Corporate Legal Risk Management - Assignment Example

Corporate Legal Risk Management: Case study Effective management of legal risks within an organization inculcates the development of succinct strategies to proactively deal with legal obligations and the associated risks. The issue of appropriate legal risk management has become an ever-increasing essential component of every organization. The major aim of managing legal risks is to help businesses organizations in avoiding its operational risks turning out into legal liabilities. Legal risk management is best utilized when its objective is to highlight, evaluate and manage legal risks that are likely to affect an organization in any given way. Failure to manage any foreseeable legal risk has the potential to affect all sectors of an organization, and this becomes the concern of every shareholder, employee, and business stakeholders in the business. It is plausible that legal risk management is crucial to any organization since it can effectively remove any uncertainties in relation to business operation of the organization, thus avoiding legal liability later in the future. An effective legal risk management initiative should ensure that the company can avoid any costs that may arise due to any form of legal negligence during its operations. Background Information The law that governs obligations in corporate information security in the United States has expanded very rapidly. The latest legal requirement, introduced mainly by laws that were introduced over the last few years, is an obligation to disclose any form of security breaches that involve sensitive personal information to the individuals who are likely to be adversely affected by such kind of breaches. The emergence of these rules that impose a duty to make disclosures for such security breaches has been necessitated by a series of security breaches that started way back in 2005. Following the enactment of these statutes, more than 300 hundred companies, federal agencies, and educational institutions have made disclosures of breaches of sensitive personal information security (Stevens, 2012). These breaches have affected a cumulative total of more one hundred and fifty million individual records. The core response to these breaches has been a regulatory and legislative fury, at both federal and state level. As such, the Congress, as well as many other states, has introduced laws that require organizations to notify individuals affected security breaches that involve their sensitive personal information. Indeed, the federal banking regulatory agencies have issued their final inter-agency guidance for banking institutions regarding the new obligation to disclose any form of security breaches. At least 45 states have already enacted laws governing security breach notification, with most them having a basis on the 2003 California law (California Department of Consumer Affairs, Office of Privacy Protection, 2003). Action on any of the many pending bills is also expected at any time. Notification of a Legal Risk It has come to the attention of the legal risk manager that the institution has delayed in comply fully with the provisions of the current statutory requirements, including the duty to disclose any security breaches to the affected individuals. One of the main reasons why full complying with these obligations has been the belief among the institutions’ management that the regulations do not directly call upon the company to implement security measures. Rather, the regulations impose some form of obligation upon the company to make disclosures of any security breaches when they do occur. Upon a careful analysis by the office of the legal risk manager at this institution, it has been noted that the regulations highlighted above could have a fundamental impact on the company’s corporate security obligations. It is notable that the apparent delay in enacting full compliance with the federal regulation has been borne out of the understanding that the required disclosures could be embarrassing to this institution and serve to publicly demonstrate the institution’s lack of adequate security measures. Without such a law provision, many companies do not make public any information security breaches. In line of this, the fear of negative publicity that may arise out of such disclosures has contributed to the current failure by the company to comply with this federal obligation (Vacca, 2013). Alternatively, it has been noted that the federal requirements have only incentivized the company to seek ways of implementing better security measures that can prevent the occurrence of information security breaches. According to the Federal banking regulators, in case client notification is warranted, a company should not forego notifying its clients of such incidences, regardless of whether the company believes that it may suffer potential embarrassment or inconveniences by doing so (Stevens, 2012). It is with this legal requirement in mind that a legal risk has been identified in the company’s failure to make disclosures of the numerous security breaches that have happened in the recent past, and which may actually happen again in the future. Being a banking institution, it is important to note that the company is under legal obligation to offer security for client personal information. It is observable that the duty to disclose any breaches to the security of that personal information to the affected individuals arguably forms an essential part of that requirement. Therefore, the office of the legal risk manager finds it very important for the company to provide security in line with the Gramm-Leach-Bliley security regulations. In so doing, the benefits will by far out-do the perceived negative publicity that is anticipated to result from such disclosures. The legal risk manager has noted that several benefits expected from a compliance with these federal requirements include a significant reduction of legal risk, effective management of reputation risk, and maintenance of positive customer relations. When viewed as a group, the federal and state security breach reporting rules generally stipulate that any company in possess of computerized sensitive data about an individual should disclose any form of breach to the security of that information (Stevens, 2012). The company has recorded several breaches to the security of clients’ information in the recent few months. In the most recent case, a breach led to the exposure of sensitive information including customer user names on the company’s online platform, as well as exposure of passwords and account numbers. Even though the information technology department was swift in deterring any further encroachments on customer information by the intruders, the failure to notify the affected individuals of such breaches amounted to a breach of federal legal provisions in line with the obligation for security breaches disclosure. The failure to make disclosure could still be defended by quoting the federal interagency Guidance that stipulates that disclosures should only be made when there is sufficient prove of unauthorized acquisition of client data, and a determination by the company that such information has been misused (Stevens, 2012). However, the requirement to make a notification to the bank’s primary regulator, together with appropriate law enforcement is required within the shortest time possible after the company becomes aware of a breach in information security. The notification should be made regardless of whether any misuse of the breached information has occurred or not. The legal risk manager has noted that no kind of notification has been made to the regulator regarding the information security breaches that have occurred in the last few months. To that effect, the office of the legal risk manager remains worried that any such actions in the future are likely to predispose the company to legal liability for failure to comply with statutory requirements regarding full disclosure of security breaches. Gravity of the Legal Risk For purposes of demonstrating the magnitude of the current legal risk, the office of the legal risk manager would to like to make it clear that the federal statutes expressly provide for a private right to action, in case the individuals affected by the company’s failure to comply with the requirements sues the company for damages. Therefore, as a practical matter, the company must apply the strictest standard in all its notification procedures. For, if though it is certainly likely that a particular security breach will prompt notice obligations in line with some breach notification requirements, but not under others, the risk of availing notice to some customers, but not to others, is likely to have detrimental effects on the company’s public relations standing. This calls for careful planning in complying with the federal requirement. The way in which the company prepares for and makes a response to security breaches when they occur should be considered from a critical perspective. It should be noted that prompt action on a variety of fronts is crucial, both from a public relations, and a legal viewpoint (Smedinghoff, 2006). Guidelines for Future Compliance The legal risk manager has noted that with the current proliferation of security breach notification laws, as well as the resulting obligation to disclose breaches, there is a premium on initiating steps, beforehand, to eliminate or reduce the risk of having to make these disclosures. Perhaps the simplest step is this context is to lower the amount of notice-triggering information that the institution collects and maintains. This must begin with a review of data collection practices, both top note where sensitive personal information is stored, and to evaluate whether such information is really required by the company. Even if it is indeed needed, the institution must devise an accurate comprehension and inventory of the sensitive information that it collects and where such information is stored. The bottom line is to identify the accurately manage notice-triggering information, and where not needed, eliminate its collection and subsequent storage. The next process is to ensure that succinct security measures are initiated to protect sensitive personal information that the company collects and stores. To the length that appropriate security can avoid prevent breaches, and hence avoid the need to make the disclosures, it will be worth the effort. Moreover, this kind of security will be likely a legal obligation in any eventuality. Therefore, the company should ensure that it effectively addresses compliance with its legal obligation to provide security to the personal information of its customers. It is also important to note the fact that the security breach notification laws apply only to the unauthorized exposure of unencrypted personal data. Therefore, to the limit reasonably feasible, encryption of all personal information will help in avoiding the need to make the embarrassing information disclosures. Despite the level of information security implemented, breaches may remain inevitable in the future. Therefore, it is necessary to acknowledge that, as a part of an inclusive security program, the institution will need to develop and implement well thought out and legally compliant incident response mechanisms. The plan must ensure that appropriate officers within the company are promptly notified of any security breaches, and that necessary and immediate action is initiated both in responding to the breach, and in terms of notifying the individuals who may be affected by the breach. The plan must also clearly determine how the institution will ensure compliance with the varying requirements of the applicable security breach notification requirements. The best guideline that will ensure future compliance with the federal statutory requirements concerning notification of security breaches must encompass the following: 1. Designate an individual responsible for coordinating incident responses 2. Identification of participants in the incident response activities, including their roles, and full time contact information 3. The adoption of procedures to ensure timely internal notification of the responsible persons when any breaches are detected 4. Enact procedures to manage, control, and address any security breach incidents 5. Implement procedures for prompt notification of law enforcement, regulators, and the public relations department. Finally, it is notable that the development of an incident response plan will give the organization great flexibility in the procedures that can be utilized in notifying the customers affected by any future breaches. Specifically, most states currently allow organizations to implement their own alternate statutory notification requirements. Thus, as long as the company maintains its notification procedures, and given that these notification procedures correlate with the timing requirements of the breach notification statute, the company will be deemed to be in full compliance with the law requirements. It is notable that failures to comply with statutory requirements that govern the notification of security breaches constitute a serious violation of legal provisions, and this poses a grave legal risk to banking institutions. The statutory requirements are mainly established with an aim of protecting the personal information that institutions may have regarding their clients. The disclosure of any breach to the security of such information forms an important part of maintaining the integrity of the information, and making sure that individuals remain confident that any personal information that they provide to institutions is held with utmost confidentiality. Therefore, effective management of legal risks arising from failure to notify customers of any breach to their sensitive information within an organization must involve the development of succinct strategies to proactively deal with legal obligations and the associated risks. Failure to enact measures of dealing with such legal risks might dispose an organization to costly legal liability in the future. References California Department of Consumer Affairs, Office of Privacy Protection, (2003). Recommended Practices on Notification of Security Breach Involving Personal Information. Retrieved 05 September 2014 from www.privacy.ca.gov/recommendations/secbreach.pdf Smedinghoff, T., (2006). Security Breach Notification Law: Defining a New Corporate Obligation. The Bureau of National Affairs, 3 (2) 11-16 Stevens, G., (2012). Data Security Breach Notification Laws. Congressional Research Service. Retrieved 05 September 2014 from www.crs.gov. Vacca, J., (2013). Managing Information Security. New York: Elsevier. Read More