Developing plans to protect your digital information and network while complying with state and federal regulations can be a legal challenge for any corporation. Is relying on in-house counsel enough, or should companies have a cybersecurity attorney on retainer?
In-house counsel remains imperative for corporations, particularly for financial institutions, banks, and the healthcare industry. Corporate attorneys are learning more about cyber security laws, but the number of industries that need cybersecurity attorneys has increased in the last five to 10 years.
Cybersecurity law firms provide services from data breach to cybercrime, compliance with local privacy laws, security policies, record management, digital media privacy, litigation and more. While internal counsel remains an integral part of corporate wellness, partnering with external counsel with security expertise could help to minimize damage.
Consulting a cybersecurity attorney while developing an incident response plan is instrumental. Because time is not a friend in any breach situation, companies that have cyber security attorneys on retainer are better positioned to quickly and efficiently respond to incidents.
"A decade ago there was not enough demand in the field of cyber security law to build a practice around it," said JJ Thompson, chief executive officer at Rook Security. Today, entire practices are flourishing in the field of cyber security law. Cybersecurity attorneys play a greater role now than they did five to 10 years ago because they have more specific and more informed expertise than general litigators.
Thompson noted, "To not have a cybersecurity attorney on retainer is foolhardy at best," because organizations need somebody who is a specialist in what Thompson identified as the four main areas of concern: breach scenarios, personnel policies, cyber liability insurance, and working with government.
Maintaining privilege is paramount in the aftermath of a breach, but understanding the differences among a possible incident, an incident, or a breach will drive the company's response. Cybersecurity attorneys work with organizations to develop their incident response plans, which determine who speaks to whom, when, and about what. Thompson said, "The plan should be very basic and the attorney is a key part in designing the plan."
Cybersecurity attorneys are experts in incident response, and Thompson said, "Counsel and public relations should run the incident. IT provides them with the information to make decisions, but in reality 99 percent of incident response and forensics is run through IT not counsel." The risk in IT running the incident response is that they are not versed in the policies and procedures of custodianship of data.
Thompson also talked about personnel policies. If a private employee who used cloud services leaves or is terminated, what is the organization's termination responsibility? Cybersecurity attorneys are also instrumental in working with the government for subpoenas so that organizations can maintain privilege and be in compliance with the law.