The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Articles By Topic

By Topic: General Counsel

  • From Vol. 3 No.22 (Nov. 8, 2017)

    Managing Data Privacy Across Multiple Jurisdictions

    Long gone are the days when an acceptable privacy program consisted of a policy in an HR handbook. Building an effective and comprehensive privacy program that addresses wide-ranging data sets and dynamic regulations is a challenge for large and small organizations alike. To provide guidance on what has worked for them, Ropes & Gray teamed up with privacy professionals from Wyndham Worldwide and Facebook on a recent panel at the Privacy + Security Forum. The panelists offered advice on complying with the patchwork of U.S. laws and the growing number of global regulations and offered behind-the-scenes insight on how Wyndham built its global privacy program as well as how Facebook approaches privacy across its products. See also “Tips From Google, Chase and P&G Privacy Officers on Developing Strong Privacy Leadership and When to Use Outside Counsel” (Aug. 23, 2017).

  • From Vol. 3 No.14 (Jul. 12, 2017)

    A Discussion With eHarmony’s GC About the Role of In-House Counsel in Cybersecurity

    The general counsel plays a critical role in a company’s cybersecurity, especially in high-profile events, as the blame the Yahoo GC shouldered in the 2014 breach revealed. The GC must have the necessary authority to ensure the company develops appropriate proactive measures and must be able to take a leadership position after an event has occurred. Ronald Sarian, vice president and general counsel of eHarmony, spoke with The Cybersecurity Law Report about how the GC can obtain and exercise his or her authority, and his own efforts to develop incident response plans, training, communication and escalation protocols. He also discussed how he built a strong relationship with the company’s technical teams, what he learned from the 2012 cyber attack on eHarmony and what in-house counsel can learn from the DLA Piper breach. See also “Strategies for In-House Counsel Responsible for Privacy and Data Security” (Feb. 22, 2017) and “Increasing Role of Counsel Among Operational Shifts Highlighted by Cyber Risk Management Survey” (Nov. 16, 2016).

  • From Vol. 3 No.13 (Jun. 28, 2017)

    Cyber Crisis Communication Plans: What Works and What to Avoid (Part Two of Two)

    Even a small cyber incident can erupt into a major high-profile event depending on whether and how it becomes public. Because of the damaging effects press coverage can have, companies should be prepared with a thorough communications plan that contemplates more than just technical answers. In this second installment of our two-part article series on cyber crisis communication plans, experts offer advice on strategies for handling external communications to the media, regulators and other stakeholders, including specific questions companies might face; how to control and coordinate with a third-party vendor; and how to overcome common pitfalls and challenges. Part one covered key stakeholders and their roles, crucial playbook components and the benefits of planning ahead, and how to approach internal communications during a cyber crisis event. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.13 (Jun. 28, 2017)

    Building an Enterprise-Wide Cyber Risk Management Program: Perspectives From the C-Suite (Part Two of Two)

    Even an organization with a highly mature cybersecurity risk-management program needs to keep pace with the changing legal and business landscape, and staying ahead of this challenge starts at the top. Just when the dust had started to settle from the widespread WannaCry attack, the ransomware attack dubbed Petya spread internationally, impacting government and commercial entities, including law firms. Using a hypothetical scenario based on starting a new business line involving financial services, executives from Dell, Amazon, Cybraics and CrowdStrike, playing the roles of the CEO, CISO, CRO and GC, recently offered advice on how to develop an information security risk management program; which key stakeholders are involved in the governance of the program; and how the CISO should interact with the program. In this second installment of our two-part article series, we hear from the chief risk officer on ideas for program revitalization and minimizing risk and from the general counsel on understanding and implementing applicable laws, and all four stakeholders provide practical takeaways. Part one set forth the facts of the simulation, the CEO’s concerns, and the CISO’s response to those concerns, particularly in connection with the resources needed and strategy. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

  • From Vol. 3 No.8 (Apr. 19, 2017)

    What In-House and Outside Counsel Need to Know About ACC’s First Model Cybersecurity Practices for Law Firms

    The publicized breaches of major law firms last year served as a wake-up call for the legal industry, signaling the importance of having effective cybersecurity measures in place. On the heels of these breaches, the Association of Corporate Counsel released a set of model cybersecurity practices to help in-house counsel set expectations with respect to the data-security practices of their outside counsel and serve as a benchmark for best practices. But how realistic are those guidelines? Justin Hectus, the CIO and CISO of Keesal, Young and Logan, told The Cybersecurity Law Report that “the reality is that it’s a buyer’s market right now in legal. If a law firm is not willing to do these kinds of things in order to keep the clients’ data safe, then another firm will be willing to do it, as there are plenty of firms that take these steps even absent client pressure.” We analyze the guidelines’ recommendations with input from Hectus on the practicality of their implementation. See also “Eight Attributes In-House Counsel Look For in Outside Cybersecurity Counsel” (Jun. 8, 2016); and “How Law Firms Should Strengthen Cybersecurity to Protect Themselves and Their Clients” (Mar. 30, 2016).

  • From Vol. 3 No.5 (Mar. 8, 2017)

    Preparing For Ransomware Attacks As Part of the Board’s Fiduciary Duty

    Managing enterprise cybersecurity risk is a key obligation of a company’s general counsel and board of directors. The rapidly increasing frequency and sophistication of ransomware attacks in particular have made them a pervasive and challenging part of that enterprise risk. Debevoise partner Jim Pastore spoke with The Cybersecurity Law Report about what GCs and boards need to know about ransomware and how those stakeholders can effectively fulfill the board’s cyber-related fiduciary duty to the company. Pastore will be a panelist at Skytop Strategies’ Cyber Risk Governance conference on March 16, 2017 in New York. An event discount registration link is available to CSLR subscribers inside this article. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

  • From Vol. 3 No.4 (Feb. 22, 2017)

    A CSO/GC Advises on How and When to Present Cybersecurity to the Board

    As more boards come to understand cybersecurity as a critical issue that cannot be ignored, briefings on the topic have become more common. Those with the responsibility for presenting such briefings must understand what information is essential for the board to know and how to communicate it effectively. Dr. Chris Pierson, EVP, chief security officer and general counsel for Viewpost, a FinTech payments company, and the former CPO, SVP for the Royal Bank of Scotland’s U.S. banking operations, spoke to The Cybersecurity Law Report about his experiences briefing the board on cybersecurity and shared his insights on the most effective reporting structure, how to obtain buy-in and budget and the importance of communicating business advantage. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

  • From Vol. 3 No.4 (Feb. 22, 2017)

    Strategies for In-House Counsel Responsible for Privacy and Data Security

    Preparing for, preventing and responding to privacy and data security litigation are crucial aspects of the in-house attorney function. Key responsibilities for the role will often include developing training programs and privacy policies, working with the board, choosing the right outside counsel and effectively coordinating with them during major events. As part of a recent Practising Law Institute conference, a panel of in-house and outside attorneys from Greenberg Traurig, Glassdoor, Inc., Activision Blizzard and Pandora Media, Inc., discussed successful approaches to these tasks, as well as lessons learned from mistakes. See “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part One of Two)” (Nov. 25, 2015); Part Two (Dec. 9, 2015).

  • From Vol. 2 No.12 (Jun. 8, 2016)

    Eight Attributes In-House Counsel Look For in Outside Cybersecurity Counsel

    When it comes to handling cybersecurity issues, in-house counsel can help minimize the company’s legal risks – but they cannot do it alone. By partnering with an outside firm, in-house counsel can bolster security expertise and navigate unfamiliar territory such as compliance with local, state and national privacy and security requirements, data breach litigation and corporate governance. The Cybersecurity Law Report spoke to a number of in-house counsel who advise on cybersecurity issues at major companies such as ExxonMobil and IBM. They discussed eight attributes they look for in outside cybersecurity counsel, when they find outside counsel most valuable and the importance of vetting the firm’s own cybersecurity practices. See also “The Multifaceted Role of In-House Counsel in Cybersecurity” (Dec. 9, 2015).

  • From Vol. 2 No.12 (Jun. 8, 2016)

    What CISOs Want Lawyers to Understand About Cybersecurity

    As security and privacy threats and regulations proliferate, it is more important than ever for in-house counsel to collaborate with a company’s information security team to mitigate risks and protect their organization’s confidential information. At a recent panel at Georgetown Law’s Cybersecurity Law Institute, CISOs from Deloitte, BDP and Northrop Grumman shared advice about how lawyers and information security professionals can achieve that goal. The panelists addressed fostering a collaborative relationship, areas of tension between legal and IT, and how counsel can more effectively act as advocates for mitigating data security and privacy risk. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape”: Part One (Jul. 1, 2015); Part Two (Jul. 15, 2015).

  • From Vol. 2 No.8 (Apr. 13, 2016)

    A Look Inside the Cybersecurity and Privacy Law Department of a Top Defense Company

    The “bad guys” seeking to hack into systems of defense companies want sensitive information not for commercial success, but to do our nation and our allies harm, and that changes the cybersecurity equation, Raytheon’s John Smith told The Cybersecurity Law Report. In a Q&A, Smith, the vice president, cybersecurity and privacy, and general counsel of the global business services group at Raytheon, discusses how the Raytheon cybersecurity and privacy department is structured, when outside counsel is called in, how Raytheon approaches information sharing, why the new Department of Defense cybersecurity guidance is flawed, and more. See also “How the American Energy Industry Approaches Security and Emphasizes Information Sharing” (Mar. 2, 2016).

  • From Vol. 2 No.7 (Mar. 30, 2016)

    Steps for Companies to Take This Week, This Month and This Year to Meet the Challenges of International Cyberspace Governance

    The borderless nature of cyberspace demands adequate global security and governance, and companies must protect their data across jurisdictions. At the recent 2016 RSA Conference, experts explored the challenges of global cybersecurity and governance; identified key efforts to address these issues; provided nine practical steps companies should be taking now to protect themselves; and examined the cybersecurity laws of 13 countries. The panel featured Alan Charles Raul, a Sidley Austin partner; John Smith, Raytheon vice president, legal, cybersecurity and privacy; and Michael Sulmeyer, director of the Cyber Security Project at Harvard Kennedy School’s Belfer Center. See also “Deal Struck to Maintain the Transatlantic Data Flow” (Feb. 17, 2016).

  • From Vol. 2 No.7 (Mar. 30, 2016)

    In-House and Outside Counsel Offer Strategies for Navigating the TCPA, Avoiding Litigation and Responding to Breaches

    How can in-house counsel better position their companies to prevent and manage class action lawsuits resulting from Telephone Consumer Protection Act (TCPA) violations and cybersecurity incidents? At a recent PLI program, Hilary E. Ware, vice president and associate general counsel, litigation and regulatory affairs, at Netflix, Inc.; Renée T. Lawson, vice president and deputy general counsel at Zynga, Inc.; and Monica S. Desai, a partner at Squire Patton Boggs, discussed TCPA best practices and potential pitfalls; how to get ahead of litigation risks; and strategies for managing privacy, security and TCPA class litigation. See also “What Companies Need to Know About the FCC’s Actions Against Unwanted Calls and Texts” (Jul. 1, 2015).

  • From Vol. 2 No.2 (Jan. 20, 2016)

    How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)

    “Cybersecurity is an enterprise risk issue that should ultimately rise to the level of the board of directors,” Ivan Fong, senior vice president, legal affairs and general counsel of 3M Company, advised. Understanding the role of the board, and counsel’s role working with the board, is integral for managing cybersecurity risk effectively. Part one of this two-part article series examines the increased role of directors in ensuring companies are appropriately protected against cyber threats and how management, including in-house counsel, should communicate with the board and keep it updated and informed. Part two will address the litigation risks faced by the board and individual directors and how to limit that liability, including details about the role directors should play to satisfy their fiduciary duties. See also “Protecting the Crown Jewels Using People, Processes and Technology” (Sep. 30, 2015).

  • From Vol. 1 No.18 (Dec. 9, 2015)

    The Multifaceted Role of In-House Counsel in Cybersecurity

    To effectively advise corporations on cybersecurity issues, in-house counsel must navigate myriad issues that can vary across industries, state and international jurisdictions as well as privacy and information security contexts. A recent PLI program brought together privacy and information security counsel from various industries to share insights on the role of in-house counsel charged with securing business-critical and confidential data and technology. They discussed the different responsibilities for data privacy and cybersecurity professionals, international data privacy and protection laws, and offered strategies for in-house counsel to prevent internal cybersecurity threats, develop breach prevention and response policies and handle vendors. The panel was moderated by Lori E. Lesser, a partner at Simpson Thacher, and included top practitioners Rick Borden, chief privacy officer at the Depository Trust & Clearing Corporation; Nur-ul-Haq, U.S. privacy counsel at NBCUniversal Media; Michelle Ifill, senior vice president at Verizon and general counsel of Verizon Corporate Services; and Michelle Perez, assistant general counsel of privacy for Interpublic Group. See “Analyzing and Complying with Cyber Law from Different Vantage Points (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 8 (Jul. 15, 2015); and Part Two, Vol. 1, No. 9 (Jul. 29, 2015).

  • From Vol. 1 No.16 (Nov. 11, 2015)

    Target Privilege Decision Delivers Guidance for Post-Data Breach Internal Investigations

    In a ruling that may clarify how companies should conduct breach responses to preserve privilege, on October 23, 2015, a federal district court in Minnesota found that certain documents created during Target’s internal investigation of its 2013 payment card breach were protected by the attorney-client privilege and work product doctrine. The Target case “is one of the first cases we are seeing in the data breach context where the privilege issue has been tested,” Michelle A. Kisloff, a partner at Hogan Lovells, said. The Court’s denial of class plaintiffs’ motion to compel production of these documents recognized “that data breach victims have a legitimate need to perform an investigation in the aftermath of a breach in which communications are protected by the attorney-client privilege,” Michael Gottlieb, a partner at Boies, Schiller & Flexner, told The Cybersecurity Law Report. See also “Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 6 (Jun. 17, 2015); Part Two, Vol. 1, No. 7 (Jul. 1, 2015).

  • From Vol. 1 No.10 (Aug. 12, 2015)

    Cybersecurity 2.0: The Role of Counsel in Addressing Destructive Cyberattacks

    Companies rightly pay attention to data exfiltration threats, but sometimes overlook the more serious threats of destructive attacks, David Fagan and Ashden Fein, partner and associate, respectively, at Covington & Burling, argue in this guest article. They explain that the difference between data loss or theft (which may be viewed as “Cybersecurity 1.0”) and data and property destruction (“Cybersecurity 2.0”) is the difference between having your house robbed and having your house burned to the ground. They detail the evolution of cyber threats and how counsel can help protect against these destructive cyberattacks that are aimed at harming a business, rather than directly benefiting the attacker. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 7 (Jul. 1, 2015); Part Two of Two, Vol. 1, No. 8 (Jul. 15, 2015).

  • From Vol. 1 No.7 (Jul. 1, 2015)

    Preserving Privilege Before and After a Cybersecurity Incident (Part Two of Two)

    With the looming threats of post-breach litigation and regulatory enforcement actions, preserving privilege in connection with a company’s cybersecurity efforts – both before and after an incident – is critical to encouraging openness in assessing and addressing a company’s vulnerabilities. Unless companies take the proper steps, however, communications and other documentation that could have been protected by the attorney-client and work product privileges will be open to discovery. The first part of The Cybersecurity Law Report’s series on preserving privilege addressed pre-incident response planning and testing activities. This article, the second part of the series, addresses how to retain privilege during post-incident response efforts.

  • From Vol. 1 No.6 (Jun. 17, 2015)

    Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two)

    The attorney-client and work product privileges are powerful tools that assist companies in honestly examining cybersecurity gaps, preparing for incidents, and responding to breaches without concern that discussions and recommendations about a company’s vulnerabilities will be subject to future litigation. Those privileges are “a way of fostering an open consideration of the issues without fear it will necessarily have ramifications,” Alexander Southwell, a partner at Gibson Dunn, told The Cybersecurity Law Report. Preserving the privilege when preparing for a breach, however, is difficult unless a company properly distinguishes legal analysis from regular operational tasks. This article, the first of a two-part article series, addresses steps companies should take to preserve privilege in pre-incident response planning and testing activities. The second part will address how to retain privilege during post-incident response efforts.

  • From Vol. 1 No.1 (Apr. 8, 2015)

    How Can a Company Mitigate Cyber Risk with Cross-Departmental Decisionmaking?

    A lack of coordination among company units can be detrimental in many business areas, but when it comes to cybersecurity, isolated actions and decisions can pave a clear path to a data breach, and exacerbate the legal ramifications of that breach. In a guest article, Jennifer Topper of Topper Consulting explains: why cross-functional decisionmaking is so important in cybersecurity; how to make the business case for investing in proactive cyber planning; how to integrate the cybersecurity program; how to create a multidisciplinary group of stakeholders; and the role of the general counsel in information governance.
