Skip to content Skip to navigation menu
Your browser is not supported by this site.
Please update to the latest version, or use a different browser for the best experience.

Corporate Counsel Connect collection

February 2013 Edition

C-suite strategies: Data incident risks and five steps to manage them

Bill Hardin, Director in the Disputes and Investigations Practice at Navigant

Bill HardinAn organization's competitive advantage is being transformed by the information that it collects. This information is used by every facet of the organization from hiring to product/service expansion strategy. Within the C-Suite, the CFO uses information for strategy and forecasting, while the General Counsel uses it to manage risk throughout the organization. Due to the expansive use, information management is becoming the power source of the organization.

The value of the organization's information is extensive; however, the consequences of this information being compromised can have the reverse effect as the organization may experience brand dilution, market-share loss, and/or regulatory actions.

Data breaches ReportIn the last four years, over 1,900 data breaches occurred with a 60% increase from 2011 to 2012 as noted in the chart at right.

Data breaches can be instigated internally or externally. Internal breaches can occur from lost laptops to disgruntled workers, while external breaches can happen by trusted third parties to external attacks by hackers. This threat has vaulted to a top 5 risk for the C-Suite in 2013 and the regulators have taken notice.

The regulators are coming

Data protection and privacy is a lightning rod for regulatory agencies as they have increased enforcement efforts as well as created new laws. Recently, the state of California started a privacy unit to enforce both state and federal privacy laws. Additionally, the Securities and Exchange Commission provided guidelines on when companies should disclose cyberattacks. So far, at least six companies (e.g., Google) disclosed cyberattacks through investor reports. With the numerous national, industry, and local regulations in place, the organization can spend significant time and effort with compliance and monitoring efforts.

Five steps to limit data incident impact

To limit the impact of a data incident and provide assurances to the appropriate regulatory agencies that the regulations are being complied with, the C-Suite can deploy the following five steps:


Step One: Perform a risk assessment of captured information
The risk assessment provides an understanding of the information captured, storage location(s), and IT security measures in place.


Step Two: Implement a data-governance framework
The framework gives structure and guidance with respect to the captured information. Many frameworks include sections pertaining to data classification, data minimization, data destruction, and forensic techniques for analysis and auditing.


Step Three: Develop and operationalize an incident response plan
The organization needs to be prepared when a data incident occurs. A well-crafted response plan provides a roadmap as well as the incident-response team to operationalize the response plan once an event occurs. The team should consist of internal as well as external parties ranging from counsel and forensic consultants to public relationship firms.


Step Four: Review insurance coverage
The economic impact of a data incident can be sizeable and insurance coverage specific to these risks is available to protect against the economic consequences. From business interruptions to class-action lawsuits, having the proper insurance coverage can transfer the company's monetary risk when an event occurs.


Step Five: Conduct training on a regular basis for all employees and vendors
Employees are an organization's greatest asset or sometimes the biggest threat. As data security is the responsibility of everyone in an organization, every employee from clerk to CEO needs to understand the sensitivity of information management and the risks that the organization are exposed to when a data incident occurs.

Moving forward

It is not a question of if, but when an organization will experience a data incident. Hence, the organization needs to be prepared as the news media, regulatory agencies, and shareholders all have different agendas, which can provide lasting disruptions to an organization. By executing the five steps outlined above, the C-Suite can mitigate the risk of a data incident.

About the author

Bill Hardin is a Director in the Disputes and Investigations practice at Navigant. He has advised audit committees, boards, counsel, and management in numerous matters ranging from forensic accounting to turnaround management. He has performed many data incident response and theft of trade secret engagements. Bill is a CPA/CFF, CFE, PMP, and has an MBA from the University of Chicago Booth School of Business. He is a frequent speaker on financial and litigation risks. He serves on the board of directors for Illinois Legal Aid OnLine and acts on behalf of the Turnaround Management Association to provide pro-bono services to financially distressed clients.