The Heart Bleed Bug: 10 questions you should ask your CIO

The zeros and ones (computer code) that zips about corporate IT systems not only represent modern business’ greatest assets, but also their greatest risks. Most legal teams are not aware that a large proportion of their relevance in the future will be defined by their ability to protect and grow corporate information’s value.

The recent press about OpenSSL’s Heartbleed Bug – which has put most of the worlds websites at risk – is a timely trigger for legal functions to increase their vigilance of IT related risks.

A study by IT research firm Gartner suggests that corporate information is growing at up to 60% a year. Even more concerning, an increasing proportion of this data is generated outside of the firewall—on BYO devices, social media, and in the cloud for example.

When you combine this growing importance of corporate information, expansion of corporate data with the ongoing regulatory tsunami over the use of information, the outcome can be career long migraine for legal functions.

Not surprisingly a recent survey suggests that 85% of U.S. GCs rate technology-related risks as ‘important’ to ‘very important’ in the year ahead.

Sadly, technophobia means too few legal teams will have the capacity, capability or the interest required to provide adequate assurance of this risk. Historically, legal investments in information risk have been all tip and no iceberg – primarily focused on IT procurement.

When did Noah build the Ark? ...BEFORE the flood.

To help legal teams stay ahead of this looming challenge, here are the top 10 questions every GC should ask their CIO:

1. Do we understand the implications of the Heart Bleed Bug on our business – given our data privacy obligations?
2. Where are our primary data centres based? What are the implications for these domiciles—and information stored in the cloud—from key regulations, such as the U.S. Patriot Act?
3. Does IT plan to introduce new enterprise programs this year?
4. Do we have a policy for the use of social media by employees?
5. What records retention issues does unstructured data present?
6. Do we need to introduce further compliance training for the use of emerging technologies?
7. What measures have we adopted to ensure that third parties do not overpromise or misrepresent their security?
8. Does the company’s data security roadmap incorporate recently updated and enforced data-privacy regulations into long-term program objectives?
9. Have we got a cross-functional (e.g. Corporate Coms, Compliance, IT, Legal) contingency plan prepared in the advent of a data privacy breach?
10. What are the greatest information risks that the legal function should be aware of?

Like most risks, technology-related risks are not legal’s responsibility to own. However, we do have a duty to identify them and ensure the business has adequate controls in place. It’s like the age-old question: ‘when did Noah build the Ark?’

...BEFORE the flood.

Interested in this space? Take a look at our technology radar, which illustrates the legal implications, of some of the greatest opportunities & threats from IT.