Steven Chabinsky, SVP Legal Affairs, General Counsel & Chief Risk Officer, CrowdStrike
If you’re providing information technology services to law firms or to in-house legal teams, you may want to consider the lawyer’s increasing role in cyber security enterprise risk management. It may come as a surprise to you, and perhaps even be counter-intuitive, but lawyers can help the CIO accomplish his or her goals of having the C-Suite establish a corporate risk profile, understand and accept residual risk, and appropriately fund the security controls that should accompany most IT deployments.
If you were to ask whether lawyers want to help in this regard, I would give you the classic lawyer answer: it depends. I don’t know of many attorneys who have free time on their hands, and most would just as soon not have yet another major issue on their plates. On top of that, many attorneys feel they lack the technical expertise to weigh in on technology and data security issues. Still, attorney involvement is becoming unavoidable, and many lawyers already are standing front and center in this area. Over the last few years, lawyers (whether corporate counsel or outside counsel) increasingly are expected to understand the implications of cyber security when providing advice on a long list of matters, including: federal, state and international privacy laws, regulations, and emerging standards; contract negotiation and compliance; contract indemnity limits and insurance coverage for security incidents; public/private security partnerships; employee monitoring; BYOD considerations; vendor and outsourcing requirements; M&A due diligence; incident response (including working with outside counsel, forensic firms, law enforcement, and regulators); network breach reporting obligations; data breach litigation; and Congressional testimony.
“I believe IT and network security practitioners can benefit equally from their legal department’s help”
You also may find that, from a corporate governance perspective, many companies give greater weight to the advice of lawyers based on the view that they are neutral brokers. As a result, the lawyer, as a trusted and unbiased advisor with possible insight into all aspects of the business, may be uniquely qualified to help the CIO and the CISO navigate corporate (and Board) risk calculations that must reconcile customer deliverables and workforce expectations with informed security, shifting legal requirements, and constrained resources.
An additional reason that lawyers are becoming more educated and active when it comes to cyber security involves their professional ethics obligations. Criminal hackers and foreign intelligence operatives are actively, and successfully, targeting and stealing sensitive information from law firm networks and from in-house counsel precisely because lawyers have access to a broad range of privileged, highly sensitive information. This fact puts into play three significant attorney obligations: the duties of confidentiality, supervision, and competence. With respect to confidentiality, attorneys generally are prohibited from revealing information relating to the representation of a client unless the client consents. That obligation extends beyond intentional disclosures. Lawyers have long known, for example, that they are not allowed to discuss client confidences carelessly in public, or to leave privileged documents unattended or improperly secured. Naturally enough, the duty of confidentiality applies equally when communicating by phone, text, or email, or when storing information on a laptop, thumb drive, or in the cloud. Lawyers also must properly supervise others in the firm or the company with access to attorney-client privileged information.
Perhaps less obvious than the duties of confidentiality and supervision is that a cyber security requirement extends directly to an attorney’s ethical obligation of competence. Attorneys might think that this duty only requires that they be competent to provide legal advice in their particular area of practice (take tax law, for example). Not so. Competence also extends to data security. From the CIO’s perspective, you will be interested to know that the group that regulates attorneys in at least one State determined that “an attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.” In response to this mandate, a number of attorneys have found it helpful to turn to the plainly stated NIST framework as their source of reference when engaging with experts to assess and mitigate their risks.
In short, attorneys will increasingly rely upon the CIO, CTO, and CISO when fulfilling their expanding risk management roles within organizations and to help them comply with their professional ethical obligations. I propose that IT and network security practitioners can benefit equally from their legal department’s help. Although working with lawyers may lead to unwanted questions and oversight, the result is likely to be shared responsibility over difficult risk decisions and an influential advocate in your corner.