Does Your Organization Need a Cybersecurity Lawyer?

Legal specialists highly trained in cybersecurity law can offer your organization several key benefits.

Cyber risk has become one of the most serious concerns for businesses in almost every industry. Despite significant advancements in security tools, bad actors are persistent, patient and increasingly sophisticated in their knowledge of how the companies they target operate. Given the potential severity of a cyber incident, many businesses are proactively engaging lawyers with cybersecurity proficiency.

Financial damage is only part of the story. Cyberattacks can leave businesses that handle sensitive and personal data in violation of laws and industry regulations, and companies may also suffer reputational consequences if a data breach becomes public.

For these reasons, a cybersecurity lawyer can be invaluable in assessing and mitigating risk before an incident occurs. “Cybersecurity counsel is available to help you before, during and after a cyber event,” says Carrie Fowler, Assistant General Counsel at Regions Bank.

Strong cybersecurity legal counsel can be a critical element of any cyber response team. As Fowler says, “You’re looking for your cybersecurity counsel to be a quarterback.” An experienced counsel can bridge the gap between your IT and legal departments, helping with everything from creating a compliance program for your organization to finding the most appropriate cyber liability insurance for your business.

Do You Need a Cybersecurity Attorney?

Companies that collect valuable information—such as personal health or financial data, Social Security numbers or biometric data—make especially attractive targets for ransomware, data exfiltration and other attack methods.

“Of course, we get concerned about consumer-driven data, but we also look out for nonpublic information that could also be considered sensitive,” notes Fowler. “It depends on what the business considers highly sensitive or confidential.”

In fact, if your business conducts any business or sales online, or relies on cloud services or products, it carries some level of cyber risk. That, in turn, may justify engagement with a cybersecurity legal professional or obtaining specific cyber insurance coverage.

Mitigating Risk

All businesses—regardless of their size, business dealings or data holdings—should be proactive in their attempts to mitigate risk. But some, due to the sensitivity of the data they store, require extra vigilance. Breaches in health care organizations, for instance, can lead to significant costs. “The greater the volume or sensitivity of the data, the more you should be doing to protect that data preemptively,” says Fowler.

Likewise, international business relationships can further complicate adjudicating exposure and legal needs. For example, organizations that collect data belonging to individuals in the European Union are required to comply with the General Data Protection Regulation, or GDPR.

The Benefits of Attorney-Client Privilege

Another benefit to having a cybersecurity lawyer is attorney-client privilege, the legal privacy built into the attorney-client relationship. “The concept of privilege is important,” says Fowler. “But remember that it has nuances that are very important for all parties to understand from the start of a relationship.”

Ultimately, attorney-client privilege is a complex topic—and one that depends in principle on the expectations and agreements between your organization and counsel. Businesses should make a proactive effort to understand which aspects of the relationship will and won’t be covered by the attorney-client privilege.

Finding the Right Cybersecurity Attorney

Given the unique skill set the role requires, your search for cybersecurity counsel should hinge on two key elements—experience and aptitude—rather than existing relationships. “Cybersecurity attorneys have a very specific background and skill set,” says Fowler. “This means a firm that may represent your business in other areas may not necessarily be the right firm to be your cyber counsel.”

Fowler says you should look for “someone who has a true technology background,” such as an attorney with technical credentials or experience as a working technologist. Consider starting your search with your existing business partners. Can your in-house counsel or partner legal firm provide a strong referral? Can your cybersecurity insurance broker provide you with a list of qualified attorneys?

Evaluating the Background of Prospects

As with any vendor, seek out relevant past work and a proven record of success. “Most law firms publish a summary of the type of work they perform,” says Fowler. “If a firm is known for providing cybersecurity guidance, it will usually include that information on its website.”

Fowler recommends senior leaders bring prospective firms or counselors in for in-person interviews. “You’re going to have to do your own due diligence on their cybersecurity practices, their services and their general cyber hygiene to make sure you are comfortable with them as a long-term vendor,” she says. “That typically requires that you meet and ask them candid questions about their cybersecurity practices and how the firm can support your company’s cybersecurity needs.”

Better yet, you can ask a prospective firm to engage in a few evaluation exercises to help you get a better sense of its approach. For example, you might consider asking the attorneys to describe what high-level steps they’d take to protect your business from cybercrime. “You want to evaluate them in a noncrisis situation to see if they’re a good fit,” explains Fowler.

Finding the right counsel requires time—and the time to start your search is well before any incident occurs. An experienced individual will need time to become familiar with your organization, and much of their value can come in the form of counsel as you develop or refine an incident response plan. Even a seasoned professional you engage in the heat of an actual breach may not have enough time to assess the situation and offer their best advice.

Factoring In the Importance of Culture Fit

In any leadership position, trust, emotional intelligence and communication style all contribute to a strong working relationship. Since effective cybersecurity lawyers will need to work cross-functionally across many areas of your business, their working style should ideally fit your organization’s culture. Consider whether your teams will respond best to someone with a direct, professional approach or someone who exhibits more patience.

For Fowler, it’s all about balance. “You should look for someone who can be an effective translator between the business, IT and legal folks,” she says. Communication speed can be crucial for many organizations. As such, it’s a good idea to establish clear expectations around response times and communication upfront.

Cybersecurity Counsel Without a Retainer

Although many organizations would benefit from a cybersecurity attorney in today’s environment, those with budget constraints may not be able to keep one on retainer. Fowler suggests that organizations consider engaging the assistance of cybersecurity counsel for the following tasks:

  • Creating a cybersecurity incident response plan
  • Establishing internal and external communication strategies
  • Adapting your cybersecurity policy for remote workers
  • Developing a procedure for investigating cybersecurity incidents
  • Creating a system-testing process and regularly updating your cybersecurity plan
  • Assessing a need for cybersecurity insurance, identifying the appropriate level of coverage and advising on the terms of the coverage

The wisest course of action for any organization is to begin the process of identifying and vetting a qualified cybersecurity attorney well before the need for one arises. Because when it does, having a legal partner who knows your business may be the key to safeguarding your organization from damage.

Preventing and detecting fraud relies on strong controls, understanding your business’s risks and being vigilant in addressing them. For more cybersecurity insights, visit

Three Things to Do

  1. Discuss your cybersecurity risks with your relationship manager.
  2. Learn how to prepare for new data privacy laws.
  3. Determine your vulnerability to cyber threats.


The information presented is general in nature and should not be considered legal, accounting or tax advice. Regions reminds its customers that they should be vigilant about fraud and security and that they are responsible for taking action to protect their computer systems. Fraud prevention requires a continuous review of your policies and practices, as the threat evolves daily. There is no guarantee that all fraudulent transactions will be prevented or that related financial losses will not occur. Visit, or speak with your Banker for further information on how you can help prevent fraud. References or links to third-party websites do not imply endorsement.