Tech pundits began in 2015 asking whether small and large businesses needed the counsel of a law firm well-versed in cybersecurity. “Developing plans to protect digital information and networks while complying with state and federal regulations can be a legal challenge for any corporation,” mentions Kacy Zurkus in this August 2015 CSO article. “Is relying on in-house counsel enough, or should companies have a cybersecurity attorney on retainer?”
Fast forward to 2018, and even more tech pundits suggest that retaining legal counsel familiar with cybersecurity is vital for a company’s well-being. Darius Davenport, in his Inside Business Column article Make sure your cybersecurity team includes a breach lawyer, writes, “Your IT department can’t do it all. Attorneys must be in the mix.”
SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)
Here are specific steps businesses can take in preparation for a cybersecurity attack.
1: Create a cybersecurity framework
Davenport is no stranger to cybersecurity litigation—he leads the cybersecurity and data-privacy group at Crenshaw, Ware & Martin in Norfolk, VA. Davenport believes the first step those responsible for a company’s digital safety should take is to create a security framework.
Doing so, suggests Davenport, will improve the company’s ability to prevent, detect, and, if necessary, respond to a cyberattack. “A useful framework is NIST Special Publication 800-171, designed with private businesses in mind,” mentions Davenport. “It is relatively easy to understand and provides a sound road map for a robust cybersecurity infrastructure. It is also the required framework for defense contractors.”
Anthony Cammarata Jr., in his Cherokee Tribune & Ledger News From the Bench and Bar article, offers the following example of how a cybersecurity framework can make a difference:
“We all remember participating in fire and weather emergency drills in grade school. This same model applies to businesses wanting to prevent cyberattacks (Phishing for example) …. Periodically sending phishing emails to your employees is a simple measure to investigate if any are susceptible to clicking a fake link, opening a potentially dangerous attachment, or unwittingly providing sensitive information.”
2: Obtain legal counsel that specializes in cybersecurity
The next step according to Davenport is to obtain legal services—hire an attorney or retain a law firm that specializes in cybersecurity—to create an incident-response plan that encompasses all foreseeable data-security issues and details how to respond to them. The plan should include the following provisions:
- Assign key employee roles.
- Establish lines of internal and external communications.
- Identify guidelines on how to start and carry out incident investigations. Davenport suggests there is potentially an added benefit of accepting legal advice: The investigation is likely to be protected by attorney-client privilege.
- Mandate when the plan should be reviewed and updated (Davenport suggests annually).
- Provide cybersecurity policies that give employees notice and govern how they access company networks.
SEE: Incident response policy (Tech Pro Research)
3: Get cybersecurity insurance
Most of us like to complain about insurance, but when something goes wrong there’s that feeling of relief knowing the company is covered. Both Davenport and Cammarata state that cybersecurity insurance is becoming a requirement, especially with the number of insider (accidental or planned) security issues.
“According to IBM Security and the Ponemon Institute, unsuspecting employees cause roughly 25 percent of data incidents by inadvertently clicking on a malicious email or losing a portable device filled with sensitive information,” writes Davenport. “This is where cybersecurity insurance kicks in.”
Davenport then ticks off contingencies that may be overlooked when obtaining cybersecurity insurance:
- Ransomware payment in cryptocurrencies.
- Retroactive date exclusions. Davenport explains the need for date exclusions, saying, “If a hacker gets access to your network, the resulting data incident could be considered an event that occurred prior to the policy period and would therefore be excluded.”
- Losses and expenses incurred as a result of business interruption due to a breach at a third-party vendor upon which your company depends.
- Employees, volunteers, interns, and contractors performing company-related work.
Cammarata, in his From the Bench and Bar article, voices concern that company management might think general liability insurance is enough. “Most general liability insurance policies will not cover losses or legal fees associated with data breaches,” advises Cammarata. “Policies should cover general costs incurred by your company after a breach, including public-relations campaigns and business-interruption expenses, as well as legal fees from potential lawsuits if sensitive customer information is compromised.”
Their final thoughts
Davenport and Cammarata, being attorneys, obviously have a vested interest in this topic; that said, it still comes down to what a company can afford “if and when” a cybersecurity incident occurs. Both attorneys strongly suggest taking the time to research and/or get professional advice on the company’s exposure to cyberattacks and data breaches.