At a Halloween party, a new acquaintance asked, “What do cybersecurity lawyers actually do?” It is a fair question. Without decades of commonly held knowledge surrounding the industry, a logical answer remains under construction. In short, a lawyer working in cybersecurity and privacy works across 5 domains:
1. Contracts & Compliance: This part is easy: cybersecurity attorneys draft and review contracts involving technology and federally-regulated industries. More specifically, cyber lawyers represent either Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs), or the clients thereof. MSPs/MSSPs provide administrative and/or security services to businesses to build, monitor, and secure computer networks against cybercrime and operator malfeasance.
Until about 5 years ago, relationships between MSPs and MSSPs were mainly documented through purchase orders for equipment and software products; neither party was very concerned about liability, breaches, or data theft. Today, these are more complicated relationships. Examples of the issues often addressed therein are as follows:
Who is responsible if there is a data breach? Who (and which entity) should be notified in the event of a breach? Who is legally responsible for any resulting damages?
What, if any, remediation measures will be implemented by the MSP/MSSP following a cyber incident?
Was the MSP/MSSP only contracted to do an initial set-up and configuration of a network for administrative and security purposes? Is there a continuing obligation?
How are legal privileges preserved following a cyber incident?
What if the MSP/MSSP strongly recommends certain features that the client is unwilling to implement and pay for - who assumes the risk against the declined recommendation?
Does the client have a responsibility to vet the MSP/MSSP's abilities?
If the client is in a regulated industry (healthcare, banking), does the MSP/MSSP understand the federal information security requirements imposed?
Should the business alert law enforcement? What will law enforcement do with the information received from the business following a reported incident?
Not including MSPs/MSSPs, who assesses due diligence on cybersecurity issues prior to a merger or acquisition? How are these issues written into an acquisition purchase agreement? (No one wants to purchase a dying horse.)
2. Insurance: Failure to purchase and maintain cybersecurity insurance is…unacceptable. Cybersecurity insurance is cafeteria-style, in which an entity should pick and choose the necessary coverage. Variables on the type of coverage selected include the type of industry, the sensitivity of the data, types of precautions in place against cyber-events, and the state in which the business is located.
Cyber insurance is expected to become the next National Flood Insurance Program given skyrocketing costs, and its rates are strongly affected by the insured’s efforts to maintain security. Insurance companies often send out questionnaires to prospective insureds prior to issuing a quote, which, if falsely executed, can result in a denial of coverage. Cybersecurity attorneys help clients determine necessary coverage and what benefits are available following an incident.
3. Policies/Procedures: Without negating the role played by criminals, cyber events are often preventable or manageable by implementing rules within the business itself. That said, are certain policies required for a particular industry? Is a business negligent in failing to implement appropriate protective policies (short answer: yes)? What can an employer lawfully force an employee to do? What are the employees’ privacy rights?
4. Litigation: After leaving “Big Law,” the desire to allow court deadlines to cancel vacations (again) or ruin Christmas Eve is non-existent. That said, many litigators neither understand the intricacies of cybersecurity nor can effectively converse with technology and security officers well enough to properly depose a witness or craft defense/prosecution theories on cybersecurity issues.
5. Legislation: Reviewing, drafting, and editing legislation on privacy and technology issues and the accompanying ramifications on individuals, businesses, and governmental entities.
A cybersecurity attorney answers the questions posed herein. A savvy business does not hire a basic custodial service to do environmental pollution remediation; using an oil and gas attorney to review cybersecurity matters is equally absurd. I also do some graffiti artwork and keep Lululemon in business.