Last year, SEC Chair Mary Jo White named cybersecurity as the biggest risk facing financial markets. But the risk isn’t limited to the financial industry – even a casual review of breach reports in the mainstream press shows that cybersecurity is a risk common to all companies in any industry. The challenge facing companies is how to prepare for what seems to be inevitable, and how to do it on an efficient and economical basis.
The key element in preparing for a data breach is less a technical matter than a traditional evaluation of business risk. Companies regularly analyze the risks of business decisions, and just as regularly, recognize that risk analysis requires legal advice. Evaluating cybersecurity risk is no different – it requires that a company understands the risks it takes, which risks it is willing to assume as part of its business and which risks need to be eliminated or shifted (through insurance, contractual arrangements or otherwise). Given this, obtaining competent legal advice before a breach is a critical aspect of any cybersecurity plan.
Despite this fact, many companies focus their data protection programs in IT, and only bring in their lawyers late in the game to bless their cybersecurity measures. While legal expenses are always a concern, companies will reap a greater return on their overall cybersecurity investment by soliciting advice early on, and stand better odds that a breach will be handled correctly and efficiently.
What can cybersecurity lawyers bring to the table?
Perhaps most importantly, legal counsel commonly work with a variety of corporate players and are in a unique position to work hand-in-glove with IT, HR, and other functions to assess and reduce cybersecurity risk while still permitting a company to function efficiently. An experienced lawyer is often the best person to lead a team that establishes key protocols to avoid a breach, including policies and procedures for privacy, confidentiality, mobile device usage, record retention, and breach protocol. Lawyers are particularly able to address the key elements of an effective cybersecurity plan.
Identifying the Unique: An attorney will be able to identify state, federal, and international privacy and security laws governing a particular company. All clients are different, and no one policy fits all industries or companies; indeed, far from being a one-size-fits-all exercise, privacy is often a “one-fits-one” affair. An off-the-shelf strategy carries significant risk, and cybersecurity lawyers can identify, in advance, the differences that are key to establishing an effective cybersecurity policy. In addition, while most IT and HR professionals have worked at fewer than five companies, a lawyer with a large client base has helped scores of companies establish policies, and is up to date on best practices.
Confidentiality: Knowing what information requires protection is not always an easy task. While there are some bright lines, there is far more gray than black and white. Legal counsel needs to be part of the process of building a workable model. Identifying different classes of protected information and the degree of protection required is an exercise that attorneys are uniquely capable of fulfilling.
The Human Factor: Most breaches are not caused by hackers; rather, they are cases of human mistake: lost or stolen laptops, misplaced thumb drives, documents and data sent outside a secure system so an employee can work remotely, or the bad acts of insiders. The human factor is often overlooked, but it is a key means by which cybersecurity can be enhanced.
Breach Protocol: The laws governing data breaches–statutory, regulatory and those that are the result of court cases–are constantly changing. That means a company’s duties to its employees, partners, and customers are often in flux. An attorney with her or his finger on the pulse of data crisis best practices needs to be a part of the company strategy long before a breach occurs to ensure the best outcome. When there were only a handful of breach notification laws, a specialist might not be required. With different laws adopted in 47 states, as well as varying international requirements, experienced help is required.
Company Knowledge: Finally, engaging an attorney early, before a breach occurs, allows a breach to be dealt with early. Counsel that has prior knowledge of a company and its key personnel and functions can help respond to a breach more effectively and faster than a newly-engaged attorney.
Other Advantages of Involving Legal Counsel at the Outset
There are additional advantages of having a lawyer as part of your primary cybersecurity team. Key among them are privileged communications, the involvement of a veteran of innumerable data protection strategies and breach responses, and a faster response time when a crisis occurs, as the attorney knows the company, its protocols and applicable laws. This results in lower legal costs in the event of a breach.
It Hasn’t Happened – Yet
There is a sociological theory that those who haven’t suffered an accident or crisis believe they are immune from risk, i.e., the fact they haven’t had an unfortunate event proves their superior experience and means they won’t have one. But risk and accident analysis blast that fallacy apart. We aren’t immune; our crisis just hasn’t happened yet.
A breach-free history is not an insurance policy. Data breaches are a matter of time; it’s when, not if. Companies should not be lulled into cybersecurity complacency, believing their practices and protocols inoculate them from risk. Legal counsel is the best professional to determine that risk. Furthermore, it’s important to have someone on hand who knows a company’s data and practices inside and out when the inevitable happens.
The last thing any company wants is a weekend email from IT about a breach with the subject line “Who should we call?” An established cybersecurity team that begins with experienced outside counsel is key to a sound first line of defense.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.