BreachExchange mailing list archives

Law firm cybersecurity practices booming in era of the breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 18 Feb 2015 05:29:15 -0700

http://www.post-gazette.com/business/legal/2015/02/17/Law-firm-cybersecurity-practices-booming-in-era-of-the-breach/stories/201502170003

The cybersecurity woes of companies like Target and Sony in 2014 have meant
a busy start to 2015 for law firm data-privacy and security practices.

“After all of the headline data breaches of 2014, you have boards of
directors and CEOs and general counsel asking the question, ‘Are we ready
for something like that?’ ” said Gregory Parks, co-chairman of Morgan,
Lewis & Bockius’ 85-attorney privacy and cybersecurity practice.

Law firms have been preparing for years to assist clients with data
security needs, with several touting practices that blend traditional legal
experience in the corporate and litigation arenas with technical acumen.

Mr. Parks said his firm has seen “a huge uptick” in calls from clients
looking to make sure they are protected against a breach and prepared to
respond if one does happen.

“I think this year, between Target at the front end and Sony at the back
end, 2014 changed awareness of these issues and made them issues that the
public thinks about now,” said Dechert partner Vernon Francis, a member of
the firm’s cybersecurity and data privacy group.

And when the general public is aware of an issue, it creates all the more
urgency for companies, which rely on the public’s business, to make sure
they are protecting the data they have.

Morgan Lewis has traditionally focused its privacy practice in the
financial services, retail, health care, energy and hospitality and travel
industries.

But Mr. Parks said that, unlike 10 years ago, “cybersecurity is absolutely
an issue for every company.”

Getting every company’s buy-in, however, can be a challenge.

“The real issue that general counsel confront … is often [having] a hard
time about getting C-suite buy-in before there is a problem,” said Scott
Vernick, head of Fox Rothschild’s privacy and data security practice.

While many firms have focused on putting data security policies in place
for clients, creating incident response plans is becoming a growing part of
the practice, Mr. Vernick said.

Creating such a plan requires teamwork between the company’s IT department
or an outside tech vendor and guidance from the law firm.

“There’s certainly been a growth in this [practice] area at every level,”
but many companies, especially in unregulated industries, are “not so much
focused on this,” said Fernando Pinguelo, chair of the cybersecurity and
data protection practice at Scarinci Hollenbeck’s Ocean, N.J., office.

“It’s unfortunate because there are simple steps that can be taken to line
up the right people,” Mr. Pinguelo added. “Businesses need to do more than
just talk about this. … They want to be able to pick up the phone and get a
human being who is able to orchestrate what their next steps are.”

Mr. Vernick said he will often start by showing a client a letter from a
multistate attorney-general investigation sent to a company and say, “Here
are the questions you will be asked when there is a breach. Are you ready
to answer the questions? If you are not ready, we’ll get you ready.”

Mr. Parks said there is a growing recognition that incident response plans
are no longer housed solely in the IT department, but are a collaborative
effort between IT, legal and a company’s public relations arm.

Scott Christie, a partner in Newark, N.J.-based McCarter & English’s
cybersecurity and data privacy practice, said, “The lawyer who’s
coordinating [cybersecurity work] needs to walk the walk and talk the talk.
… It’s vital for an attorney who professes to do cybersecurity work to have
not only the legal background, but the technical background.”

Duane Morris partner Sandra A. Jeskie, who heads up the firm’s information
technologies and telecommunications practice and is also a recent
past-president of the International Technology Law Association, said it is
important to have a lawyer who knows about data privacy issues involved in
contract negotiations. Contracts aren’t often explicit about who will pay
for what if a breach occurs and businesses assume the contract’s general
indemnification clause will cover it. But Ms. Jeskie said that
indemnification clause usually doesn’t kick in until there is litigation.

And as Mr. Vernick pointed out, the cost of a breach before litigation even
occurs has been estimated to be upwards of $200 per record compromised.

Mr. Parks said good data privacy is an asset for companies that garners
good will, particularly from the most sophisticated of business consumers.

“This really is the case where an ounce of prevention is worth many, many
pounds of cure,” he said.

But he warned companies not to ease up on their efforts once a plan is in
place.

“It is absolutely a constantly evolving thing. This is something that every
company needs to work on constantly, all the time. You can never say, ‘OK
we are done with cybersecurity,’ ” Mr. Parks said. “I liken it to the old
boardwalk game Whac-A-Mole. Everything pops up and you have to hit it.”