Legal
Legal counsel increasingly plays a critical role in proactive cybersecurity program
development, deployment, and execution. As with any compliance regime,
cybersecurity lawyers provide legal advice regarding statutory, contractual, and
regulatory duties, as well as recommendations on managing and mitigating
legal risk that may result from audits, investigations, or litigation. Experienced
regulators now expect that organizations will prepare for an incident and will
evaluate their regulatory enforcement decisions through that lens.
The following are some of the key aspects of proactive legal workflows
in cybersecurity:
• Designate a Cyber Lead from Legal. Much of cybersecurity incident
response preparation involves evaluating and managing legal risk. With
no overarching cybersecurity law, counsel should draw from a patchwork
of statutes (e.g., state notification statutes), regulations, government
enforcement proceedings, settlements, guidance, and litigation trends
to assess risk. Legal counsel (internal and/or external) should also be
positioned to “direct” certain incident response preparation activities and
to retain outside forensic and communications experts to maximize the
likelihood that their proactive and reactive work is covered by the attorney-
client privilege.
• Review Policies and Public Statements. If you say you do it, you’d
better do it. That goes not only for public representations (e.g., privacy
statements, service representations), but also internal security policies.
These policies and public disclosures should be regularly reviewed to
represent the current state, and avoid unnecessarily grand or definitive
statements about a company’s cybersecurity program (e.g., “we have bank-
level security” or “we have state-of-the-art cybersecurity”).
• Develop an Incident Response Plan. The Incident Response Plan is the key
operational document that pulls together different aspects of a company’s
response to a security compromise or data breach. Regulators and plaintiffs
focus on not only the technical security measures in place, but also the
speed, efficiency, and effectiveness of the company’s response when facing
a cyber attack. Expert cyber counsel craft operationally effective processes
that reflect the latest insights from regulators and litigated cases with an
eye toward building a narrative of diligence while avoiding inadvertent
admissions of liability or creating ad hoc standards that are neither
reasonable nor attainable.