Amazingly, in spite of the ever-increasing need for them, there are very few law firms right now that specialize in cybersecurity. This is not to deny that many law firms are more than willing to take on cybersecurity cases when the need arises; nor is it to deny that some firms still consider the cybersecurity “topic” a strictly IT area of expertise.
Regardless of the reasons why, lawyers need to become more immersed in what is a huge problem, not only in the US but across the globe. Here are 5 reasons why we need more law firms to specialize in cybersecurity issues and cases.
More and more laws are being passed that deal with the ever-worsening and continuously-more-complicated topic of cybersecurity. Some of these laws include HIPAA, ECPA, CAN-SPAM, FCRA, Sarbanes-Oxley, etc.
Many people fail to understand or appreciate the obligations that go with having access to the latest technologies. These technologies include cloud computing, smartphones, Wi-Fi, remote access, and USB drives. As for the “obligations” in question, how about starting with the right to privacy and the duty to provide confidentiality?
The threat to data stored in or transmitted by electronic mobile devices is at an all-time high. It used to be hackers that one worried about, but other players in the game can include disgruntled employees, careless temps and people who may come to your business posing as something they are not (e.g., soda machine maintenance guys, delivery guys, consultants, etc.). The point is that the list of people who could potentially threaten the data kept by all organizations is rather long and well-diversified—in other words, this matter no longer involves just computer hackers.
This is only one of the many huge problems, arising and getting more complicated by the minute, that can end up in the lap of attorneys. To deal with that, the government has already passed several laws, but you can be sure that more laws are in the planning stage or already waiting to be passed.
One very legitimate question that we may ask, then, is how well prepared law firms in the US (and other developed countries) are to deal with the many legal problems regarding cybersecurity that will have to be adequately addressed in the near future.
It’s true that many law firms are scrambling to prepare for the onslaught, but is what they’re doing (sending partners and associates to seminars, bringing in consultants periodically, etc.) enough?
Clearly, what is needed here is a more aggressive approach—i.e., a comprehensive plan to get more firms ready to not just handle these cases, if necessary, but to specialize in the topic. Specialization doesn’t come cheap or easy though, which is why this is something which may require participation from all stakeholders (the government, the ABA, big law firms, corporate world reps, IT consultants, etc.). Failure to develop this cooperation, and the financial and technical support that will be needed, may turn out to be disastrous, to put it mildly.
To put it in more practical terms, we may end up seeing the industry being overwhelmed by, or inadequately (if not incompetently) tackling, the upcoming legal challenges coming in the form of what we might call “legal tsunamis.”
The incidence and seriousness of privacy/security breaches are worsening with each passing day.
Almost every year, a major cybersecurity breach is announced in the news. Actually, security breaches are occurring just about every day—but you will probably not hear of them in the news unless a major organization or agency is involved, massive amounts of data were compromised and/or the breach was particularly troubling (such as when cyber-terrorists have broken into IRS databases).
Some of the major breaches to date include:
- TJX in 2006
- Heartland Payment Systems in 2008
- Target Stores in 2013
- Yahoo in 2013-2014
- eBay in 2014
- JP Morgan in 2014
- Adult Friend Finder in 2016
- Equifax in 2017
Of course, each of these breaches has led to legal action in one form or another. The good news is that these incidents can provide helpful information on how law firms can prepare for the next major breach. The question is, are legal firms taking advantage of these learning opportunities?
This represents a whole new potentially profitable area of law that simply can’t be left untapped for too long.
One of the many areas of law within the cybersecurity scope that is sure to provide revenue for legal firms savvy enough to capitalize on these opportunities is cases involving the Committee on Foreign Investment in the United States (CFIUS), which monitors investments by foreign bodies in American businesses providing services and products relating to national security.
There are many cybersecurity questions that are arising as a result of these investments and complicated relationships. Any cases arising out of these relationships may involve not only cybersecurity but also international law.
Here are some other areas where there is money to be made by law firms prepared for the legal challenges in question:
- Companies facing class action lawsuits because of hacked customer information
- Advising global insurance companies on cybersecurity policies and data privacy concerns, including how to respond to breaches, from a legal perspective
- Advising insurance brokers/consultants on their privacy policies and data security incident response plans
- Helping Internet advertising and data-mining companies develop incident response plans and cybersecurity policies
- Helping defense contractors paddle their way into and around Department of Defense service provider and supply chain cybersecurity requirements
- Assisting healthcare providers in meeting the ever-more stringent privacy and patient information security requirements and restrictions of HIPAA and other healthcare laws
Cybersecurity is no longer strictly an IT issue—more lawyers need to start immersing themselves in the subject, even if they have to start requiring lawyers specializing in this field to also take a certain amount of college course credits in computer science.
Although the public may not be aware of this, lawyers and law firms are bound by a wide range of government policies and laws designed to protect the public’s privacy and confidentiality. Attorney/client privilege is only one of the many rules in place that impose serious burdens on attorneys, burdens which they can’t take lightly.
Other policies and laws that put lawyers on notice, and which may carry penalties for non-compliance, include:
- The duty of competence (the ABA’s Model Rule 1.1) requires attorneys to be familiar with technologies in certain cases.
- Model Rule 1.6 helps to define the duty of confidentiality more clearly . . . basically, a lawyer cannot reveal private information (or allow it to leak) without informed consent.
- The Ethics 2000 Revisions to the Model Rules (which among other things stipulated that lawyers must act competently to safeguard information . . . simply delegating such to IT personnel won’t cut it)
- Model Rule 5.1 (refers to responsibilities of supervisory/partner lawyers and non-lawyer assistants)
- Model Rule 1.4 (Communications), requires appropriate use of technology in communicating with clients
Of course, individual firms can also institute their own policies that further restrict what attorneys may or may not do, including in their use of information technology.
Law firms can either lead the way or follow the crowd on the issue of cybersecurity—it would be foolish if the legal industry either by default or on purpose chooses the latter.
One of the greatest challenges for law firms today in properly establishing programs for tackling cybersecurity cases is deciding what measures are necessary and how best to implement them. But determining what are reasonable and competent measures can be rather difficult, especially with regard to an area of law that is developing and growing even as we “speak.”
Laws and policies can provide guidelines but, ultimately, law firms are going to have to decide whether they will simply follow other industries (to see what happens), keep a close eye on trends, let the government tell them what they need to do, or, what would be more proactive, start leading the way in terms of what new laws we need, how the present laws can be amended and how major cases will be handled in general.
The issue of cybersecurity is too serious, prevalent and far-reaching a problem to not approach head on and with all engines running—metaphorically speaking. There is no question that cybersecurity is changing the playing field for the legal industry in many ways.
The sooner that lawyers start specializing in this area, the better the industry will be prepared for many of these inevitable, far-reaching changes.