A CISO and Outside Cybersecurity Counsel: A Marriage Made in Heaven

Frequently people ask, “why would a company [or organization] need a good cybersecurity and data privacy attorney”? A CISO (chief information security officer) should be able to handle everything, right? She should be intimately familiar with the corporate network infrastructure, all of the current policies, procedures, SOPs, and guidelines, all existing privacy and security regulations/requirements, all proposed privacy and security regulations/requirements, cybersecurity best practices, and all recent case law. Sure, that breadth of knowledge and experience is easy to find…right?

Wrong! A good CISO is responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected, but the granular nature of the knowledge base cannot be the responsibility of just one person.  To create an effective enterprise-wide program requires more than just a team of one. It takes a team approach. That includes SMEs (subject matter experts) that a CISO can call upon to ensure that her organization has an expansive and up-to-date information on the current state of data privacy and security, and allows the CISO to keep that “thirty-thousand foot view”. However, it is not just the formalities of roles that should be the driving force behind having outside data privacy and cybersecurity attorneys involved- it is a necessity.

With nearly every cybersecurity expert agreeing that a breach is a matter of when and not if, having knowledgeable counsel available to guide you through the process is critical.  An attorney who really understands how the organizations network infrastructure works so that she can effectively communicate with the forensic technologists that are working on a breach is a real differentiator in terms of response time and the costs associated with a breach.

But organizations should not wait for the inevitable to bring in attorneys to work with them on issues of data security. Attorneys can and should play a multitude of roles that can reduce costs even before a breach occurs.

Attorneys can play a critical role in creating a “reasonable” and defensible cybersecurity and data privacy posture. Attorneys who are working with a CISO, prior to a breach, can legally evaluate the best way for an organization to collect and store data.  In addition, attorneys can advise on data destruction without fear or concern of spoliation (i.e. the destruction or deletion of data when it should be under a litigation hold). Attorneys also negotiate critical data privacy and security provisions in contracts with vendors who access, use, store, and share data.

However, a general awareness of cybersecurity and data privacy is not enough.  Nearly every attorney claims to be cognizant of cybersecurity and data privacy concerns, but given the rapid changes in technology and the law, a general awareness alone can be dangerous; attorneys need to have specialized knowledge in this field in order to effectively provide legal counsel.  CISOs should be using attorneys who focus in this area exclusively otherwise the attorney could miss critical nuances in both the law and technology. And, attorneys could run afoul of their ethical obligation of competence if they simply dabble in cybersecurity and data privacy.

CISOs should also find attorneys who take a global approach to the practice of cybersecurity and data privacy.  Laws have borders, but data does not. Using an attorney who have exposure to cross-border data challenges can help to safeguard an organization because the attorney will understand when/if the data is being shared or transferred to a foreign jurisdiction and be able to appropriately advise the CISO on the ramifications of that data sharing or transfer.  Are there data privacy laws that have data localization requirements? Does the organization have a lawful basis to transfer the data out of the country? These are just some questions that a practitioner in this area needs to be aware of and can use to act as both legal and strategic counsel to the CISO.

Another good reason for engaging outside counsel early on is to give the CISO perspective and allows an “independent” view point and sounding board for a CIO or CISO. Also, in the event of a breach it would give a clear delineation of the attorney-client privilege as opposed to in-house counsel where the lines get blurred in terms of what is business advice as opposed to legal advice. Outside counsel is giving legal advice, because that is their sole purpose, even if it has tinges of business advice. When outside counsel is engaged and understands a client’s systems and data flows, they can also be more efficient when they are responding to a breach.  

All in all, engaging a law firm early on can save an organization time and money in the long run. Having an attorney brought in after a breach can be costly because they have to “learn” the organization.  Bringing outside counsel in early so that she is already familiar with the company and its network, along with an existing working relationship with the CISO is key. Every CISO should have an arsenal of weapons at their disposal and good cyber/privacy counsel is one of them.  And remember, having a CISO with a team of professionals ready to go is preparedness in its highest form because, as you well know, luck favors the prepared.

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.