Lawyers Get Schooled on Cyber Threats
Since the Target data breach was made public during the holiday season in 2013, 140 lawsuits have been filed against the retailer. Those include three class-action suits and individual suits from banks and shareholders. In addition, there are ongoing investigations by the Federal Trade Commission, the Securities and Exchange Commission (SEC), and numerous other state and federal agencies.
A federal judge has already given preliminary approval for Target to move towards settling the consolidated class-action suit, but the remaining suits will continue to play out in the court system for months, if not years, feeding the market for cyber law services.
And Target is not alone. Home Depot is facing a slew of lawsuits following a data breach. Sony is facing litigation after employees’ personal identifying information was made public in a massive cyberattack last fall. Premera Blue Cross also got in legal trouble when customer data was made public following a corporate hack of the health insurance provider.
This troubling trend makes it clear that before hiring an in-house lawyer or contracting with outside counsel, companies must ensure that the attorneys are cyber savvy. According to a recent report, however, many lawyers still lack technical knowledge when it comes to this subject.
Legal Status Quo
Data security is the second most important issue for general counsel, following regulatory compliance, according to The Emergence of Cybersecurity Law by Hanover Research for the Indiana University Maurer School of Law.
Yet, when asked to rate their preparedness to meet cyber threats, legal departments surveyed for the Hanover report gave themselves a 6.57 on a 10-point scale, with only 40 percent giving a rating of 8 or above.
“Although this indicates moderate confidence in the general counsels’ preparedness, it also shows that law departments could be doing more to reach full preparedness for preventing and containing cybersecurity breaches,” the report said.
Part of the problem is that most of the departments surveyed for Hanover’s research have no staff dedicated to cybersecurity in any capacity, with only 23.5 percent reporting that they have full-time staff devoted to the issue.
One survey respondent said that boards and senior management tend to view cybersecurity as a cost center; with a focus on financial performance. They prefer to devote resources to “sales, marketing, and [other] activities that grow revenue,” according to the report.
This could be a problem, as legal departments are starting to play a bigger role in corporate cybersecurity, with nearly 70 percent of corporate law departments surveyed saying they are proactively involved.
“What we found in the survey was that firms are increasingly trying to proactively include general counsel and legal officers” in cybersecurity, says Daniel Thomas, content director at Hanover Research who oversaw the report.
The report found that it’s becoming “increasingly common” for companies to involve legal counsel in cybersecurity. “This trend is attributable, in part, to increased regulatory pressure on companies to prepare for cyber incidents and to disclose cyber risks and data breaches to consumers.”
Additionally, lawyers’ involvement in corporate cybersecurity has increased because of data breaches and privacy. “The question has largely shifted from whether lawyers should be involved in a company’s cybersecurity efforts to when lawyers should become involved,” according to the report. “Lawyers are best suited to apply relevant laws to the facts and circumstances of the company, assess compliance, and inform decision-making for companies’ cybersecurity efforts as they relate to the law.”
A Collaborative Approach
Companies are now recognizing that while IT staff can safeguard data, they may not be aware of the regulatory requirements associated with safeguarding that data. One expert interviewed for the Hanover report said that company IT and risk management staff often lack “hard stops” for knowing when a cybersecurity matter should be elevated to legal counsel.
“Often IT and risk management staff believe that they can handle the legal aspects of cybersecurity, but the better question is: should they be handling it?” the expert asked. General counsel needs to be brought in to assess the procedures, training, and risk assessments involved in cybersecurity response plans. This is especially crucial for publicly traded companies, which are subject to regulations under the SEC for reporting breaches to shareholders.
In this role, lawyers are also becoming part of a broader cybersecurity team, which the report suggests should include legal, IT, management, and financial experts to create a “collaborative partnership” among several supporting units. “Working in coordination with IT professionals and other parts of the corporation, lawyers must play a role in designing the procedures, training, and risk assessments required to implement managerial, operational, and technical controls needed to protect data,” the report advises.
This coordination comes together in a necessary holistic approach to managing cyber threats, Thomas says. “Companies as a whole need to have a broader strategy in which they’re assessing at regular meetings between legal staff and technical staff…keeping each other apprised of developments in the field.”
But before those meetings take place, companies need to ensure that their general counsel understands cybersecurity law and how that law affects the company as a whole.
Lawyers are never going to have the same level of technical knowledge about cybersecurity as IT staff. Instead, Thomas explains that lawyers “should be able to have a conversation which is well informed, which they’re able to pick out what is a really key point and what is a reasonable threat that they should be looking out for.”
But like many professionals, lawyers and IT personnel have their own jargon- filled language, and when they attempt to communicate, things can quickly get muddy. “What we often find, and we find this in every setting…they can’t even have the conversation,” says Fred Cate, senior fellow at the Center for Applied Cybersecurity Research at the Indiana University Maurer School of Law.
This can result in crucial information getting lost in translation as C-suites begin to expect general counsel to communicate the potential cybersecurity liability risks to executives and to IT. “If [lawyers] are going to be effective, they’re going to have to have some basic understanding of technology and the ability to talk with technologists intelligently,” Cate explains.
And Hanover’s study agrees. According to its findings, more than two-thirds of the lawyers surveyed rated improved cybersecurity training as “very” or “extremely” important. Yet only one-third of respondents said they were “very familiar” with the topic of cybersecurity. “As one respondent put it, cybersecurity may be less of a concern for some law departments ‘probably because we do not know enough about it,’” according to the report.
This might be because there is no accepted way for lawyers to learn about cybersecurity, instead relying on various options, Thomas says. These options include newsletters, specialized conferences on cyber law and cybersecurity, the SEC website, and resources from the American Bar Association (ABA).
But taking a class in cybersecurity or acquiring formal education in cybersecurity “didn’t necessarily seem to be a stand out way that practicing attorneys are finding out about this area of education,” he adds.
Because of the findings and lawyers’ continuing education requirement to remain in good standing with a state bar, law schools may begin offering noncredit or credit education for lawyers on cybersecurity, Thomas says. One example of this is a program that Cate is attempting to create at the Maurer School that will offer graduate certificates for four-course packages in information security and information privacy. Students will be able to take the classes online and enroll on a rolling admission basis.
Other courses are designed for professionals “who don’t want to take three years of their lives to go to law school, but can nevertheless get a pretty good, solid introduction into the areas,” Cate explains. “And those are offered online, so [students] don’t have to uproot themselves for six months.”
Cate is still working on getting final approval for the courses, which target students with or without legal training; security and privacy professionals who might want to know more about the relevant legal issues; and professionals interested in making the move to security or privacy.
“We have built the certificates with modules that can be added as necessary based on the student’s background,” Cate says. “For example, we have an introduction to computing systems and technologies course for people with no technology experience. Similarly, we have an introduction to U.S. law that would be available to students without prior legal experience.”
The ABA has also increased efforts to educate its approximately 40,000 members about cybersecurity. In 2012, ABA President Laurel Bellows created the association’s Cybersecurity Legal Task Force to identify and compile resources within the ABA that pertain to cybersecurity.
The task force has also held workshops, presented conferences, and crafted publications, including The ABA Cybersecurity Handbook, which provides practical cyber threat information and strategies for lawyers and firms.
Another publication, A Playbook for Cyber Events, is a guide for legal and cybersecurity professionals on the relationship between legal, operating, and technical issues required for successful cyber response. The ABA task force plans to release its new publication, A Call to Cyber Norms, this year.
“The task force has been extremely successful—we’ve been able to galvanize the ABA to focus on this particular issue of cyber,” says Harvey Rishikof, cochair of the task force. “And I think the ABA as an entity is recognizing and beginning to focus on this as one of the great challenges and opportunities of this profession.”
Along with educating existing members of their legal departments, companies can also consider relevant cyber experience when adding to their legal staff. Cate suggests looking for someone with practical experience if a company wants to engage outside counsel.
“Just like with surgeons, you don’t want to be your outside counsel’s first case,” he says. “So the key question would be, what other clients have you worked with in the past and what cyber-related services have you provided them?”
For lower-level positions, like hiring an incoming junior attorney, companies should look for educational background, relevant—but less advanced—experience, and “a real passion for the field,” Cate adds. “Smart people can learn a lot on the job, and many companies make the mistake of not using their own IT and risk management expertise to help train their lawyers.”
Educating general counsel and hiring general counselors who focused on cybersecurity during their time at law school could be beneficial to corporations given that cyber law will remain a prominent issue for corporate leaders, the Hanover report finds.
Having lawyers play a proactive role in corporate cybersecurity isn’t a silver bullet, but Cate says that it is necessary to tackling the growing problem.
“I’m not in any way suggesting that we could solve cybersecurity issues just by having more lawyers involved,” he explains. “But if we don’t think more about law and legal regulation and legal incentives, we will never solve this problem.”