Cybersecurity risk is evolving and expanding. Traditionally, cybersecurity risk has been equated with cyber attacks and associated legal consequences. That risk is undoubtedly real: All internet connected systems remain vulnerable to increasingly sophisticated, persistent threat actors, including nation states and well-funded criminal organizations, who can circumvent even robust defenses to intrude into systems and expose companies to a wide variety of regulatory investigations and litigation. But companies increasingly face cybersecurity legal risk even absent a data breach. Emerging theories of liability – largely arising from inconsistencies between representations companies make about their cybersecurity and their actual cybersecurity posture – are presenting new, substantial civil and potentially criminal legal exposures for companies.
In the first installment of a multi-part JONES DAY TALKS® series, partners Lisa Ropple, Justin Herdman, and Grayson Yeargin discuss today’s rapidly growing and changing cybersecurity requirements, and the potential legal consequences of not meeting those obligations.