Distinguishing the technical experts from those responsible for legal obligations and risks will help companies develop better breach response plans. Understanding the role of an external cybersecurity firm will only help.

Cybersecurity has long been one of the main issues keeping CIOs awake at night. Now, with the number of high-profile cyberattacks seeming to increase each month, security is haunting IT leaders during the daytime, too.

Clearly, bulletproof cybersecurity is a long way off. Perhaps it won’t ever be achieved. But even with a seemingly impenetrable security system in place, you still need an attorney focused on cybersecurity issues. Sure, internal counsel can help you minimize your company’s legal risks. But partnering with an external firm boasting security expertise can also help the CIO navigate several unfamiliar legal areas, such as compliance with local, state and national privacy laws and security requirements, civil litigation over data and privacy breaches, and corporate governance.

“The breadth of industries who need this type of counsel has exploded,” says Amy Terry Sheehan, editor in chief of the Cybersecurity Law Report. “Law firms that didn’t have cybersecurity are forming. General practice litigators and corporate attorney advisors will now have familiarity with cybersecurity and data privacy issues.”

Because every company now has data online – including personally identifiable information (PII), trade secrets and patent information – Sheehan says, “There is an increased need for specialized expert attorneys in cybersecurity and data privacy.
Even attorneys who are working on mergers and acquisitions need to know the cybersecurity laws.”

A key component of an incident response plan

Sheehan also points out that “Many companies rely on outside counsel to coordinate incident response planning and incident response, while other companies have in-house counsel play that role and bring in outside counsel when a more complicated legal issue or scenario comes up.” Because time is not a friend in any breach situation, companies that have cybersecurity attorneys on retainer are better positioned to respond to incidents quickly and efficiently.

CIOs are clearly responsible for the technical aspects of cybersecurity, of course, but as Sheehan says, “negotiating with the government or a complicated investigation that requires more manpower” demands the expertise of a cybersecurity attorney.

JJ Thompson, chief executive officer at Rook Security, concurs. “To not have a cybersecurity attorney on retainer is foolhardy at best,” because organizations need somebody who is a specialist in what Thompson identifies as the four main areas of concern: breach scenarios, personnel policies, cyber liability insurance and working with government.

Maintaining privilege is paramount in the aftermath of a breach, but understanding the differences between a possible incident, an actual incident and a breach will drive the company’s response. Cybersecurity attorneys work with organizations to develop their incident response plans, which determine who speaks to whom, when, and about what. “The plan should be very basic and the attorney is a key part in designing the plan,” Thompson says.

The age of immediate litigation?

The old adage, “proper preparation prevents poor performance,” resonates when it comes to breaches and complying with privacy regulations. Additional risks exist around response time in the aftermath of a breach.
According to Sheehan, “You’ll not have valuable advice in advance of a breach, which presents litigation risks, and litigation is becoming much more common – it’s filed immediately after a breach, and counsel is involved in mitigating litigation risks.”

Companies and organizations ranging from Target to Sally Beauty Supply to Sony to the U.S. Office of Personnel Management (OPM) have seen their reputations tarnished by major breaches. And the class action lawsuits that followed shifted the courts’ perception of harm, which in turn changed the established interpretation of the law and gave rise to the field of cybersecurity law.

In their paper, “Cybersecurity and Privacy Enforcement: A Roundup of 2014 Cases,” Francis J. Burke, Jr. and Steven M. Millendorf, CIPP/US, noted, “In 2011, the Sony PlayStation Network (PSN) suffered a data breach that exposed personal identifiable information for millions of Sony’s customers.” Even though Sony took the network offline, they failed to notify their customers of the breach. The court ruled, “The plaintiffs had plausibly alleged a credible threat of harm based on the disclosure of their personal information following the attack.”

Burke Jr. and Millendorf also wrote about the shareholder derivative cases in the Target breach. “The complaints further allege that these failures severely damaged the company, and note that the company is under investigation by the United States Secret Service and the Department of Justice as well as the growing multitude of class action lawsuits against the company.”

Are hacked companies victims, or complicit?

“The government is going to look at how prepared you are to detect intrusion. Do you register attacks? Do you encrypt data?
Most companies have outward-facing policy to the public, but if you are not being preventative, you’re ignoring the issue and you subject yourself to being hacked,” says Mark Harrington, general counsel at Guidance Software, which develops and provides software solutions for digital investigations.

Harrington points out that how a company is prepared and how it handles a breach is of paramount importance, legally speaking. “The government is giving favor to companies that are well-prepared and willing to cooperate.” Harrington suggests, “If you don’t have the internal expertise, you should find an expert law firm, educate yourself or find a vendor.”

“Not all data is equal. How is it being collected? How is it being stored? Discarded? Those who guard data have been viewed as criminals when they got hacked, and that’s not fair,” says Harrington. As the standards for cybersecurity continue to be established, perspectives have changed. “Now, if you had your act together and still got hacked, we’re going to treat you as a victim,” insists Harrington.

Cybersecurity attorneys are experts in incident response, and, as Thompson says, “Counsel and public relations should run the incident. IT provides them with the information to make decisions, but in reality, 99 percent of incident response and forensics is run through IT, not counsel.” The risk in IT running the incident response is that IT staff are not versed in the policies and procedures of data custodianship. If budgets are limited, in-house attorneys who are informed on cybersecurity laws can play similar roles in response planning.
According to Sheehan, “If there is no in-house counsel, they should examine their budget to prioritize having outside counsel, which will save money in the big picture by decreasing the impact of breach and litigation expenses.”