Legal specialists highly trained in cybersecurity law can offer your organization several key benefits.
As phishing and ransomware schemes get bolder and data breaches become more common, even seemingly bulletproof businesses are engaging cybersecurity lawyers to help bolster all facets of their cybersecurity and mitigate risk.
“Cybersecurity counsel is available to help you preemptively, during a response to a cyber event, and then post-event,” says Christine Baylet Bergeron, Assistant General Counsel at Regions Bank.
Beyond simply providing support in the event of a cybersecurity incident, good counsel also delivers several other essential services. Carrie Fowler, Assistant General Counsel at Regions, says, “You’re looking for your cybersecurity counsel to be a quarterback.” She explains that counsel can bridge the gap between your IT and legal departments, helping with everything from creating a compliance program for your organization to finding the most appropriate cyber liability insurance for your business.
Do You Need a Cybersecurity Attorney?
If your company collects data, conducts business online, or otherwise relies on cloud services, you may eventually find yourself in need of legal counsel specializing in cybersecurity.
Your organization’s individual needs and the extent of a cybersecurity lawyer’s participation should be based on the type of data you possess. Personal health information, financial data, Social Security numbers, and biometric data (such as fingerprints or iris scans) are all examples of sensitive data that may require expert legal oversight — and specific cyber insurance coverage.
“Of course, we get concerned about consumer-driven data, but we also look out for nonpublic information that could also be considered sensitive,” notes Fowler. “It depends on what the business considers highly sensitive or confidential.”
Mitigating risk
All businesses — regardless of their size, business dealings, or data holdings — should be proactive in their attempts to mitigate risk. However, certain organizations should be even more fastidious in their approach to cybersecurity. “The greater the volume or sensitivity of the data, the more you should be doing to protect that data preemptively,” says Baylet Bergeron. Likewise, international business relationships can further complicate adjudicating exposure and legal needs. For example, organizations that collect data belonging to individuals in the European Union are required to comply with the General Data Protection Regulation, or GDPR.
The benefits of attorney-client privilege
Another benefit to having a cybersecurity lawyer may include privilege, the legal privacy built into the attorney-client relationship. “The concept of privilege is important,” says Fowler, “but it has nuances that can be hard to grasp.”
Ultimately, attorney-client privilege is a complex topic — and one that depends in principle on the expectations and agreements between your organization and counsel. Businesses should make a proactive effort to understand which aspects of your relationship will and won’t be covered by the attorney-client privilege.
Finding the Right Cybersecurity Attorney
Given the rare skill set the role requires, your search for cybersecurity counsel should hinge on two key elements — experience and expertise — rather than existing relationships. “Cybersecurity attorneys have a very specific background and skill set,” explains Baylet Bergeron. “This means a firm that may represent your business in other areas may not necessarily be the right firm to be your cyber counsel.”
Fowler adds that you should look for “someone who has a true technology background,” such as an attorney with technical credentials or experience as a working technologist.
Consider starting your search with your existing business partners. Can your in-house counsel or partner legal firm provide a strong referral? Can your cybersecurity insurance broker provide you with a list of qualified attorneys?
Evaluating their background
As with any vendor, seek out relevant past work and a proven record of success. “Most law firms publish a summary of the type of work they perform,” Baylet Bergeron explains. “If a firm is known for providing cybersecurity guidance, it will usually include that information on its website.”
Baylet Bergeron also recommends senior leaders bring prospective firms or counselors in for in-person interviews. “You're going to have to do your own due diligence on their cybersecurity practices, their services, and their general cyber hygiene to make sure that you are comfortable with them as a long-term vendor,” she says. “That typically requires that you meet and ask them candid questions about their cybersecurity practices and how the firm can support your company’s cybersecurity needs.”
Better yet, you can ask a prospective firm to engage in a few evaluation exercises to help you get a better sense of its approach. For example, you might consider asking the attorneys to describe what high-level steps they’d take to protect your business from cybercrime. “You want to evaluate them in a noncrisis situation to see if they’re a good fit,” explains Baylet Bergeron.
Most importantly, finding the right counsel requires time. In the midst of a cybersecurity breach, exigent circumstances might lead you to act impulsively — and that could be a mistake. “You should be looking for this individual before an incident happens,” she says, especially since the process to engage counsel can take weeks.
Factoring in the importance of culture fit
In any leadership position, trust, emotional intelligence, and communication style all contribute to a strong working relationship. Since effective cybersecurity lawyers will need to work cross-functionally across many areas of your business, their working style should ideally fit your organization’s culture. Consider whether your teams will respond best to someone with a direct, professional approach or someone who exhibits more patience.
For Fowler, it’s all about balance. “You should look for someone who can be an effective translator between the business, IT, and legal folks,” she says. And according to Baylet Bergeron, communication speed can be crucial for many organizations. As such, it’s a good idea to establish clear expectations around response times and communication upfront.
Cybersecurity Counsel Without a Retainer
Although many organizations would benefit from a cybersecurity attorney in today’s environment, those with budget constraints may not be able to keep one on retainer. Baylet Bergeron suggests that organizations consider engaging the assistance of cybersecurity counsel for the following tasks:
- Creating a cybersecurity incident response plan
- Establishing internal and external communication strategies
- Adapting your cybersecurity policy for remote workers
- Developing a procedure for investigating cybersecurity incidents
- Creating a system testing process and regularly updating your cybersecurity plan
- Assessing a need for cybersecurity insurance, identifying the appropriate level of coverage, and advising on the terms of the coverage
The wisest course of action for any organization is to begin the process of identifying and vetting a qualified cybersecurity attorney well before the need for one arises. Because when it does, having a legal partner who knows your business may be the key to safeguarding your organization from damage.
Preventing and detecting fraud relies on strong controls, understanding your business' risks, and being vigilant in addressing them. For more cybersecurity insights, visit regions.com/fraudprevention.
