A MacBook computer (Quentin Meulepas/https://flic.kr/p/6idQDx/CC BY 2.0/https://creativecommons.org/licenses/by/2.0/)

Recent surveys by the Association of Corporate Counsel (ACC) consistently reveal that one of the top concerns for general counsel at private companies is cybersecurity. This concern is certainly well placed, given the steady stream of alarming incidents involving the security of sensitive data. As a result, corporate general counsel are increasingly hiring, or aware of the need for, an attorney who focuses on “cybersecurity.” But what does that specifically mean? What should be in that lawyer’s portfolio?

This is a question I have confronted in the past several years as I helped build the Office of the Chief Counsel at the new Cybersecurity and Infrastructure Security Agency (CISA). Our team of lawyers has a broad portfolio, including supporting responses to the most complex cyber incidents facing the country, negotiating complex technology agreements, developing legal and governance frameworks to address threats of emerging technologies and nation-states intent on compromising them, drafting legislation, and responding to audits and investigations. CISA, of course, is not a private company, but I hope my experience in building a cybersecurity practice for CISA will help general counsel seeking to build a cybersecurity practice within their company. (Our practice of law is much broader than cybersecurity, as CISA helps its stakeholders to build more secure and resilient infrastructure. Thus, the office focuses on the broader law of critical infrastructure and, as is typical in a corporate law office, the legal issues associated with managing the business operations of a growing organization.) Moreover, it is in CISA’s strong interest to see the discipline of cybersecurity law develop and mature.
Too often, the agency’s offers to help a company that is under attack are delayed for days (or even weeks) because a corporate counsel’s office is trying to become familiar with the subject matter. Government agencies such as CISA will be more successful in helping companies if corporate attorneys are knowledgeable about the law in this area.

What is the current state of the cybersecurity practice of law?

In the past five years, the ACC has conducted three surveys of corporate law departments regarding how they approach data security and privacy issues. In the latest survey, published in the fall of 2020, almost 50 percent of chief legal officers expect their (already substantial) role in cybersecurity to continue to increase. For example, more than 70 percent of corporate legal departments play a “significant role” in setting the company’s policies on information sharing with the government. Moreover, the role of chief legal officers in responding to data breaches is growing. In 2015, chief legal officers said they were the primary point of contact for leading the company’s response to a data breach in only 4.6 percent of cases; in the 2020 survey, that proportion had jumped to 21.2 percent.

But the data also shows that the practice of cybersecurity law is still very much in the early stages. According to the surveys, companies are all over the map when it comes to personnel responsible for leading the response to a data breach—companies have identified seven different senior corporate positions as the primary incident response leader (CEO, chief information officer [CIO], chief information security officer [CISO], “head of IT,” privacy officer, chief risk officer and chief legal officer). The 2020 survey also shows that almost 75 percent of corporate legal departments have not developed internal processes to leverage existing information-sharing statutes such as the Cybersecurity Information Sharing Act of 2015.
When asked why the company does not share information with the government, the vast majority of respondents, almost 75 percent, answered: “Our organization does not have the resources or knowledge base to engage in these types of programs.” If these surveys are any indication, the practice of cybersecurity law is still quite nascent.

Where does the cybersecurity attorney fit in an organization?

A cybersecurity attorney is not an auditor; this attorney does not sit in an ivory tower doing oversight of the company’s information technology work. Instead, corporate officers must recognize that a cybersecurity attorney must be a part of the operational team. The attorney should be as involved in the company’s operations as the information technology expert deploying new defensive measures in the company’s networks. An effective cybersecurity attorney has to be in the trenches, helping to develop the statements of work for new contracts, negotiating information-sharing agreements, advising on legal risks associated with the many and varied daily decisions of securing networks, and managing the hour-by-hour response during an incident.

What legal grounding does the cybersecurity attorney need?

A cybersecurity attorney must establish a strong base in foundational cybersecurity statutes in order to contribute effectively to the company’s operations. These statutes include the Electronic Communications Privacy Act (including the Computer Fraud and Abuse Act and the Stored Communications Act), the critical infrastructure provisions of the Homeland Security Act, the Cybersecurity Information Sharing Act of 2015, the Federal Trade Commission Act (FTCA), data breach notification laws, applicable sector-specific state and federal laws (particularly for the financial, health care and government contracting sectors), and many others. The cybersecurity attorney also needs a firm understanding of privacy law.
While the two disciplines are distinct, one of the core functions of a cybersecurity attorney is to ensure the company properly stewards the data entrusted to it. Therefore, the cybersecurity attorney must be—at a minimum—conversant in privacy law. Privacy regimes impose requirements to improve the security of data because security enables data to remain private.

Finally, a cybersecurity attorney must be multilingual in the jargon of both law and tech. One of the key jobs of such an attorney is to translate legal requirements (such as obligations imposed by regulations) into design requirements and to understand the technical details enough to ask probing questions, spot legal issues and translate risks to organizational leadership. The attorney must be a Rosetta Stone—translating the law into language technologists can understand—and vice versa. Therefore, the attorney needs to understand the basics of technology, or at least have a curiosity and drive to learn.

What subject areas should be in the attorney’s portfolio?

Government

In cybersecurity, companies must expect to engage with government—it is inevitable. A cybersecurity attorney must understand the delineation of each government agency’s authorities. The attorney should know the answer to the question: “What can X do to us?” But the attorney should also know the answer to the question that is often not asked (primarily due to ignorance): “How can X help us?” Congress has given CISA, the FBI and other government agencies authorities that permit them to be significant assets to a private company. The agencies can even go as far as providing needed capabilities and tools. Moreover, government lawyers often seek to negotiate novel public-private arrangements that benefit both the company and the larger ecosystem.
Corporate counsel need to have a strong grounding in cyber and national security law so that they do not evaluate the proposed deal as a simple commercial contract but, rather, as an opportunity for the company to access and leverage uniquely sensitive government data.

Beyond knowledge of statutes, the cybersecurity attorney should also be able to help the company build relationships with key government agencies. Relationships with agencies such as CISA, the FBI, state attorneys general offices, the Securities and Exchange Commission, the Federal Trade Commission (FTC) and others are critical. The attorney can often be helpful in establishing and maintaining those relationships. For instance, many government agencies approach companies from a law enforcement or regulatory perspective, so they are comfortable dealing with attorneys. The cybersecurity attorney and the company’s CIO and CISO should all have relationships with these agencies.

A cybersecurity attorney needs to understand the regulatory landscape. This should include, for example, the work of the FTC under Section 5 of the FTCA, a law with significant data security implications for many companies. The attorney should fully understand the regulations that govern the company’s work, and should work closely with the cybersecurity team to document the alignment of the company’s policies and controls to those regulatory provisions. The attorney should also ensure a process is in place for each control associated with a regulatory requirement to be monitored for adoption and performance. More broadly, the attorney should understand regulatory frameworks in other sectors; the regulations adopted in one sector might be adopted in others,
What Is a Cybersecurity Legal Practice? posted first on http://realempcol.tumblr.com/rss