Do you need a cybersecurity attorney on retainer?

Developing plans to protect your digital information and network while complying with state and federal regulations can be a legal challenge for any corporation. Is relying on in-house counsel enough, or should companies have a cybersecurity attorney on retainer?

In-house counsel remains imperative for corporations, particularly for financial institutions, banks, and the healthcare industry. Corporate attorneys are learning more about cybersecurity law, but the number of industries that need cybersecurity attorneys has increased in the last five to 10 years.

Cybersecurity law firms provide services from data breach to cybercrime, compliance with local privacy laws, security policies, record management, digital media privacy, litigation and more. While internal counsel remains an integral part of corporate wellness, partnering with external counsel with security expertise could help to minimize damage.

Having the consultation of a cybersecurity attorney while developing an incident response plan is instrumental. Because time is not a friend in any breach situation, companies that have cyber security attorneys on retainer are better positioned to quickly and efficiently respond to incidents.

"A decade ago there was not enough demand in the field of cyber security law to build a practice around it," said JJ Thompson, chief executive officer at Rook Security. Today, entire practices are flourishing in the field of cyber security law. Cybersecurity attorneys play a greater role now than they did five to 10 years ago because they have more specific and more informed expertise than general litigators.

Thompson noted, "To not have a cybersecurity attorney on retainer is foolhardy at best," because organizations need somebody who is a specialist in what Thompson identified as the four main areas of concern: breach scenarios, personnel policies, cyber liability insurance, and working with government.

Maintaining privilege is paramount in the aftermath of a breach, but understanding the differences among a possible incident, an incident, and a breach will drive the company's response. Cybersecurity attorneys work with organizations to develop their incident response plans, which determine who speaks to whom, when, and about what. Thompson said, "The plan should be very basic and the attorney is a key part in designing the plan."

Cybersecurity attorneys are experts in incident response, and Thompson said, "Counsel and public relations should run the incident. IT provides them with the information to make decisions, but in reality 99% of incident response and forensics is run through IT not counsel." The risk of IT running the incident response is that IT staff are not versed in the policies and procedures governing custodianship of data.

Thompson also talked about personnel policies. If an employee who used cloud services leaves or is terminated, what is the organization's responsibility at termination? Cybersecurity attorneys are also instrumental in working with the government on subpoenas so that organizations can maintain privilege and remain in compliance with the law.

Mark Harrington, general counsel at Guidance Software, said, "How a company is prepared and how they handle a breach is important. The government is giving favor to companies that are well prepared and willing to cooperate." Harrington suggested, "If you don't have the internal expertise, you should find an expert law firm, educate yourself, or find a vendor."

"Not all data is equal. How is it being collected? How is it being stored? Discarded? Those who guard data have been viewed as criminals when they got hacked, and that's not fair," said Harrington. As the standards for cybersecurity continue to be established, perspectives have changed. Harrington said, "Now, if you had your act together and still got hacked, we're going to treat you as a victim."

The old adage, "proper preparation prevents poor performance," resonates when it comes to breaches and complying with privacy regulations.

"The government is going to look at how prepared you are to detect intrusion. Do you register attacks? Do you encrypt data? Most companies have outward facing policy to the public, but the FTC looks at policy as deceptive. If you are not being preventative, you're ignoring the issue and you subject yourself to being hacked," said Harrington.

Can an organization prepare for a breach without the aid of a cybersecurity attorney?

DJ Vogel, partner at Sikich's security and compliance practice, advised, "Determining whether to have a cybersecurity attorney should be based off of a company's risk assessment, which will inform what level of involvement they need from outside sources."

Because cybersecurity attorneys will have expertise that corporate attorneys may not have, Vogel said, "You should at least have a relationship with a cybersecurity lawyer." Well versed in breach notification laws specific to disclosures, cybersecurity attorneys work in conjunction with forensic investigators and public relations to frame incidents in the best light.

"Security and legal share a very similar mission," said Sean Cordero, director in the office of the CISO at Accuvant. One area of overlap, Cordero said, is the cloud. "One of the most opportune things that has happened for cybersecurity is the cloud. When you're moving into the cloud, you're inevitably relying on external controls. The only way to maintain control is through contract language," Cordero said.

Another area of concern for Cordero is policy development within a security group. "When you have IT and security personnel with no legal training trying to develop policy, you have the potential to inadvertently expose the organization to harm." Companies need somebody who is a specialist.

Though much of the disclosure language is similar from state to state, the implementation might be different. Cordero spoke of the differences between Iowa and California and the specific laws around notification in a breach. "An organization must have, when dealing with any kind of interstate or international regulation, they need to have legal expertise," Cordero said.

Though the expertise of a cybersecurity attorney is a great benefit to some organizations, companies must consider their individual needs. A key consideration is risk assessment. "If a smaller organization has limited sensitive data, it may not need a cybersecurity attorney on retainer, but larger name organizations with [service-level agreement] attached to it are definitely seeing more and more lawyers," said Vogel.

"The bottom line," said Cordero, "is that when companies are dealing with data, they should have available to them someone with the legal expertise they need. Security professionals are experts at coordinating response, but appropriate handling of information in accordance with the law demands an outside attorney."

Being informed and knowing when to call upon the expertise of an outside attorney is a critical step in security. "Knowing industry technology standards is quite different from being able to interpret the law," Cordero said. Having a cybersecurity attorney on retainer means, "not exposing your organization to additional risk that could result in collateral damage," Cordero said.

Stories by Kacy Zurkus