The Best Defense: If you're worried about cybersecurity, call an attorney.

Author: Johnson, Tsustomu
Position: Legal Brief

Each year brings a data breach that affects more people than the last, and each breach brings larger fines for companies that failed to protect the information entrusted to them. Companies have tried to address cybersecurity risks with varying results. Meanwhile, the $120 billion cybersecurity industry pushes an array of products to address cybersecurity risks both real and imagined. Instead of purchasing gizmos, executive leadership should rely on legal counsel to help define the company's legal risks and to draft policies and procedures that minimize those risks.

Regulatory environment

At first glance, it may seem odd to solve cybersecurity problems with lawyers, but regulators do not care whether a company spent thousands of dollars on cutting-edge cybersecurity technology. Regulators analyze whether the circumstances leading to a data breach violated state, national or international law. Accordingly, cybersecurity is a legal problem, and it stems from three sources: a fiduciary duty of care; numerous state, national and international laws; and contractual obligations.

Executives and board members owe a fiduciary duty of care to the companies they serve. Failing to carry out that duty can expose them to personal, and potentially uninsurable, liability in lawsuits. Under the duty of care, executives and board members must act on an informed basis, in good faith and in the honest belief that their actions are in their company's best interests. Executives and board members therefore cannot ignore cybersecurity problems; they must act reasonably to protect shareholders' interests.

State, national and international laws increasingly regulate how companies process information. At the state level, 48 states have data breach notification laws. Most of those laws simply explain how to notify individuals affected by a data breach, while others go further. Utah, for example, requires "any person who conducts business in the state ... [to] implement and maintain reasonable procedures to: prevent unlawful use or disclosure of personal information ..." In other words, operating without appropriate policies and procedures runs the risk of violating the law itself, breach or no breach.

In the federal regulatory environment, organizations that operate in industries such as healthcare, banking, insurance, finance, education and telecommunications face a plethora of cybersecurity obligations. For example, in the healthcare environment, federal law requires healthcare entities to implement specific privacy and security policies. Failing to do so can incur...
