Cybersecurity has long been one of the main issues keeping CIOs awake at night. Now, with the number of high-profile cyberattacks seeming to increase each month, security is haunting IT leaders during the daytime, too.
Clearly, bulletproof cybersecurity is a long ways off. Perhaps it won't ever be achieved. But even with a seemingly impenetrable security system in place, you still need an attorney focused on cybersecurity issues. Sure, internal counsel can help you minimize your company's legal risks. But partnering with an external firm boasting security expertise can also help the CIO navigate through several unfamiliar legal areas, such as compliance with local, state and national privacy laws and security requirements, civil litigation over data and privacy breaches, and corporate governance.
"The breadth of industries who need this type of counsel has exploded," says Amy Terry Sheehan, editor in chief of the Cybersecurity Law Report. "Law firms that didn't have cybersecurity are forming. General practice litigators and corporate attorney advisors will now have familiarity with cybersecurity and data privacy issues."
Because every company now has data online including personally identifiable information (PII), trade secrets and patent information Sheehan says, "There is an increased need for specialized expert attorneys in cybersecurity and data privacy. Even attorneys who are working on mergers and acquisitions need to know the cybersecurity laws."
A key component of an incident response plan
Sheehan also points out that "Many companies rely on outside counsel to coordinate incident response planning and incident response, while other companies have in-house counsel play that role and bring in outside counsel when a more complicated legal issue or scenario comes up."
Because time is not a friend in any breach situation, companies that have cybersecurity attorneys on retainer are better positioned to quickly and efficiently respond to incidents.
CIOs are clearly responsible for the technical aspects of cybersecurity, of course, but as Sheehan says, "negotiating with the government or a complicated investigation that requires more manpower" demands the expertise of a cybersecurity attorney.
JJ Thompson, chief executive officer at Rook Security concurs. "To not have a cybersecurity attorney on retainer is foolhardy at best," because organizations need somebody who is a specialist in what Thompson identifies as the four main areas of concern: breach scenarios, personnel policies, cyber liability insurance and working with government.
Maintaining privilege is paramount in the aftermath of a breach, but understanding the differences between a possible incident, an actual incident or a breach will drive the company's response. Cybersecurity attorneys work with organizations to develop their incident response plans, which determines who speaks to whom when and about what. "The plan should be very basic and the attorney is a key part in designing the plan," Thompson says.
Sign up for Computerworld eNewsletters.