CIO

Why every CIO needs a cybersecurity attorney

Distinguishing the technical experts from those responsible for legal obligations helps companies develop better breach response plans.

Cybersecurity has long been one of the main issues keeping CIOs awake at night. Now, with the number of high-profile cyberattacks seeming to increase each month, security is haunting IT leaders during the daytime, too.

Clearly, bulletproof cybersecurity is a long way off. Perhaps it won't ever be achieved. But even with a seemingly impenetrable security system in place, you still need an attorney focused on cybersecurity issues. Sure, internal counsel can help you minimize your company's legal risks. But partnering with an external firm with security expertise can also help the CIO navigate several unfamiliar legal areas, such as compliance with local, state and national privacy laws and security requirements, civil litigation over data and privacy breaches, and corporate governance.

"The breadth of industries that need this type of counsel has exploded," says Amy Terry Sheehan, editor in chief of the Cybersecurity Law Report. "Law firms that didn't have cybersecurity are forming. General practice litigators and corporate attorney advisors will now have familiarity with cybersecurity and data privacy issues."

Because every company now has data online, including personally identifiable information (PII), trade secrets and patent information, Sheehan says, "There is an increased need for specialized expert attorneys in cybersecurity and data privacy. Even attorneys who are working on mergers and acquisitions need to know the cybersecurity laws."

A key component of an incident response plan

Sheehan also points out that "Many companies rely on outside counsel to coordinate incident response planning and incident response, while other companies have in-house counsel play that role and bring in outside counsel when a more complicated legal issue or scenario comes up."

Because time works against the victim in any breach situation, companies that have cybersecurity attorneys on retainer are better positioned to respond to incidents quickly and efficiently.


CIOs are responsible for the technical aspects of cybersecurity, of course, but as Sheehan says, "negotiating with the government or a complicated investigation that requires more manpower" demands the expertise of a cybersecurity attorney.

JJ Thompson, chief executive officer at Rook Security, concurs. "To not have a cybersecurity attorney on retainer is foolhardy at best," because organizations need somebody who is a specialist in what Thompson identifies as the four main areas of concern: breach scenarios, personnel policies, cyber liability insurance and working with government.

Maintaining attorney-client privilege is paramount in the aftermath of a breach, but understanding the differences between a possible incident, an actual incident and a breach will drive the company's response. Cybersecurity attorneys work with organizations to develop their incident response plans, which determine who speaks to whom, when and about what. "The plan should be very basic and the attorney is a key part in designing the plan," Thompson says.

The age of immediate litigation?

The old adage, "proper preparation prevents poor performance," resonates when it comes to breaches and complying with privacy regulations.

Additional risks exist around response time in the aftermath of a breach. According to Sheehan, "You'll not have valuable advice in advance of a breach, which presents litigation risks, and litigation is becoming much more common; it's filed immediately after a breach, and counsel is involved in mitigating litigation risks."

Companies and organizations ranging from Target to Sally Beauty Supply to Sony to the U.S. Office of Personnel Management (OPM) have seen their reputations tarnished by major breaches. And the class action lawsuits that followed shifted the courts' perception of harm, which in turn changed the established interpretation of the law and gave rise to the field of cybersecurity law.

In their paper, "Cybersecurity and Privacy Enforcement: A Roundup of 2014 Cases," Francis J. Burke, Jr. and Steven M. Millendorf, CIPP/US, noted, "In 2011, the Sony PlayStation Network (PSN) suffered a data breach that exposed personal identifiable information for millions of Sony's customers." Even though Sony took the network offline, it failed to notify its customers of the breach. The court ruled, "The plaintiffs had plausibly alleged a credible threat of harm based on the disclosure of their personal information following the attack."


Burke Jr. and Millendorf also wrote about the shareholder derivative cases in the Target breach. "The complaints further allege that these failures severely damaged the company, and note that the company is under investigation by the United States Secret Service and the Department of Justice as well as the growing multitude of class action lawsuits against the company."

Are hacked companies victims, or complicit?

"The government is going to look at how prepared you are to detect intrusion. Do you register attacks? Do you encrypt data? Most companies have outward-facing policy to the public, but if you are not being preventative, you're ignoring the issue and you subject yourself to being hacked," says Mark Harrington, general counsel at Guidance Software, which develops and provides software solutions for digital investigations.

Harrington points out that how a company prepares for and handles a breach is of paramount importance, legally speaking. "The government is giving favor to companies that are well-prepared and willing to cooperate." Harrington suggests, "If you don't have the internal expertise, you should find an expert law firm, educate yourself or find a vendor."

"Not all data is equal. How is it being collected? How is it being stored? Discarded? Those who guard data have been viewed as criminals when they got hacked, and that's not fair," says Harrington. As the standards for cybersecurity continue to be established, perspectives have changed. "Now, if you had your act together and still got hacked, we're going to treat you as a victim," insists Harrington.

Cybersecurity attorneys are experts in incident response, and, as Thompson says, "Counsel and public relations should run the incident. IT provides them with the information to make decisions, but in reality, 99 percent of incident response and forensics is run through IT, not counsel." The risk in having IT run the incident response is that IT staff are generally not versed in the legal policies and procedures that govern custodianship of data.

Where budgets are limited, in-house attorneys who are informed on cybersecurity law can play a similar role in response planning. According to Sheehan, "If there is no in-house counsel, they should examine their budget to prioritize having outside counsel, which will save money in the big picture by decreasing the impact of breach and litigation expenses."