Advising Lawyers on Technology?

Steven Chabinsky, SVP Legal Affairs General Counsel and Chief Risk O, CrowdStrike, Steven Chabinsky is General Counsel and Chief Risk Officer for Crowd Strike, a cyber security technology firm that specializes in continuous threat mo...  More >>

If you were to ask whether lawyers want to help in this regard, I would give you the classic lawyer answer: it depends. I don’t know of many attorneys who have free time on their hands, and most would just as soon not have yet another major issue on their plates. On top of that, many attorneys feel they lack the technical expertise to weigh in on technology and data security issues. Still, attorney involvement is becoming unavoidable, and many lawyers already are standing front and center in this area. Over the last few years, lawyers (whether corporate counsel or outside counsel) increasingly are expected to understand the implications of cyber security when providing advice relating to a long list of matters that include—federal, state and international privacy laws, regulations, and emerging standards, contract negotiation and compliance, contract indemnity limits and insurance coverage for security incidents, public/private security partnerships, employee monitoring, BYOD considerations, vendor and outsourcing requirements, M&A due diligence, incident response (to include working with outside counsel, forensic firms, law enforcement, and regulators), network breach reporting obligations, data breach litigation, and Congressional testimony.

“I believe IT and network security practitioners can benefit equally from their legal department’s help”

You also may find that, from a corporate governance perspective, many companies give greater weight to the advice of lawyers based on the view that they are neutral brokers. As a result, the lawyer, as a trusted and unbiased advisor with possible insight into all aspects of the business, may be uniquely qualified to help the CIO and the CISO navigate corporate (and Board) risk calculations that must conform customer deliverables and workforce expectations with informed security, shifting legal requirements, and constrained resources.

An additional reason that lawyers are becoming more edu­cated and active when it comes to cyber security involves their professional ethics obligations. Criminal hackers and foreign intelligence operatives are actively, and successfully, targeting and stealing sensitive information from law firm networks and from in-house counsel precisely because lawyers have access to a broad range of privileged, highly sensitive information. This fact puts into play three significant attorney obligations: the duties of confidentiality, supervision, and competence. With re­spect to confidentiality, attorneys generally are prohibited from revealing information relating to the representation of a client unless the client consents. That obligation extends beyond inten­tional disclosures. Lawyers have long known, for example, that they are not allowed to discuss client confidences carelessly in public, or to leave privileged documents unattended or improp­erly secured. Naturally enough, the duty of confiden­tiality applies equally when communicat­ing by phone, text, or email, or when storing information on a laptop, thumb drive, or in the cloud. Lawyers also must properly supervise others in the firm or the company with access to attorney-client privi­leged information.

Perhaps less obvious than the duties of confi­dentiality and supervi­sion is that a cyber secu­rity requirement extends directly to an attorney’s ethical obligation of competence. Attorneys might think that this duty only requires that they be competent to provide le­gal advice in their particular area of practice (take tax law for example). Not so. Competence also extends to data security. From the CIO’s perspective, you will be interested to know that the group that regulates attorneys in at least one State determined that “an attorney must either have the competence to evaluate the nature of the potential threat to the client’s elec­tronic files and to eval­uate and de­ploy appro­priate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consult­ant who does have such competence.”In response to this mandate, a number of at­torneys have found it helpful to turn to the plainly stated NIST framework as their source of reference when engaging with experts to assess and mitigate their risks.

In short, attorneys will increasingly rely upon the CIO, CTO, and CISO when fulfilling their expanding risk management roles within organi­zations and to help them comply with their professional ethical obligations. I propose that IT and network security practi­tioners can benefit equally from their legal depart­ment’s help. Although working with lawyers may lead to unwanted ques­tions and oversight, the result is likely to be shared responsibility over dif­ficult risk decisions and an influential advocate in your corner.