Cyber: What Is the Role of an Attorney?

Cameron G. Shilling
Director, Litigation Department & Chair of Cybersecurity and Privacy Group
Published: New Hampshire Bar News
May 18, 2022

Businesses often mistakenly believe that cyber is task for information technology (IT). They do not know that attorneys play a critical role in security and privacy, or they do not understand the scope or significance of these legal services. A few examples are as follows:

  • Risk management within privilege
  • Breach and security incident response
  • Transactions and vendor management
  • Privacy law compliance

For many attorneys, these tasks are foreign, but that is not unusual. For example, most family law practitioners do not know how to write a patent, and most trial attorneys would be ill-suited to manage a corporate merger. However, as advisors to our clients, being aware of the role of cyber attorneys is important to advise them about the scope and significance of these services.

Risk Management Within Privilege

Cyber security requires a comprehensive risk assessment of the business, preparation of a detailed report listing and categorizing its vulnerabilities and areas of non-compliance, and creation of a plan to mitigate and remediate those risks. That process involves all parts of the business (not just technology), and requires close interactions with owners, board members, and executives, managers and employees from all business segments (not just IT).

A cyber attorney is a valuable business counselor through that risk management process. For example, rating and categorizing different types of vulnerabilities, and designing a strategy and plan to implement solutions to mitigate or remediate them within the budget and culture of the business, while also ensuring that the business complies with then existing and upcoming cyber security and privacy regulatory and contractual requirements, requires a team approach of a cyber attorney alongside collaborative IT professionals and committed business leaders.

Also, businesses that conduct cyber security risk management only with an IT firm often become concerned about whether the recommendations made by that firm are truly necessary or efficient, since the IT firm is typically proposing to provide the services itself. Involving a cyber attorney in that process helps ensure that the business is confident that the recommendations resulting from the assessment are truly necessary and appropriate for the business.

Equally important is the privilege that attaches when a business uses a cyber attorney. Risk assessment reports can serve as roadmaps for regulators to use to conduct audits and levy huge fines against businesses, or for litigants to use in lawsuits against businesses arising out of breaches. If a business uses only an IT firm to conduct the risk management process without the central involvement of a cyber attorney, all of the highly damaging documents created in that processes lack the vital protection of privilege.

Breach and Security Incident Response

Responding to and remediating a breach or security incident is a complicated legal crisis management process. A cyber attorney directs the client’s activities, determines the scope of the breach and the client’s resulting notification obligations, and retains and manages the work of forensics experts, public relations professionals, and firms that provide notification, call center, and identity and credit protection services, all within the protection of privilege.

Breach response also requires cyber attorneys to interact with vendors, customers, and other third parties that caused or were impacted by the breach, particularly with respect to the contractual rights and remedies between the parties. Those interactions can become legally complicated and contentious, particularly if not handled adeptly. Responding to a breach also frequently involves negotiating with insurance carriers, and either securing rapid and comprehensive payment or otherwise negotiating coverage for the breach.

Cyber attorneys commonly handle the most difficult inquiries by individuals affected by breach. In doing so, it is critical to have the ability to knowledgeably discussing the breach in terms that are understandable to those individuals, while simultaneously providing helpful assistance and demonstrating real compassion without admitting fault.

Finally, regulatory actions following breaches can be punitive and difficult to challenge. Skilled cyber attorneys implement measures both during the breach response and immediately afterwards that can significantly mitigate the scope of the regulatory audit and the potential magnitude of fines issued by regulators.

Transactions and Vendor Management

 The value of a business often depends not just on the information that the business possesses but also the systems that the business uses to monetize that information. Thus, when one business is interested in acquiring another, it is critical for the buyer to conduct thorough due diligence with respect to the cyber security and privacy practices and safeguards of the seller. Similarly, when a business anticipates potential acquisition, it must take steps in advance of such an acquisition to ensure that it has implemented appropriate practices and safeguards. A cyber attorney plays a critical role in these transactions, both with respect to preparing a business for acquisition, as well as reviewing cyber security and privacy due diligence materials during acquisition.

Businesses that provide information to cloud service and other vendors are obligated to ensure that the vendors have implemented safeguards at least as stringent as the businesses are required to implement. Cyber attorneys obtain and interpret such vendor due diligence materials, and advise their clients with respect to the potential risks associated with vendors. Those attorneys also negotiate the agreements that businesses must enter into with vendors to protect the interests of the business and ensure that proper safeguards are contractually required of vendors.

Privacy Law Compliance

 Privacy is the newest and most rapidly expanding area of cyber law. These regulations emanate from foreign jurisdictions, like the European Union, Canada, Brazil, Australia, and China, as well as other states, like California, New York, and Virginia. Cyber privacy laws apply to businesses in New Hampshire, because those laws often apply to businesses that possesses personal information about residents of those other states and foreign jurisdictions.

Unlike cyber security laws, which address the safeguards that businesses must implement to avoid loss and theft of information, cyber privacy laws impose requirements and limitations on businesses with respect to their collection, use, and disclosure of information. Such requirements include providing notice to and obtaining consent from individuals before collecting, using, and disclosing information about them. Privacy laws also limit the purposes for which businesses can collect, use, and disclose information, and create rights that individuals have to control the ways in which businesses collect, use, and disclose information about them.

Because of the difference between cyber privacy and security, IT firms rarely help businesses comply with privacy laws, or are necessarily even aware of these regulations. Cyber attorneys play a pivotal role in advising businesses about the applicability and scope of privacy laws, and assisting businesses to implement practices to comply with them.

Proper cyber security and privacy compliance requires a team approach – a skilled cyber attorney working together with collaborative IT professionals and business leaders who are committed to the process. As counselors to our business clients, we should be aware of the role of that cyber attorneys play, so we can advise our clients about the scope and import of these legal services.