You are here: Home Resources Samples Corporate Legal Risk Management: Case study

Corporate Legal Risk Management: Case study

Effective management of legal risks within an organization inculcates the development of succinct strategies to proactively deal with legal obligations and the associated risks. The issue of appropriate legal risk management has become an ever increasing essential component of every organization. The major aim of managing legal risks is to help businesses organizations in avoiding its operational risks turning out into legal liabilities. Legal risk management isbest utilized when its objective is to highlight, evaluate and manage legal risks that are likely to affect an organization in any given way. Failure to manage any foreseeable legal risk has the potential to affect all sectors of an organization, and this becomes the concern of every shareholder, employee, and business stakeholders in the business. It is plausible that legal risk management is crucial to any organization since it can effectively remove any uncertainties in relation to business operation ofan organization, thus avoiding legal liability later in the future. An effective legal risk management initiative should ensure that the company can avoid any costs that may arise due to any form of legal negligence during its operations.


Background Information

        The law that governs obligations in corporate information security in the United States has expanded very rapidly. The latest legal requirement, introduced mainly by laws that were introduced over the last few years, is the obligation to disclose any form of security breaches that involve sensitive personal information to the individuals who are likely to be adversely affected by such kind of breaches. The emergence of these rules that impose a duty to make disclosures for such security breaches has been necessitated by a series of security breaches that started way back in 2005. Following the enactment of these statutes, more than 300 hundred companies, federal agencies, and educational institutions have made disclosures of breaches of sensitive personal information security (Stevens 2012). These breaches have affected a cumulative total of more one hundred and fifty million individual records. The core response to these breaches has been a regulatory and legislative fury, at both federal and state level. As such, the Congress, as well as many other states, has introduced laws that require organizations to notify individuals affected security breaches that involve their sensitive personal information. Indeed, the federal banking regulatory agencies have issued their final inter-agency guidance for banking institutions regarding the new obligation to disclose any form of security breaches. At least 45 states have already enacted laws governing security breach notification, with most them having a basis on the 2003 California law (California Department of Consumer Affairs, Office of Privacy Protection 2003). Action on any of the many pending bills is also expected at any time.

Notification of a Legal Risk

        It has come to the attention of the legal risk manager that the institution has delayed in comply fully with the provisions of the current statutory requirements, including the duty to disclose any security breaches to the affected individuals. One of the main reasons why full compliance with these obligations has been the belief among the institutions’ management that the regulations do not directly call upon the company to implement security measures. Rather, the regulations impose some form of obligation upon the company to make disclosures of any security breaches when they do occur. Upon a careful analysis by the office of the legal risk manager at this institution, it has been noted that the regulations highlighted above could have a fundamental impact on the company’s corporate security obligations. It is notable that the apparent delay in enacting full compliance with the federal regulation has been borne out of the understanding that the required disclosures could be embarrassing to this institution and serve to publicly demonstrate the institution’s lack of adequate security measures.  Without such a law provision, many companies do not make public any information security breaches. In line of this, the fear of negative publicity that may arise out of such disclosures has contributed to the current failure by the company to comply with this federal obligation (Vacca 2013). Alternatively, it has been noted that the federal requirements have only incentivized the company to seek ways of implementing better security measures that can prevent the occurrence of information security breaches.

        According to the Federal banking regulators, in case client notification is warranted, a company should not forego notifying its clients of such incidences, regardless of whether the company believes that it may suffer potential embarrassment or inconveniences by doing so (Stevens 2012). It is with this legal requirement in mind that a legal risk has been identified in the company’s failure to make disclosures of the numerous security breaches that have happened in the recent past, and which may actually happen again in the future. Being a banking institution, it is important to note that the company is under legal obligation to offer security for client personal information. It is observable that the duty to disclose any breaches to the security of that personal information to the affected individuals arguably forms an essential part of that requirement. Therefore, the office of the legal risk manager finds it very important for the company to provide security in line with the Gramm-Leach-Bliley security regulations. In so doing, the benefits will by far out-do the perceived negative publicity that is anticipated to result from such disclosures. The legal risk manager has noted that several benefits expected from a compliance with these federal requirements include significant reduction of legal risk, effective management of reputation risk, and maintenance of positive customer relations.

        When viewed as a group, the federal and state security breach reporting rules generally stipulate that any company in possess of computerized sensitive data about an individual should disclose any form of breach to the security of that information (Stevens 2012).  The company has recorded several breaches to the security of clients’ information in the recent few months. In a most recent case, there was a breach of sensitive information that led to the exposure of sensitive information including customer user names on the company’s online platform, as well as exposure of passwords and account numbers. Even though the information technology department was swift in deterring any further encroachments on customer information by the intruders, the failure to notify the affected individuals of such breaches amounted to a breach of federal legal provisions in line with the obligation for security breaches disclosure. The failure to make disclosure could still be defended by quoting the federal interagency Guidance that stipulates  that disclosures should only be made when there is sufficient prove of unauthorized acquisition of client data, and a determination by the company that such information has been misused (Stevens 2012).  However, the requirement to make a notification to the bank’s primary regulator, together with appropriate law enforcement is required within the shortest time possible after the company becomes aware of a breach in information security. The notification should be made regardless of whether any misuse of the breached information has occurred or not. The legal risk manager has noted that no kind of notification has been made to the regulator regarding the information security breaches that have occurred in the last few months. To that effect, the office of the legal risk manager remains worried that any such actions in the future are likely to predispose the company to legal liability for failure to comply with statutory requirements regarding full disclosure of security breaches.

Gravity of the Legal Risk

        For purposes of demonstrating the magnitude of the current legal risk, the office of the legal risk manager would to like to make it clear that the federal statutes expressly provide for a private right to action, in case the individuals affected by the company’s failure to comply with the requirements sues the company for damages. Therefore, as a practical matter, the company must apply the strictest standard in all its notification procedures. For, if though it is certainly likely that a particular security breach will prompt notice obligations in line with some breach notification requirements, but not under others, the risk of availing notice to some customers, but not to others, is likely to have detrimental effects on the company’s public relations standing. This calls for careful planning in complying with the federal requirement. The way in which the company prepares for and makes a response to security breaches when they occur should be considered from a critical perspective. It should be noted that prompt action on a variety of fronts is crucial, both from a public relations, and a legal viewpoint (Smedinghoff 2006).


Make sure you dont miss interesting happenings by joining our newsletter program.

Contact us

Talk to us today. Use the contact provided below

  • Hot line: +1-3155576175

Connect with us

We're on Social Networks. Follow us & get in touch.
You are here: Home Resources Samples Corporate Legal Risk Management: Case study