Digitally literate lawyers
CEOs expect the Internet to deliver ever-better customer experience while still paying dividends in faster, cheaper, and more resilient operations. They are also committed to data mining and analysis, boosting their innovation capacity, and improving decision-making. Many companies do not realize the depth and breadth of their liability exposure the moment a computer or mobile device with access to the corporate information network accesses the Internet.
Basic digital literacy
According to PwC (PricewaterhouseCoopers), in a digitally based business environment, general counsel need to be digitally literate. The digital equivalent of basic reading and writing is having sufficient knowledge of networked IT hardware and software systems to be able to ask the right questions and apply legal judgment and resources to a variety of corporate issues. The digitally literate GC (General Counsel) must understand the purpose, the basic functions and the particular risks of every cybersystem on which their client relies and on which the operation of the business depends; but that is not enough. Counsel must also understand how those client cybersystems interact with and relate to all the other systems within the larger cyberenvironment "space".
What to expect from a digitally literate GC
The digitally literate GC must effectively represent and protect the interests of their client not just in the normal course of business but also in a cybersecurity crisis. Government regulators are beginning to apply a "broken windows" analysis to corporate IT environments that experience breach events, emphasizing the conditions which existed before the event and the individuals responsible for those conditions. The GC must be able to manage both the mandatory obligations imposed by the laws and regulations of many jurisdictions and the obligations assumed by contract and under industry standards. Corporate boards are increasingly focusing on cyberrisks and on the corporate and personal liability resulting from cybersecurity failures. As they become more familiar with these issues, they also come to expect that the company GC understands the basic structure and operations of the cyberworld, how the company participates in it, and the legal risks that participation entails. Oversight of cybersecurity by the Board of Directors of any corporation, whether public or closely held, is now universally required by regulators and the courts. Breaches of cybersecurity are now recognized as a primary corporate risk.
The “cyber” obligations of corporate Directors
Boards which recognize the need for cybersecurity tend to require prompt and thoughtful answers to a number of immediate questions:
- What are the significant cybersecurity risks the Company now faces?
- How have those risks been identified and ranked?
- Who is responsible for managing and staying current on the potential effects of these risks?
- Who is going to be the "leader" of the response when a cybersecurity event occurs?
- What corporate governance mechanisms are in place to ensure controls are effective and provide meaningful information to management and the Board of Directors?
- How can the Board of Directors properly evaluate the information they obtain from management about cybersecurity and be assured that it is trustworthy?
- How will the Board of Directors stay informed on changes in the cybersecurity risks the Company faces?
- How will the Company be viewed by its customers, shareholders, lenders, insurers and regulators in the event of a cybersecurity event?
There is an immediate need in every company connected in any way at any time to the Internet, whether deliberately, inadvertently, or malevolently, to implement a cybersecurity governance oversight program: a set of common-sense cybersecurity-related business activities that are formally managed and documented. The goal of such a program is to establish that the Corporation and its Board of Directors have in place, at the time of a cybersecurity breach, an "effective compliance program" as defined under the U.S. Sentencing Guidelines for Organizations. At the very minimum, a cybersecurity governance oversight program must include:
- Standards and procedures, based on a well-documented and realistic risk assessment.
- Active oversight of the program by the Board of Directors.
- Management implementation and operation of the program, with regular reports to the Board of Directors and immediate notification of each member of the Board at the time any cybersecurity event occurs.
- A single (senior-level) point of responsibility.
- Active due diligence including, but not limited to, background checks upon hiring and promotion, together with regular interim background checks including a requirement for financial disclosure reporting similar to that required of public officials, for each and every individual whose relationship to cybersecurity within the Company makes their position “cybersecurity sensitive.”
- Communications and training.
- Monitoring and auditing.
- Behavioral reinforcement of cybersecurity policies, including meaningful discipline and significant incentives, including appropriate remuneration for individuals in cybersecurity-sensitive positions.
- Appropriate response to discovery of any employee or contractor misconduct affecting cybersecurity within the Company.
The existence of such a cybersecurity governance oversight program provides a risk-driven oversight umbrella that considers the roles and processes within the Company needed to anticipate, identify and prevent cyberevents.
At a minimum, the cybersecurity-related standards and procedures component of the compliance framework should comply with one of the better-known cybersecurity-specific standards, such as the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, ISO 27001 or the SANS Institute Critical Security Controls.
Not if, but when.
The "when" in this old adage refers not to the date of the breach, but rather to the date when the company first realizes that a breach occurred, which, unfortunately, is often long after the cybersecurity breach event itself. There is now a substantial probability, approaching certainty, that some kind of cybersecurity breach event will eventually occur in every Company of economic importance or public interest, as a result of the efforts of a broad spectrum of perpetrators with a variety of motives: financial, sociopolitical, ideological, simply mischievous or wantonly malicious. The unpredictable but generally serious and often catastrophic consequences of a cybersecurity breach demand anticipation and planning by the Company. Cybersecurity breach events include, but are certainly not limited to, theft of trade secrets and other intellectual property, some of which may belong to third parties and be subject to strict non-disclosure agreements; theft and disclosure of information involving individuals and the Company; and disruption of Company operations, ranging from simple denial-of-service attacks and recruitment of some or all of the company's computers into botnets to serious and often permanent and irreparable damage to machines and production equipment. The list of potential damage to a Company from a cybersecurity breach is limited only by the imagination of those causing the breach, and that list must be anticipated by Company management before the cybersecurity breach occurs.
The attorney-client privilege
There is a problem unique to attorneys who may become involved in dealing with cybersecurity. The attorney has a nondelegable duty to safeguard the attorney-client privilege. A useful activity for corporate counsel is to prenegotiate standby agreements with any professional service providers who might need to become immediately involved in the investigation and repair of a cybersecurity breach, including outside counsel, forensic specialists, and the point of contact at the Company's insurance carrier covering cybersecurity. The claims management scenarios, including, where appropriate, defense and counterclaims, should be developed and approved before a cybersecurity breach occurs. Before any cybersecurity breach occurs, corporate counsel should have already identified the critical trade secrets and proprietary information at the heart of the Company's business success, and just what personal, proprietary and other third-party information is held by the Company and for which the Company will be liable if that information is improperly disclosed. Corporate counsel must be aware of the extent of any "technical debt" which may exist at the Company as a result of deferred maintenance, upgrades and patches of the computer hardware and software the Company relies upon, because it will have a direct impact upon the liability of the Company in the case of a cybersecurity breach. Company management and the GC must fully evaluate the extent of the risk to product production and the provision of services by the Company as the result of a cybersecurity breach. That risk assessment must also include all the cyber risks to the Company from its supply chain and to the customers for which the Company is part of their supply chain.
Digitally literate and cybersavvy GCs should represent their clients in, and participate in, the cybersecurity groups within and around their industry; in public-private partnerships such as InfraGard, which brings together the FBI and private-sector participants focusing on critical industrial sectors; and in the Overseas Security Advisory Council (OSAC), which exists to promote security and cooperation between U.S. private-sector interests worldwide and the U.S. Department of State. The demand for digitally literate Counsel is growing and reaching the level of a business imperative as each cybersecurity breach hits the evening news.