How the C-Suite Should Talk About Cybersecurity

This series provides answers to questions from c-suite executives and board members about their companies' cybersecurity practices.

Contributors:

Jeffrey Kosseff

CIPP/US

Assistant Professor, Cyber Science Department

U.S. Naval Academy

Increasingly, c-suite executives and board members have questions about their companies' cybersecurity practices — or lack thereof. This series provides high-level answers to some of those questions, specifically focusing on the development of cybersecurity policies, incident-response plans, liability of board members and executives for data breaches and the attorney-client privilege for cybersecurity investigations.

Series Overview

What is Cybersecurity?
This article explains how executives should understand cybersecurity by distinguishing it from privacy and data security, emphasizing the need for clear definitions and the importance of protecting systems, networks, and information amid growing regulatory and shareholder scrutiny.

Liabilities after a Data Breach
This article outlines the legal exposure companies face after a breach, including state breach‑notification laws, potential regulatory enforcement, and FTC actions under Section 5, helping executives understand the broad range of post‑incident risks.

Attorney-client Privilege and Work Product Doctrine
This article discusses how companies can preserve confidentiality when using external cybersecurity consultants, explaining why consultant work is not inherently privileged and how involving legal counsel can better protect sensitive investigative materials.

Explaining the NIST Framework
This article introduces the NIST Cybersecurity Framework’s five core functions—Identify, Protect, Detect, Respond, Recover—and explains why executives should incorporate the framework’s standards into companywide cybersecurity risk management.

State Laws and Breach Notification Requirements
This article explains how executives should evaluate their breach notification obligations across 47 different U.S. state laws, noting that requirements vary and that multi‑state companies may need to comply with many different legal regimes after a breach.

Data Breach and Security Vulnerability Reporting Obligations to Shareholders and the SEC
This article details when publicly traded companies must disclose cybersecurity risks or incidents under SEC rules—emphasizing materiality, risk‑factor disclosures, and the influence of SEC guidance on reporting expectations.

Lawsuits stemming from Data Breaches
This article reviews the types of lawsuits companies face after a breach—especially class actions involving large numbers of affected individuals—and explains how these suits can impose far greater financial liability than traditional individual claims.

Examining insurance coverage for data breaches
This article clarifies why companies should not assume their general liability insurance covers breach‑related costs and explains how policy language, exclusions, and insurer interpretations can leave executives uncertain about coverage after an incident.

Tags:

Data security, Incident management, Risk management, Strategy and governance, Finance and banking, Government, Professional services, Retail, Technology, Cybersecurity law, Privacy