A recently-released research study published by Indiana University’s Bloomington School of Law highlights the rising importance of cybersecurity law and provides current insights on the role lawyers are playing to help protect companies from cyber threats. The study, entitled “The Emergence of Cybersecurity Law,” is based on a survey of corporate law departments as well as interviews conducted with lawyers, consultants, and academic experts.
The report finds that although companies increasingly recognize the importance of cybersecurity, few are fully prepared to face the challenge. Substantial numbers of corporate leaders lack confidence in their organizations’ level of preparedness—in part the result of a shortfall of cybersecurity literacy within organizations. While cybersecurity may once have been the domain of IT professionals, companies now recognize that having legal and other disciplines engaged is also necessary. The implication is that lawyers must master the patchwork of legal issues and regulations relevant to cybersecurity risk management, while developing sufficient technical vocabulary to ask the right questions of their IT counterparts.
Despite the accelerating frequency of cybersecurity incidents, the report finds that companies still too often turn to lawyers only as a reactive measure rather than as part of a proactive process. To help companies protect their employees and customers from cyber threats, the report recommends that corporate counsel follow a 10-point cybersecurity agenda first proposed in 2012 by Hogan Lovells Partner Harriet Pearson:
- Fulfill Fiduciary Duty of Board and Management. If a cybersecurity incident occurs, a company will want to be able to demonstrate that management and the board have met their duty for safeguarding the company’s valuation and assets.
- Address Disclosure Obligations and Appropriate Communications. Training employees on effective internal and external security-related communications reduces risk. Training on communicating factually without speculation and establishing channels for seeking assistance can serve a company well.
- Guide Participation in Public-Private Partnerships and Law Enforcement Interactions. Industry and government forums for sharing threat information, response strategies, and cybersecurity best practices can be a useful part of a company’s cybersecurity program. However, there should be a strategy for company participation and training for individuals involved to reduce risk and avoid conflicts with clients or government authorities.
- Achieve Regulatory Compliance. Companies should assess the regulations relevant to their circumstances, including federal and state-level data security and breach notification laws. However, they should avoid overinvesting in “check-the-box” compliance efforts that may hinder more effective cybersecurity measures.
- Provide Counsel to Cybersecurity Program. Companies should appoint or identify legal counsel to become familiar with the security program and legal issues potentially raised by its implementation. These individuals should be prepared to bring any policy issues or potential legal risks to senior management or the board.
- Prepare to Handle Incidents and Crisis. Counsel can help prevent escalation of an incident to a crisis by helping guide sessions to prepare the company with a plan of action for incident response. Identify key internal and external resources for managing incident response, consider involving senior management in a tabletop exercise, and consider in advance what legal issues are implicated during an incident.
- Manage Cybersecurity-Related Transactional Risk. Mergers and acquisitions, vendor/supplier contracts, and consumer/client contracts can all implicate cybersecurity-related risk. Create a due diligence checklist and approach to cybersecurity issues, review contractual provisions, and review the vendor oversight program to integrate cybersecurity risk considerations into the company’s approach.
- Effectively Use Insurance. Insurance can be a valuable way to protect a company, but the exclusions and conditions of the insurance should be examined carefully. Cybersecurity insurance products have improved since their first introduction to the market over a decade ago.
- Monitor and Strategically Engage in Public Policy. Stay informed of developing policy standards, engage in advocacy as appropriate via industry associations, coalitions and the like, and otherwise engage in conversations on key issues so that policymakers and industry leaders are aware of company positions and concerns.
- Discharge Professional Duty of Care. Corporate and outside counsel should take precautions to protect client and related information, particularly when using or relying upon e-mail, social media, cloud, and other digital capabilities.
Looking forward, the challenge of cybersecurity is likely to remain a prominent issue for corporate and other leaders. Cyber threats are likely to present themselves in novel forms with accelerating frequency, while legal and regulatory requirements are also likely to change. Both the White House and Congress are closely examining cybersecurity proposals on subjects ranging from data breach notification requirements to cyber threat information sharing and targeted liability protections. As this dynamic landscape continues to evolve, Hogan Lovells’ global team of experienced lawyers and technical professionals will continue to offer counseling on the full range of cybersecurity issues.