Distinguishing the technical experts from those responsible for legal obligations and risks will help companies develop better breach response plans. Understanding the role of an external cybersecurity firm will only help.

Cybersecurity has long been one of the main issues keeping CIOs awake at night. Now, with the number of high-profile cyberattacks seeming to increase each month, security is haunting IT leaders during the daytime, too.

Clearly, bulletproof cybersecurity is a long way off. Perhaps it won’t ever be achieved. But even with a seemingly impenetrable security system in place, you still need an attorney focused on cybersecurity issues. Sure, internal counsel can help you minimize your company’s legal risks. But partnering with an external firm with security expertise can also help the CIO navigate several unfamiliar legal areas, such as compliance with local, state and national privacy laws and security requirements, civil litigation over data and privacy breaches, and corporate governance.

“The breadth of industries who need this type of counsel has exploded,” says Amy Terry Sheehan, editor in chief of the Cybersecurity Law Report. “Law firms that didn’t have cybersecurity are forming. General practice litigators and corporate attorney advisors will now have familiarity with cybersecurity and data privacy issues.”

Because every company now has data online – including personally identifiable information (PII), trade secrets and patent information – Sheehan says, “There is an increased need for specialized expert attorneys in cybersecurity and data privacy. Even attorneys who are working on mergers and acquisitions need to know the cybersecurity laws.”

A key component of an incident response plan

Sheehan also points out that “Many companies rely on outside counsel to coordinate incident response planning and incident response, while other companies have in-house counsel play that role and bring in outside counsel when a more complicated legal issue or scenario comes up.” Because time is not a friend in any breach situation, companies that have cybersecurity attorneys on retainer are better positioned to respond to incidents quickly and efficiently.

CIOs are clearly responsible for the technical aspects of cybersecurity, of course, but as Sheehan says, “negotiating with the government or a complicated investigation that requires more manpower” demands the expertise of a cybersecurity attorney.

JJ Thompson, chief executive officer at Rook Security, concurs. “To not have a cybersecurity attorney on retainer is foolhardy at best,” because organizations need somebody who is a specialist in what Thompson identifies as the four main areas of concern: breach scenarios, personnel policies, cyber liability insurance and working with government.

Maintaining privilege is paramount in the aftermath of a breach, but understanding the differences between a possible incident, an actual incident and a breach will drive the company’s response. Cybersecurity attorneys work with organizations to develop their incident response plans, which determine who speaks to whom, when, and about what. “The plan should be very basic and the attorney is a key part in designing the plan,” Thompson says.

The age of immediate litigation?

The old adage, “proper preparation prevents poor performance,” resonates when it comes to breaches and complying with privacy regulations. Additional risks exist around response time in the aftermath of a breach. According to Sheehan, “You’ll not have valuable advice in advance of a breach, which presents litigation risks, and litigation is becoming much more common – it’s filed immediately after a breach, and counsel is involved in mitigating litigation risks.”

Companies and organizations ranging from Target to Sally Beauty Supply to Sony to the U.S. Office of Personnel Management (OPM) have seen their reputations tarnished by major breaches. And the class action lawsuits that followed shifted the courts’ perception of harm, which in turn changed the established interpretation of the law and gave rise to the field of cybersecurity law.

In their paper, “Cybersecurity and Privacy Enforcement: A Roundup of 2014 Cases,” Francis J. Burke, Jr. and Steven M. Millendorf, CIPP/US, noted, “In 2011, the Sony PlayStation Network (PSN) suffered a data breach that exposed personal identifiable information for millions of Sony’s customers.” Even though Sony took the network offline, it failed to notify its customers of the breach. The court ruled, “The plaintiffs had plausibly alleged a credible threat of harm based on the disclosure of their personal information following the attack.”

Burke Jr. and Millendorf also wrote about the shareholder derivative cases in the Target breach. “The complaints further allege that these failures severely damaged the company, and note that the company is under investigation by the United States Secret Service and the Department of Justice as well as the growing multitude of class action lawsuits against the company.”

Are hacked companies victims, or complicit?

“The government is going to look at how prepared you are to detect intrusion. Do you register attacks? Do you encrypt data? Most companies have outward-facing policy to the public, but if you are not being preventative, you’re ignoring the issue and you subject yourself to being hacked,” says Mark Harrington, general counsel at Guidance Software, which develops and provides software solutions for digital investigations.

Harrington points out that how a company prepares for and handles a breach is of paramount importance, legally speaking. “The government is giving favor to companies that are well-prepared and willing to cooperate.” Harrington suggests, “If you don’t have the internal expertise, you should find an expert law firm, educate yourself or find a vendor.”

“Not all data is equal. How is it being collected? How is it being stored? Discarded? Those who guard data have been viewed as criminals when they got hacked, and that’s not fair,” says Harrington. As the standards for cybersecurity continue to be established, perspectives have changed. “Now, if you had your act together and still got hacked, we’re going to treat you as a victim,” insists Harrington.

Cybersecurity attorneys are experts in incident response, and, as Thompson says, “Counsel and public relations should run the incident. IT provides them with the information to make decisions, but in reality, 99 percent of incident response and forensics is run through IT, not counsel.” The risk in IT running the incident response is that IT staff are not versed in the policies and procedures of data custodianship.

If budgets are limited, in-house attorneys who are informed on cybersecurity law can play a similar role in response planning. According to Sheehan, “If there is no in-house counsel, they should examine their budget to prioritize having outside counsel, which will save money in the big picture by decreasing the impact of breach and litigation expenses.”