Many organizations recognize that SecurityScorecard is a highly effective weapon in the cybersecurity toolkit for a Chief Information Security Officer (CISO), but the link to the legal and compliance departments is often less well understood. With the proliferation of state, federal, and international regulations involving cybersecurity and data privacy, SecurityScorecard also enables companies to align their policies and procedures to maintain a robust cybersecurity compliance stance. In addition, the cybersecurity-related risks of civil litigation, regulatory investigations, and congressional inquiries have expanded dramatically.
How cybersecurity creates legal risk
Cybersecurity is no longer simply an IT department’s problem and, in fact, cannot be the responsibility of any single department. Regulators have repeatedly stressed the importance of an enterprise-wide approach to creating an effective cybersecurity program as a matter of corporate governance. As such, a corporation’s senior management needs to provide oversight and support the program with sufficient resources and funding.
Such programs need coordination and communication across multiple internal departments. When establishing a cybersecurity program, organizations must include relevant legal and compliance professionals as early as possible in the risk assessment process. This team-based model allows the various stakeholders to holistically leverage their expertise, which will make the cybersecurity program that much more robust.
Moreover, disparate stakeholders often view cybersecurity risks through very different lenses and speak about those risks in different ways. Without a programmatic and governance-based approach that includes a wide variety of internal stakeholders, a cybersecurity program may end up with significant gaps in understanding risks and/or lack the appropriate measures to mitigate them, which increases the severity of cyber-related harm that an organization may suffer.
What value do legal and compliance professionals add to a cybersecurity program?
As companies expand their cyber-related preparations, legal and compliance professionals can add value in many different ways.
A company's in-house and/or outside counsel’s responsibilities should include a variety of legal and compliance actions to ensure the program’s robustness. For example, legal counsel’s responsibilities may include, but are not limited to:
- reviewing public disclosures (e.g., SEC filings) regarding prior incidents and material risks
- pressure testing the design (i.e., review the incident response plan),
- engaging in the implementation of a company’s cyber program and key controls,
- assisting with employee training and tabletop exercises (to practice the incident response plan),
- determining the extent of the company’s cybersecurity insurance (if any),
- developing contacts in law enforcement,
- coordinating with internal government relations regarding proposed legislation,
- considering an informal policy on cyber ransom payments
Meanwhile, contract attorneys for a corporation can also negotiate key data privacy and security provisions in vendor contracts regarding the access, use, storage, and sharing of data. In fact, a number of companies are requiring their vendors to maintain a minimum acceptable security score during the term of the contract based on a company’s use of SecurityScorecard’s vendor risk monitoring. A company’s contracts may also create obligations to notify customers of a cybersecurity event or to maintain certain cybersecurity measures.
In addition, effective cybersecurity and privacy lawyers can help craft a narrative of how a corporation establishes a defensible cyber program in response to civil lawsuits, such as those that will be permitted under the forthcoming California Consumer Privacy Act (“CCPA”) which will become effective on January 1, 2020. The CCPA imposes a duty on companies to “implement and maintain reasonable security procedures and practices.” While the new law does not provide detail or guidance for how courts should unpack what is “reasonable,” organizations should assume that, at a minimum, continuous monitoring over their key security controls will be required. SecurityScorecard will be helpful to show that the company took a cyber-focused approach toward the due diligence of both itself and its vendors.
How can an effective cybersecurity and data privacy lawyer enable a robust cyber program?
Unfortunately, the days of “dabbling” in cybersecurity and data privacy are over. Given the increasing risks involving cybersecurity and data privacy, companies simply cannot afford to have in-house counsel working on these issues off the side of their desks.
Even the American Bar Association (ABA) has begun to recognize cybersecurity’s importance. Although released in 2017, the Vendor Contracting Project: Cybersecurity Checklist remains a fundamental cybersecurity resource on the ABA’s website. On the list of required actions, the ABA notes the importance of:
- Risk Assessments
- Vendor Due Diligence
- Contract Provisions
Embedded within these three key segments are a variety of suggestions including security program management and business continuity/resilience programs.
Corporate counsel needs to be able to identify risks and understand mitigation strategies both as part of the company’s cybersecurity program and its vendor risk management program.
The daily changes in both technology and the law require that attorneys are specializing in these areas so they can provide meaningful assistance and practical solutions. Ideally, at least one in-house counsel should be exclusively focused on cybersecurity and data privacy and closely partnering with their CISO.
When should companies engage outside counsel with cybersecurity expertise?
Again, it is very dangerous for companies to wait until a material breach has occurred to involve external counsel.
Any major corporation should already have retained cybersecurity counsel to advise them globally. Increasingly the extraterritorial nature of data security and privacy laws focuses less on an organization’s geographic location but on the data owner’s location. Reviewing the General Data Protection Regulation (GDPR), CCPA, and New York Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act shows a trend toward holding companies responsible for data security and privacy based on the data owner’s residence, not the organization’s place of incorporation or offices.
Among other things, counsel can advise on cross-border data concerns to address compliance with data being shared or transferred outside of the United States. Some concerns that a cybersecurity-focused outside counsel can help with include, but are not limited to:
- What data privacy laws are impacted?
- What is the definition of a data breach?
- Can the company lawfully send and receive data to a particular foreign country?
- What is the company’s responsibility to data owners?
- What are the cybersecurity requirements for collecting, processing, or transmitting data?
- What are the potential private causes of action that can be taken against the organization in the event of a data breach?
Outside counsel can answer these and many other questions to better advise in-house counsel and the CISO.
While too many outside counsel claim to have cybersecurity and data privacy expertise, few have truly risen to the top of this new cottage industry. New York’s Avi Gesser, a Davis Polk partner and publisher of an excellent cyber blog (for which the author is particularly grateful for research support to this article), and Washington, DC-based Luke Dembosky from Debevoise and a former cybercrimes prosecutor, are both outstanding practitioners in this space.
What value does outside cybersecurity-focused counsel provide when a data breach occurs?
Increasingly, organizations recognize that data breaches are no longer a matter of “if” but of “when.” According to the 2019 Symantec Internet Security Threat Report:
- 1 in 10: URLs are malicious
- 56%: increase in web attacks
- 12%: increase in enterprise ransomware
- 78%: increase in supply chain attacks
In short, malicious actors continue to evolve their threat methodologies faster than organizations can secure their ecosystems.
In the event of a breach, external counsel will be invaluable. At a minimum, counsel provides an independent perspective to both senior management and its board of directors.
Specifically, counsel can help
- Ensure preservation of documents and information,
- Conduct interviews of relevant personnel
- Advise on insider trading-related risks
- Coordinate outreach with law enforcement and regulators
- Advise the company on its legal and regulatory obligations
In particular, counsel should advise on whether a particular cyber event triggers a legal requirement to notify one or more of the company’s customers, regulators, insurers, auditors, vendors, or even the market itself. All 50 states have breach notification laws, including standards at the federal and international levels. However, the legal framework surrounding notifications is a mess because there are different requirements as to what triggers a notification, what the notification must say, and the deadlines involved.
However, if counsel is not brought in until after the breach, it will be very expensive for a company given the amount of work that counsel will need to handle in a very accelerated time frame. Waiting to hire counsel until an actual incident occurs leaves the company vulnerable to legal liability and reputational harm. On the other hand, bringing in counsel early will mitigate that risk, and allow time for having a greater familiarity with a company’s network infrastructure and forming sound working relationships with the CISO and the legal/compliance teams.
How SecurityScorecard enables corporate counsel
With SecurityScorecard’s continuous monitoring capabilities and security ratings system that uses an A-F scale, our platform enables corporate counsel and outside counsel to help protect against cyber attacks. Additionally, the long-tail data we collect provides documentation that can assist legal counsel when looking for evidence that proves control effectiveness.
Our platform enables organizations to engage with internal stakeholders across the enterprise, providing a common language for discussing risk and security posture. Using our detailed reporting capabilities, organizations can gain insight into their own risks as well as potential vendor risks. For example, organizations with a D or F rating are five times more likely to experience a data breach. Legal counsel can use these ratings to proactively address risks and mitigate legal or compliance-based liabilities.
Moreover, in-house counsel should formulate contractual language aligning with our ten groups of factors and use the risk ratings as key performance indicators for vendor contracts. By using our factors as part of vendor contracts, corporate or outside counsel can more effectively meet the ABA vendor contract requirements.
Finally, organizations using our Atlas platform can better manage the complex compliance requirements necessary for proving a robust cybersecurity program. Our machine-learning capabilities align vendor questionnaire responses to the publicly available information gathered by our platform to provide immediate verification of controls, alerting organizations to potential risks arising from vendor control weaknesses.