incidents.1 Noting the increasing role of digital technologies, the Division observed that the risks associated with cybersecurity have also increased. These risks include DDoS attacks, theft of intellectual property, economic espionage, the disruption of business operations, and other concerns. These risks can result in exorbitant costs and other negative consequences for your firm and your clients, including:
- Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
- Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants;
- Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
- Litigation; and
- Reputational damage adversely affecting client, customer or investor confidence.
In light of these risks, the Division of Corporate Finance recommended certain cybersecurity disclosures for companies that are subject to its regulatory sweep, though it noted that there are no express cybersecurity disclosure requirements currently in place. One of the issues that the Division identified was disclosures for cyber issues under the risk factor disclosure. Consistent with the requirements of S-K Item 503(c), the Division believed that cybersecurity disclosures could be appropriate if there were material risks to the company, and the disclosure should include: