BreachExchange mailing list archives
Law firm cybersecurity practices booming in era of the breach
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 18 Feb 2015 05:29:15 -0700
http://www.post-gazette.com/business/legal/2015/02/17/Law-firm-cybersecurity-practices-booming-in-era-of-the-breach/stories/201502170003

The cybersecurity woes of companies like Target and Sony in 2014 have meant a busy start to 2015 for law firm data-privacy and security practices.

“After all of the headline data breaches of 2014, you have boards of directors and CEOs and general counsel asking the question, ‘Are we ready for something like that?’ ” said Gregory Parks, co-chairman of Morgan, Lewis & Bockius’ 85-attorney privacy and cybersecurity practice.

Law firms have been preparing for years to assist clients with data security needs, with several touting practices that blend traditional legal experience in the corporate and litigation arenas with technical acumen.

Mr. Parks said his firm has seen “a huge uptick” in calls from clients looking to make sure they are protected against a breach and prepared to respond if one does happen.

“I think this year, between Target at the front end and Sony at the back end, 2014 changed awareness of these issues and made them issues that the public thinks about now,” said Dechert partner Vernon Francis, a member of the firm’s cybersecurity and data privacy group.

And when the general public is aware of an issue, it creates all the more urgency for companies, which rely on the public’s business, to make sure they are protecting the data they have.

Morgan Lewis has traditionally focused its privacy practice in the financial services, retail, health care, energy and hospitality and travel industries. But Mr. Parks said that, unlike 10 years ago, “cybersecurity is absolutely an issue for every company.”

Getting every company’s buy-in, however, can be a challenge.

“The real issue that general counsel confront … is often [having] a hard time about getting C-suite buy-in before there is a problem,” said Scott Vernick, head of Fox Rothschild’s privacy and data security practice.

While many firms have focused on putting data security policies in place for clients, creating incident response plans is becoming a growing part of the practice, Mr. Vernick said. Creating such a plan requires teamwork between the company’s IT department or an outside tech vendor and guidance from the law firm.

“There’s certainly been a growth in this [practice] area at every level,” but many companies, especially in unregulated industries, are “not so much focused on this,” said Fernando Pinguelo, chair of the cybersecurity and data protection practice at Scarinci Hollenbeck’s Ocean, N.J., office.

“It’s unfortunate because there are simple steps that can be taken to line up the right people,” Mr. Pinguelo added. “Businesses need to do more than just talk about this. … They want to be able to pick up the phone and get a human being who is able to orchestrate what their next steps are.”

Mr. Vernick said he will often start by showing a client a letter from a multistate attorney-general investigation sent to a company and say, “Here are the questions you will be asked when there is a breach. Are you ready to answer the questions? If you are not ready, we’ll get you ready.”

Mr. Parks said there is a growing recognition that incident response plans are no longer housed solely in the IT department, but are a collaborative effort between IT, legal and a company’s public relations arm.

Scott Christie, a partner in Newark, N.J.-based McCarter & English’s cybersecurity and data privacy practice, said, “The lawyer who’s coordinating [cybersecurity work] needs to walk the walk and talk the talk. … It’s vital for an attorney who professes to do cybersecurity work to have not only the legal background, but the technical background.”

Duane Morris partner Sandra A. Jeskie, who heads up the firm’s information technologies and telecommunications practice and is also a recent past-president of the International Technology Law Association, said it is important to have a lawyer who knows about data privacy issues involved in contract negotiations.

Contracts aren’t often explicit about who will pay for what if a breach occurs and businesses assume the contract’s general indemnification clause will cover it. But Ms. Jeskie said that indemnification clause usually doesn’t kick in until there is litigation.

And as Mr. Vernick pointed out, the cost of a breach before litigation even occurs has been estimated to be upwards of $200 per record compromised.

Mr. Parks said good data privacy is an asset for companies that garners good will, particularly from the most sophisticated of business consumers.

“This really is the case where an ounce of prevention is worth many, many pounds of cure,” he said.

But he warned companies not to ease up on their efforts once a plan is in place.

“It is absolutely a constantly evolving thing. This is something that every company needs to work on constantly, all the time. You can never say, ‘OK we are done with cybersecurity,’ ” Mr. Parks said. “I liken it to the old boardwalk game Whac-A-Mole. Everything pops up and you have to hit it.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/