Yes. I just asked that. For many, the response is likely “Yes! Of course we are! It’s *&^%$% cybersecurity – it’s complicated!” To which I would respond “Touché. It is…but it needn’t be overly complicated.” So, of course, I set out to find a complicated way to simplify it. And, in the spirit of National Cyber Security Awareness Month, I thought I would share two complicated ways to simplify your cybersecurity processes.
The Two-Track Process
It goes without saying that lawyers need to be involved in breach remediation. Best practices also suggest that lawyers need to be involved in cyber-security plan preparedness. That is a concept that is starting to take root in savvy companies proactively addressing cybersecurity. However, there is a new push suggesting that lawyers should be involved during the “continuous monitoring” phase, i.e., that “meat in the sandwich” portion of cybersecurity where day-to-day operations are ongoing and systems are being examined to ensure their integrity. That’s where I’d like to pause the conversation for a minute and focus our collective attention.
Generally, attorneys get most involved in day-to-day operations when there is an investigation. The primary purposes of having an attorney involved in any investigation are to ensure (a) external review and (b) the protection of findings under the attorney-client privilege. In terms of addressing or identifying a cyber threat, these are both important objectives. After all, privilege is a powerful tool and one that both attorneys and clients protect zealously. When investigating whether something went sideways, it is imperative for a company to protect that process while assessing what, if anything, it needs to report. This is especially true in the government contracts arena under the Mandatory Disclosure Rule and in the cybersecurity arena when examining potential incidents or breaches. If a company thinks it has been victimized or may be victimized through a cyber event, calling an attorney to oversee the investigation is imperative; letting that attorney hire independent, technically astute consultants, under the cloak of privilege, to facilitate that investigation is equally important. Such efforts will allow the company to understand not only what happened, but how, and, potentially, the damage inflicted – how the intruder came in, what he saw, what was broken, and/or what was stolen.
It is important to remember, however, that companies do have existing obligations to protect and defend the information they hold (IP and competitive information, as well as those required by the FTC, SEC, HIPAA, etc.). The information security function needs to be running at all times, and it cannot operate at all times behind the curtain of the attorney-client privilege. Much like an internal auditing unit, companies should have a dedicated team (generally outside of the IT department that built the systems being audited) assessing, on an ongoing and routine basis, the integrity of the company’s networks and data. These folks will be the first line of defense, the “watchers on the wall” who will signal to management and, hopefully, to counsel, that something may be amiss. If and when these folks identify a breach, the company can, and must, determine what routine security functions will continue unabated, and what actions will thereafter be taken at the direction of, and under the control of, counsel.
I raise this simple truth because I think it is imperative that C-suites be made aware of the very real possibility that cyber-incidents will and should include a “dual track” cyber solution. There is a place for privilege, but there is also a place for demonstrating to the government that you did everything you could do to stop the eventual breach. Hacks happen, but hiding too much under privilege may impact the avenues open to a company and may telegraph to regulators that something may have been missed. A far better solution is to ensure that your company is taking the proper precautions to mitigate your cyber liability. Which, coincidentally, brings me to my next point…
Cyber Liability Calculus
A few weeks back, while teaching a cybersecurity course, I revealed a formula I call the “Cybersecurity Liability Calculus.” The concept started off as a lark to demonstrate to others just how complicated it is to calculate the liability associated with cybersecurity. But, what it became was a tool, a formula that allows a rather straightforward and all-encompassing approach to gauging a company’s potential cyber-liability.
No formula is helpful if it doesn’t describe that to which it leads, so let me be clear what I mean by “cyber-liability.” It refers to the legal responsibility a company has to maintain and protect information, and the consequences for failing to do so. An important and vital note here is that I am not using the word “compliance.” After discussing the concept of “compliance” with many in the industry, it is becoming increasingly clear that the “check-the-box” mentality associated with compliance is anathema to the dynamic and volatile world of cybersecurity. While compliance works in many arenas, we may do well to avoid the word and its connotations in the cybersecurity sense. So, with that in mind, I reveal to you, the “Cybersecurity Liability Calculus:”
CL = f(Dt, Do, 2Dl, CuI, R, P, T3)Sc
Simple, right? Sure, it’s no Euler line (Google it). And Pythagoras may find it pedestrian, but it works for identifying what, exactly, a company must consider when attempting to capture and understand its cyber-liability. Solving for CL will be your first step to addressing your data and system security requirements.
So there you have it, complex ways to simplify the complexities of cybersecurity. Our gift to you!
Happy National Cyber Security Awareness Month!
This post first appeared in the Government Contracts Blog.