A recent surveyof public company directors and general counsel reveals that data security risk is the top legal concern among both key governance groups. According to the 12th annual Law and the Boardroom Study by Corporate Board Member and FTI Consulting, 48% of directors and 55% of general counsel noted data security as their principal legal concern, putting the issue ahead of concerns such as operational risk, company reputation, and internal controls. The survey notes that concerns about data security have become particularly urgent in recent years. 2012 marks the first time data security has topped the survey’s list, and the level of concern has nearly doubled in the past four years; in 2008, only 25% of directors and 23% of GCs noted data security as major area of risk.
Given this level of concern, it is somewhat surprising that, according to the study, fewer than half of the directors surveyed said their companies had a formal incident response plan. We have noted before the crucial importance of an incident response plan for redressing the legal and reputational risks that may arise from data security incidents. (David Fagan and I wrote a short piece for Corporate Counsel on incident response that provides some general tips on this topic.)
It’s also worth noting the Federal Trade Commission recently has suggested in a consent-decree action that failure to maintain an incident response plan could constitute an unreasonable data security practice and thereby run afoul of Section 5’s prohibition against unfair and deceptive trade practices. The Commission’s recent complaint against EPN, Inc. noted that the company “failed to provide reasonable and appropriate security for personal information on its computers and networks [by] . . . [f]or example, not hav[ing] an incident response plan.”