Corporate Counsel and Cybersecurity and Data Protection

Even the best security program will not prevent all cybersecurity incidents. It is generally well known in the corporate and public counsel arena that preparation in advance and an effective preventative program are essential to protect against cyber threats.  Legal risk is a crucial consideration considering that potential plaintiffs may sue using many theories of liability spanning a range of federal and state statutory and common law claims, e.g., reach of contract, negligence, fraud, violation of consumer protection statutes, violation of the Stored Communications Act, breach of fiduciary duty, invasion of privacy, and breach of data protection laws, among others.  

The list of items to cover for corporate counsel in this area is continuing to grow.  According to the Association of Corporate Counsel’s 2020 annual survey, “90% of chief legal officers expect[ed] data privacy issues to accelerate” in the year 2021.  They were not mistaken, especially since human error accounts for one of the major causes of a data breach. 

The duties for corporate counsel facing growing privacy and cybersecurity to-do lists include privacy policy review for compliance with legal standards, vendor contract review, merger and acquisition transactions, risk transfer (contracts and insurance), incident response plan – implemented and tested, protocols regarding vendor breach, and cybersecurity assessments, among others.  Below are a few other matters that corporate counsel may want to consider when executing their role in cybersecurity matters.

Cyber Incident Reporting for Critical Infrastructure Act of 2022

Corporate counsel may want to pay close attention to the newly signed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) signed by President Biden on March 15, 2022.  The Act creates two critical reporting obligations on owners and operators of critical infrastructure: (1) an obligation to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security within 72 hours; and (2) an obligation to report ransomware payments within 24 hours. The new obligations do not take effect until CISA promulgates implementing regulations, but corporate counsel should use this time to educate their executives and board on this new law and obligations. Some of the business entities that are considered “critical infrastructure” under the Act include: commercial facilities, communications, dams, emergency services, energy, financial services, food, and agriculture services, healthcare and public health facilities, information technology, transportation systems, water and wastewater systems, and chemical facilities.  

Cybersecurity and Privacy Policies

Your company should already be managing cybersecurity and data risks by developing and implementing policies and procedures to manage privacy, security, and compliance issues.  Compliance with legal standards is an ongoing project because, as demonstrated by CIRCIA, the law is a moving target in this area.  Ensure that your role as corporate counsel is clearly defined in your company’s policies and procedures applicable to data protection and in your company’s security compliance plan.  

Vendors

The security of your vendors is just as important as the security of your organization. Conduct a thorough vendor contract review to ensure that your vendors are as vigilant as your company in data security. Implementing a system to protect your information when transferred to the vendor is also advisable. One of the most crucial things is to require in a contract that a third party notify you in the event of a breach. 

Ensure your board is well-informed

The chief information security officer is heavily involved in mitigating cybersecurity risks and can assist in educating your board. Include your chief information security officer in briefs with your board members. 

Hire Cyber Counsel to assist with a breach before the breach occurs

It’s a good idea to hire cyber counsel now. Consider the fact that your employees do not have to act maliciously to commit a data breach.  Human error is a major cause of data breaches. If your budget is low, sign a retainer contract so that you are not searching for competent cyber counsel after a breach occurs. Ideally, work with cyber counsel on preventive measures and protocols so that they are at the ready as soon as a breach occurs. Waiting to hire cyber counsel after a breach will put your company behind the curve in correcting the issue and reporting requirements.

Conduct Cybersecurity Assessments and Protect your Client’s Privilege 

Cyber counsel can also assist in cybersecurity assessments. Obviously, the company’s IT experts are involved in the day-to-day and long-term cyber preventative strategy.  However, it is important to ensure that your IT department does not hire outside experts or consultants without going through the general counsel’s office.  If the IT department hires a consultant, who then provides a written report to IT which identifies major weaknesses in your company’s cybersecurity and privacy firewalls, future plaintiffs and their lawyers may seek production of the report that not only outlines the weaknesses in the system but will highlight the fact that the company was aware of the weaknesses and may not have yet taken the steps to correct the issues. Ensure that your company has a formal protocol in place to ensure that the general counsel’s office is involved in any and all consultations with outside experts regarding your cybersecurity program so that you can take steps to preserve privileges. 

There are a few key cases that corporate counsel may want to study regarding sharing cybersecurity and data protection information with third parties, including cybersecurity experts, without waiving privileges, including  Pearlstein v. Blackberry LTD., No. 13 Civ. 7060 (CM) (S.D. N.Y. Jan. 26, 2021) and Universal Standard Inc. v. Target Corp., 331 F.R.D. 80 (S.D.N.Y. 2019).  In re: Target Corp. Customer Data Security Breach Litigation, No. 0:14-MD-02522 (D. Minn. Oct 23, 2015), specifically discussed preserving privileges in a data breach context after hiring outside experts.  Target suspected a security breach, retained outside counsel, and formed a task force at the request of their in-house and outside counsel to educate the lawyers of the company for legal advice and to prepare for litigation. Target successfully demonstrated that the task force was formed not for purposes of remediation of the data breach but to inform Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation that was already pending.  The takeaway from these cases is clearly to consider using external litigation counsel for data security breach investigations, state in the retainer agreement that legal advice is sought to assist the company’s lawyers in providing legal advice to the company, and assert the privilege.