Developing plans to protect your digital information and network while complying with state and federal regulations can be a legal challenge for any corporation. Is relying on in-house counsel enough, or should companies have a cybersecurity attorney on retainer?
In-house counsel remains imperative for corporations, particularly for financial institutions, banks, and the healthcare industry. Corporate attorneys are learning more about the cyber security laws, but the number of industries who need cybersecurity attorneys has increased in the last five to 10 years.
Cybersecurity law firms provide services from data breach to cybercrime, compliance with local privacy laws, security policies, record management, digital media privacy, litigation and more. While internal counsel remains an integral part of corporate wellness, partnering with external counsel with security expertise could help to minimize damage.
Having the consultation of a cybersecurity attorney while developing an incident response plan is instrumental. Because time is not a friend in any breach situation, companies that have cyber security attorneys on retainer are better positioned to quickly and efficiently respond to incidents.
"A decade ago there was not enough demand in the field of cyber security law to build a practice around it," said JJ Thompson, chief executive officer at Rook Security. Today, entire practices are flourishing in the field of cyber security law. Cybersecurity attorneys play a greater role now than they did five to 10 years ago because they have more specific and more informed expertise than general litigators.
Thompson noted, "To not have a cybersecurity attorney on retainer is foolhardy at best," because organizations need somebody who is a specialist in what Thompson identified as the four main areas of concern: breach scenarios, personnel policies, cyber liability insurance, and working with government.
Maintaining privilege is paramount in the aftermath of a breach, but understanding the differences among a possible incident, an incident, or a breach will drive the company's response. Cybersecurity attorneys work with organizations to develop their incident response plans, which determines who speaks to whom when and about what. Thompson said, "The plan should be very basic and the attorney is a key part in designing the plan."
Cybersecurity attorneys are experts in incident response, and Thompson said, "Counsel and public relations should run the incident. IT provides them with the information to make decisions, but in reality 99% of incident response and forensics is run through IT not counsel." The risk in IT running the incident response is that they are not versed in the policies and procedures of custodianship of data.
Thompson also talked about personnel policies. If a private employee who used cloud leaves or is termination, what is the organization's termination responsibility? Cybersecurity attorneys are also instrumental in working with the government for subpoenas so that organizations can maintain privilege and be in compliance with the law.
[ RELATED: What to do when an employee leaves the company ]
Mark Harrington, general counsel at Guidance Software, said, "How a company is prepared and how they handle a breach is important. The government is giving favor to companies that are well prepared and willing to cooperate." Harrington suggested, "If you don't have the internal expertise, you should find an expert law firm, educate yourself, or find a vendor."
"Not all data is equal. How is it being collected? How is it being stored? Discarded? Those who guard data have been viewed as criminals when they got hacked, and that's not fair," said Harrington. As the standards for cybersecurity continue to be established, perspectives have changed. Harrington said, "Now, if you had your act together and still got hacked, we're going to treat you as a victim."
The old adage, "proper preparation prevents poor performance," resonates when it comes to breaches and complying with privacy regulations.
"The government is going to look at how prepared you are to detect intrusion. Do you register attacks? Do you encrypt data? Most companies have outward facing policy to the public, but the FTC looks at policy as deceptive. If you are not being preventative, you're ignoring the issue and you subject yourself to being hacked," said Harrington.
Can an organization prepare for a breach without the aid of a cybersecurity attorney?
DJ Vogel, partner at Sikich's security and compliance practice, advised, "Determining whether to have a cybersecurity attorney should be based off of a company's risk assessment, which will inform what level of involvement they need from outside sources."
Because cybersecurity attorneys will have expertise that corporate attorneys may not have, Vogel said, "You should at least have a relationship with a cybersecurity lawyer." Well versed in breach notification laws specific to disclosures, cybersecurity attorneys work in conjunction with forensic investigators and public relations to frame incidents in the best light.
"Security and legal share very similar mission," said Sean Cordero, director in the office of the CISO at Accuvant. One area of overlap, Cordero said, is the cloud. "One of the most opportune things that has happened for cybersecurity is the cloud. When you're moving into the cloud, you're inevitably relying on external controls. The only way to maintain control is through contract language," Cordero said.
Another area of concern for Cordero is policy development within a security group. "When you have IT and security personnel with no legal training trying to develop policy, you have the potential to inadvertently expose the organization to harm." Companies need somebody who is a specialist.
Though much of the disclosure language is similar from state to state, the implementation might be different. Cordero spoke of the differences between Iowa and California and the specific laws around notification in a breach. "An organization must have, when dealing with any kind of interstate or international regulation, they need to have legal expertise," Cordero said.
Though the expertise of a cybersecurity attorney is a great benefit to some organizations, companies must consider their individual needs. A key consideration is in risk assessment. "If a smaller organization has limited sensitive data, it may not need a cybersecurity attorney on retainer, but larger name organizations with [service-level agreement] attached to it are definitely seeing more and more lawyers," said Vogel.
"The bottom line," said Cordero, "is that when companies are dealing with data, they should have available to them someone with the legal expertise they need. Security professionals are experts at coordinating response, but appropriate handling of information in accordance with the law demands an outside attorney."
Being informed and knowing when to call upon the expertise of an outside attorney is a critical step in security. "Knowing industry technology standards is quite different from being able to interpret the law," Cordero said. Having a cybersecurity attorney on retainer means, "not exposing your organization to additional risk that could result in collateral damage," Cordero said.