The Law of Cybersecurity & In-House Counsel
Last month saw an interesting study emerge from the Maurer School of Law at Indiana University. It discusses the current and potential role of lawyers in the area of cybersecurity and the emerging, but still nascent, field of cybersecurity law. This is not a topic one sees today at CPD sessions for lawyers and that alone makes the paper worth reading, especially for corporate counsel.
The Emerging Law of CyberSecurity has a lot of interesting tidbits, especially a survey of corporate law departments.
According to this study, cybersecurity is:
1. Increasingly a legal issue as much as a technical one, given the American patchwork/sectoral approach to breach notification/security/privacy. This argues for a greater role for in-house counsel in the implementation of managerial, operational, and technical controls.
2. Becoming a “high concern” for legal departments, which translates into business opportunities for external legal counsel: a small market now but one with lots of upside. The top in-house concerns about cybersecurity incidents were the possibility of customer lawsuits and the potential loss of confidence by investors/shareholders.
3. Making in-house counsel more active. Almost 70 percent of those surveyed reported proactive involvement in cybersecurity. This is, in part, a result of increased pressure from regulatory agencies, such as the Securities and Exchange Commission.
Another glimpse into the role of lawyers in cybersecurity was how they met a 10-point “agenda” developed by Harriet Pearson (IBM’s first global privacy officer). That agenda, which can be found in an article here, qualifies as required reading for corporate counsel. In this Indiana study, it is used to map counsel roles to existing responsibilities. These agenda items can be considered “duties” and are presented below. The “numbers” indicating involvement in that activity, interestingly enough, are low.
Pearson’s Cybersecurity Agenda for Corporate Counsel & Survey Responses
1. Fulfill Fiduciary Duty of Board and Management: Prove the company’s directors and management met their duty to safeguard the company’s stock price and assets. (32% of respondent counsel said they were involved in this activity)
2. Address Disclosure Obligations and Appropriate Communications. Conduct training for effective internal and external communication during cybersecurity incidents. (48%)
3. Guide Participation in Public-Private Partnerships and Law Enforcement Interactions. Manage information sharing to reduce risk and avoid conflicts with clients or government authorities. (10%)
4. Achieve Regulatory Compliance. But avoid “check-the-box” compliance efforts that may hinder effective cybersecurity measures. (46%)
5. Provide Counsel to Cybersecurity Program. Bring policy issues or potential legal risks to senior management or the board. (13%)
6. Prepare to Handle Incidents and Crisis. Identify internal and external resources and consider in advance what legal issues may arise during an incident. (53%)
7. Manage Cybersecurity-Related Transactional Risk. Whether M&A, vendor management or customer contracts, create a “due diligence” checklist and approach to cybersecurity issues. (43%)
8. Effectively Use Insurance. Use insurance (it’s better than it used to be) but check the exclusions and conditions. (28%)
9. Monitor and Strategically Engage in Public Policy. Stay informed and engage in advocacy to build awareness of company positions and concerns. (22%)
10. Discharge Professional Duty of Care. Protect client and related information, particularly if it involves electronic communications and social media.
Perhaps the most telling statistic was the fact that 17% of the survey respondents admitted to doing none of the above. Half of the survey respondents work in companies with more than 700 employees.
I’m likely doing both the Indiana study and Pearson’s article a disservice in my summary here and would encourage the reader to read both in full.
What strikes me as significant about the above list is the fact that it requires “translation” skills on the part of legal counsel. In some instances, interpreting technical risks so as to minimize legal consequences; in others, communicating those risks and their legal consequences to interested stakeholders.
This study represents an interesting look at how corporate counsel interact with cybersecurity risks. For better or worse, this is something more and more in-house counsel will be doing over the coming years.