Corporate

Are You Ready? Five Key Cybersecurity Battlefronts.

 “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families. . . . I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information.”

—President Obama’s 2015 State of the Union Address 

This clarion call from President Obama for urgent action to protect the U.S. government and citizens from cyber attacks was a dramatic public acknowledgement of something that American legal professionals have known for some time: cybersecurity is one of the greatest areas of risk exposure in the U.S. economy.

Independent data from Mandiant, a division of FireEye, suggests that 80 of the 100 biggest law firms in the U.S. have been hacked since 2011. And a recent survey of members of the International Legal Technology Association showed that, for the first time ever, security management is viewed as the biggest challenge facing legal IT departments.

To be sure, law firms are now throwing money and other resources at the problem. A recent report from Legaltech® News noted that 38 percent of law firms spent money on security or a security assessment in the past 12 months, up from 27 percent in 2014. And Chase Cost Management’s “What Price Peace?” survey found that The AmLaw 200® law firms spent roughly $6.9 million last year on information security, an average of approximately 2 percent of gross annual revenues.

Meanwhile, in spite of the acceleration in cyber attacks, law firms appear to be slow in treating this crisis as a risk management problem. The American Bar Association’s 2015 Legal Technology Survey confirmed that the number of data breaches at the nation’s largest law firms continues to rise, but curiously only 11 percent of the firms said their firm had purchased cyber liability insurance.

And yet, risk abounds everywhere for law firms when it comes to the fight for cybersecurity. Here are five key battlefronts where law firms need to be engaged:

1. Cybersecurity assessments

All law firms ought to be proactively conducting information security assessments in order to gauge their potential for exposure. This is especially important for lawyers who are providing counsel to clients in the financial services industry, where cybersecurity assessments are a critical element of risk management.

To that end, the Federal Financial Institutions Examination Council (FFIEC) has issued a voluntary cybersecurity assessment tool to help institutions assess their cybersecurity exposures and processes for addressing known risks. The assessment tool is a methodology for conducting a self-assessment of an institution’s cyber risk.

James S. Talbot and Cristina Vasile, attorneys at Skadden, Arps, Slate, Meagher & Flom LLP, discussed this new assessment tool in their article, ‘‘FFIEC Releases Voluntary Cybersecurity Assessment Tool’’ (Pratt’s Privacy & Cybersecurity Law Report, October 2015). As Talbot and Vasile explain, financial institutions are provided with a matrix and instructed to evaluate which description of the organization best matches the institution’s cybersecurity risk and preparedness across various categories. The tool consists of two parts—Inherent Risk Profile and Cybersecurity Maturity—and is ultimately designed to help senior management determine whether the institution’s level of cybersecurity preparedness is appropriate given its internal risk profile.

The assessment tool is currently voluntary, but federal government agencies have announced plans to incorporate the tool into their process for assessing the safety and soundness of financial institutions in the months to come. [Check out the Cybersecurity Guidance and Infrastructure for Financial Institutions]

2. Corporate transactions

With cyber attacks pervasive in commerce today, it is imperative for businesses engaging in corporate transactions to consider the cybersecurity and privacy risks of their investments prior to purchasing, merging with or financing a company.

Lawyers who are advising dealmakers can mitigate these risks and prevent incurring unanticipated costs and criticism from unforeseen information security and privacy issues that may emerge after the closing of a deal through thoughtful due diligence efforts. Aaron P. Simpson and Adam H. Solomon, attorneys at Hunton & Williams LLP, explain that the cybersecurity and privacy due diligence process should include the following key areas of risk (‘‘Dealmakers Ignore Cyber Risks at Their Own Peril,’’ Pratt’s Privacy & Cybersecurity Law Report, October 2015):

  • • Incident history
  • • Regulatory compliance
  • • Privacy representations
  • • Contractual liability

Lawyers who take appropriate precautionary measures to assess the privacy and cybersecurity implications of their clients’ investments will be better prepared to protect themselves from post-transactional risks.

3. Trade secrets

This battlefront is of special significance to law firms with intellectual property practices. Trade secrets include information (formulas, drawings, patterns, customer lists, techniques, etc.) that creates independent economic value from not being generally known to the public—and that is the subject of reasonable efforts to maintain secrecy. Trade secrets protection is a particularly crucial area of cyber risk management as hackers have proven to be extremely successful at stealing confidential information behind firewalls.

As IP lawyers know, unlike other forms of intellectual property—e.g., patents, copyrights and trademarks—no federal law exists that specifically authorizes a private cause of action for misappropriation of trade secrets. But recently, legislators in both houses of Congress introduced the Defend Trade Secrets Act (DTSA), an amendment to the Economic Espionage Act that would create a private, civil cause of action for trade secret misappropriation under federal law.

David R. Fertig, Christopher J. Cox, and John A. Stratford, attorneys at Weil, Gotshal & Manges LLP, explain: “This is not the first time that Congress has attempted to pass a federal trade secret misappropriation statute and the DTSA, like its predecessors, has already engendered significant debate. The growth of unprecedented cybersecurity risks, however, together with a groundswell of public and bipartisan political support for federal legislation, suggests that the DTSA may finally result in a federal trade secret misappropriation law.” (‘‘The Defend Trade Secrets Act of 2015: Attempting to Make a Federal Case Out of Trade Secret Theft—Part I,’’ Pratt’s Privacy & Cybersecurity Law Report, October 2015).

4. Data security practices

The risk of data breaches is high for any large organization—and not just in terms of the measurable metrics of business loss, but also from the less-tangible effects on a company’s brand, reputation and customer confidence. Moreover, it’s often a matter of time until the government watchdogs come knocking on the door.

The Federal Trade Commission (FTC) has launched a new initiative— “Start with Security” —that provides lawyers with specific guidance on data security practices. The initiative consolidates lessons learned through multiple FTC data security cases and is intended to help businesses avoid FTC scrutiny in the future.

As part of Start with Security, the FTC released a document of the same name that provides 10 lessons that companies should learn about data vulnerabilities and how to reduce the risks they pose. For each lesson, the FTC also shared related practical advice and specific examples of companies that were subject to FTC legal action based on similar vulnerabilities or actions.

In ‘‘FTC Launches ‘Start with Security’ Initiative: Releases Data Security Guidance and Announces Nationwide Conference Series,’’ James S. Talbot discusses the FTC initiative and walks through all 10 lessons (Pratt’s Privacy & Cybersecurity Law Report, October 2015). The FTC’s Start with Security initiative likely will be an important factor in future FTC actions, and businesses that do not heed the lessons will be at risk of FTC scrutiny.

5. Government regulators

Beyond the role of the FTC when a consumer data breach occurs, other types of cybersecurity incidents have given rise to an expanding slate of government agencies with roles to investigate, monitor and assist companies trying to defend themselves against cyber threats.

“The jurisdictional landscape surrounding cybersecurity is ever-evolving, and companies seeking to comply with cybersecurity requirements may feel overwhelmed by the spectre of the Department of Justice (DOJ), Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), the Secret Service, and various federal agencies such as the Securities and Exchange Commission and FINRA, monitoring compliance with myriad laws, regulations and guidance,” write Alan Charles Raul and Tasha D. Manoranjan, attorneys at Sidley Austin LLP (‘‘Cybersecurity and Government ‘Help’—Engaging with DOJ, DHS, FBI, Secret Service and Regulators,’’ Pratt’s Privacy & Cybersecurity Law Report, October 2015).

The good news for lawyers advising clients in their interactions with government regulators on cyber risk matters is that some government officials have suggested that companies that cooperate with law enforcement may receive favorable consideration from their regulators. Obviously, each situation is unique and lawyers will need to advise their clients based on the relevant circumstances, a company’s legal obligations and the client’s best interests.

But the resources available to individual companies that experience cyber incidents—or recognize the need to plan ahead for that inevitable contingency—may create opportunities for constructive partnerships with regulators, rather than adversarial interactions.

President Obama’s call to cyber arms in his State of the Union Address earlier this year may have sounded the national alarm, but lawyers were already far too aware of the significant risks to their firms and their clients in the cybersecurity war. And while many firms may have been late to deploy the level of funding and resources necessary to help fight this war, there are a few key battlefronts where they need to be engaged right now.

Find top data privacy, cyberlaw and security news and sources at the new Lexis Advance® Data Privacy & Cyberlaw Practice Page.

  Steven A. Meyerowitz, Esq., is the editor in chief of Pratt’s Privacy & Cybersecurity Law Report, a new publication from LexisNexis. Mr. Meyerowitz is a graduate of Harvard Law School, practiced law as an attorney for a prominent Wall Street law firm, and founded Meyerowitz Communications Inc., a law firm marketing communications consulting company that works with some of the largest and most successful law firms in the U.S. Mr. Meyerowitz has been an outside editor in chief for a number of law and business publications for many years. He can be reached at smeyerowitz@meyerowitzcommunications.com.

Pratt’s Privacy & Cybersecurity Law Report addresses the need for timely information on privacy and cybersecurity law during an era in which data breaches occur at businesses on a daily basis. The journal examines and analyzes current developments in privacy and cybersecurity law, including statutory and regulatory developments, active litigation and case law, data breach prevention and response, and various industry developments. The journal, which has a board of editors comprising partners and senior lawyers from top U.S. and international law firms, is published nine times a year by LexisNexis.

For more information, download a complimentary Pratt's Privacy & Cybersecurity Law Report, First Edition.