Why no Organization Should be without a Cyber Attorney
- Regulatory & Compliance
- 3 Mins
Cybersecurity is a top concern for organizations of all shapes and sizes. Whether it be a global organization or a small business, each will inevitably collect and store consumer data that hackers could attempt to steal. While significant events like product launches, mergers and acquisitions, and new vendor partnerships are prime opportunities for attacks, risk still exists in daily operations. Think about the data stored by human resources departments for potential, past, and current employees. Or other data pertinent to daily operations for many businesses like GPS tracking, healthcare patient information, and financial transactions. The fact of the matter is that every organization interacts with data on the daily and likely uses an electronic system to store this information. Because of this, organizations in any industry should consider retaining outside counsel specializing in cybersecurity or hire a staff attorney practicing in this area. The relationship can be scaled according to organization size and specific security needs to stay within budget while still improving security practices to protect sensitive data.
Here are some important reasons why every organization should consider hiring a cyber attorney:
- Attorney-client privilege: The foundation of an organization’s relationship with any type of counsel is trust – both in the substance of advice given and the assurances of confidentiality. When dealing with cybersecurity matters, being able to tap into legal expertise offers several advantages. First, in the event of a breach having counsel on speed dial will help tremendously with mitigation. This allows an organization to gather quick advice about notification obligations and other compliance requirements. Being proactive and establishing this relationship prior to an incident will streamline remediation efforts and limit the risk of fallout, as response protocols will already be outlined and tested. Chances are that your cybersecurity counsel will have retained tech experts to assist with matters like security program implementation and breach response. This means that not only will your attorney’s advice be privileged, but there is also an argument that any directives from the third-party tech expert can also be cloaked under this privilege. In the event of litigation resulting from an incident, this is a major protection.
Although an organization may want to assert privilege to shield or lessen liability, looking from the other perspective disclosure can be beneficial during litigation or regulatory review. Being transparent about the security procedures and updates deployed may help exhibit compliance, and any technical consultant that the attorney used could testify to illustrate that an organization uses industry-standard practices.
- Expanded legal knowledge and industry connections: Most cyber attorneys have a diverse background and skills in areas like litigation, incident response, technology management and implementation, business operations, internal and vendor risk assessment, contracts, mergers, insurance, privacy, and government. When choosing a cyber attorney, it is important to consider their backgrounds and prioritize which skills would be most helpful in meeting your objectives. For example, an organization encountering regulatory investigations would benefit from an attorney with knowledge in government, mergers, and/or privacy. If the goal is to create a comprehensive incident response program, valuable skills would include risk assessment, incident response planning, and/or technology management. Overall, implementing strong security practices will foster compliance and decrease risk surrounding cyber-attacks.
Additionally, a cyber attorney will also bring their networking to the table which will be valuable to the organization. This includes connections with regulators, agencies, technology experts, vendors, and more. Being able to tap into these resources will be beneficial when making security decisions like negotiating a technology or vendor agreement, creating internal compliance frameworks, or formulating a litigation readiness plan. A cyber attorney can also offer a level of objectivity to provide an unbiased evaluation about an organization’s security practices or incident response.
"Securing incident response expert services through the cyber attorney is one way to draw a clean line between services provided in support of the business and services rendered in preparation for potential litigation which you need to uphold privilege. Blurring these lines and potentially losing privilege can make or break you if lawsuits are introduced in the aftermath of an attack." – Jerich Beason
Having consistent counsel to contact about cybersecurity issues — whether on-site or with outside counsel — will help ensure that an organization’s infrastructure, policies, and practices promote data protection. This is important pre-incident in the planning phase to the post-incident response phase to combat threats and expedite remediation efforts. Some small areas to consider focusing on initially include website privacy policies, penetration testing, data mapping, compliance evaluations, and employee trainings. When consulting with outside counsel, it is crucial to articulate why the organization wants to bring them in and discuss the benefits of forming an ongoing relationship. Some important information to outline includes organization structure, sensitive data sources, current security practices and policies, vendor partnerships, past security review data (if any), regulatory obligations, contractual covenants, and risk evaluation methodology. Then, there can be a conversation around where gaps exist and how to close them. The role of the cyber attorney can be ongoing if desired, not only to help with things like breach response or regulatory investigations but also to continuously inform on cyber risks as new technologies or threats emerge over the years.
"There are few advancements in business that don’t include technology and there are few technologies that don’t introduce cybersecurity risks. My internal and external counsel ensure I am aware of the regulatory and legal implications should one of those risks become realized. They are a key partner to our success in cybersecurity and as an organization." – Jerich Beason
To learn more, please click here to listen to our latest podcast on this topic.