August 14, 2017

Cybersecurity: As a risk management challenge, lawyer involvement critical – not just an IT problem

Protecting a business of any type or size from hackers, ransomware and other cybersecurity threats is a multifaceted, firm-wide problem that requires the expertise of lawyers, a panel of cybersecurity experts warned at a discussion during the ABA Annual Meeting in New York on Saturday, Aug. 12. 

“Cybersecurity is not an IT problem,” Suzanne Spaulding, former Department of Homeland Security Under Secretary for cybersecurity and critical infrastructure protection, told the audience at the event, “Cyber Risk Management: How Should Lawyers, Corporations and Governments Deal with Risk.” “This is a risk management challenge, and all of us know how to do risk management—you do it every day...Do not shove it to the IT Department. “

In her introductory remarks, Judith Miller, co-chair of the ABA Cybersecurity Legal Task Force, stressed the integral role of lawyers in protecting companies.

“Lawyers are such an important part of our getting it right on cybersecurity,” she said.  She proffered the second edition of the ABA Cybersecurity Handbook, due out this fall, which offers practical cyberthreat information, guidance and strategies to lawyers and their law firms on how to defend against cyberthreats and how to respond if their firms are hit.

In a wide-ranging discussion moderated by Harvey Rishikof, chair of the ABA Standing Committee on Law and National Security Advisory Committee and co-chair of the ABA Cybersecurity Legal Task Force,  the four-member panel addressed top-level issues in the field of cybersecurity as well as offered practical advice to law firms and other businesses on protecting themselves from a danger that has longed moved past the theoretical.

They cited recent cyber attacks on large law firms, as well as cyber attacks’ impact on issues as diverse as M&A deals. In Verizon’s recent acquisition of Yahoo, panelist Harriet Pearson of Hogan & Hartson, a corporate data privacy and cybersecurity expert, said that massive data breaches at Yahoo affected Verizon’s purchase price of Yahoo. It ultimately knocked $350 million off the deal.  Pearson said the incident pointed out that lawyers now need to ensure that a cyber risk assessment is done in advance of an M&A deal to assess the acquiring company’s liability cybersecurity.

For lawyers, preparing a company for what panelists called the “inevitable” cyber attack includes negotiating a complex landscape involving international, domestic and even state-level digital regulatory issues, governmental crackdowns on online privacy, liability issues in the event of a data breach and even employee rights.

James A. Lewis of the Center for Strategic and International Studies said that liability is “unavoidable” as computer devices get embedded in more and more things. “The standard joke is when your computer crashed, you were OK [legally]. When your car crashes, you’re going to sue,” he said. That’s not true anymore, he said.

Lawyer’s responsibility in the cyber arena also involve understanding the operations across their company, even including marketing. “You don’t have to be a tech expert,” Pearson said. But, “the best GCs are the ones who are unafraid to ask the tough questions.”

On a practical level, the panel offered a range of advice on how firms can protect themselves.

As lawyers lead cyber risk assessmenst, Spaulding advised them to look at consequences of an attack first.  In the context of data, she urged the audience, what would you do if you couldn’t access your data? What would you do if you could not rely on the reliability of your data? Then companies can put together a plan to address their vulnerabilities and prioritize fixing the potential problems, she said.

Other advice from panelists: thoroughly train employees on recognizing and avoiding phishing attacks, outsource their email, move to cloud data storage, and “force your staff to use real passwords,” said Lewis.

“Frankly,” Spaulding said, “lawyers can be part of the problem or part of the solution.”