Just wrote my first guest column for Compliance Week, entitled, “Preparing Your Board for Cyber-Security Oversight.” As I point out in the column:
Unfortunately, the public’s view of cyber-attack victims is less about understanding and sympathy, and more about anger and vilification. Given in particular the 47 or so separate state privacy regimes, together with a growing range of federal agency jurisdiction, instead of accepting a helping hand, cyber-attack victims are accepting service of process of multiple subpoenas. The world of incident response is an upside-down one: Rather than being treated like criminal victims, companies experiencing data breaches are often treated like criminals themselves, becoming defendants in federal and state enforcement actions, class actions, and other proceedings.
To make matters worse, this is just the beginning of a new era of data breach and incident response, where trying to avert a cyber-attack is like trying to prevent a kindergartener from catching a cold during the school year. Members of corporate boards therefore have no choice but to become actively involved in ensuring the organizations they oversee are adequately addressing cyber-security, approaching the subject much the same way an audit committee probes a company’s financial statements and reports: with vigorous, skeptical, intelligent, and methodical inquiry.