
Are cybersecurity lawyers necessary for organizations?

Cybersecurity lawyers can help handle a variety of enterprise security issues, but are they necessary? Expert Mike O. Villegas discusses the potential benefits.

I heard that some industries, such as financial and healthcare organizations, are starting to keep cybersecurity lawyers on retainer. With so many different security practices and standards to keep up with, including compliance and privacy policies, it sounds like a good idea. Before we spend the money on a cybersecurity lawyer or law firm, do you think it's necessary? And if so, what enterprise issues should they focus on?

Internal legal teams are becoming increasingly educated in cybersecurity, but they will still call on cybersecurity lawyers for assistance when a security incident occurs. The threat of security breaches constantly grows in frequency and complexity, so it is no wonder that enterprises are starting to hire cybersecurity lawyers or keep them on retainer. But is this really necessary? It may not be necessary to hire a cybersecurity lawyer for the organization, but keeping one on retainer is probably a good idea.

An attorney retainer is an estimated amount of money that an attorney believes will cover the costs of legal representation in the event of a breach. The money is held in a noninterest-bearing account and the lawyers pay themselves with it for billable hours throughout the litigation process.

Retainer fees are also used when a client needs to hire an attorney for a long-term relationship. For example, companies can have cybersecurity lawyers on retainer in the event of a breach or cybersecurity incident in the course of the business's everyday work. Cybersecurity attorneys need a sufficient retainer to be called upon when needed, but it doesn't need to cover an entire litigation -- whether or not that will be necessary cannot be determined until the security breach or major incident occurs. The attorneys kept on retainer for these cases need to be specialists in cybersecurity and have experience in possible breaches that could occur within the specific industry and enterprise. This type of retainer provides a less expensive alternative to hiring an in-house legal team specializing in cybersecurity.

Issues that cybersecurity lawyers can assist with include:

  • Cybersecurity insurance coverage: Since cybersecurity insurance companies are limiting coverage because of recurring breaches, and are now questioning whether due diligence was taken by the enterprises as part of the insurance policy, a cybersecurity specialist can help ensure the company has sufficient insurance coverage.
  • Cybersecurity breach: When a breach occurs, cybersecurity lawyers can determine what recourse the enterprise has for litigation against the perpetrator, communication with stockholders and customers, possible legal and regulatory violations, and guidance on dealing with media relations.
  • Cybersecurity forensics: Cybersecurity forensic professionals typically know how to manage the chain of evidence, but eventually a cybersecurity lawyer needs to determine how to use this evidence for possible litigation.
  • Cybersecurity lawsuits: This includes situations where the enterprise has been alleged or proven to have mishandled, or been negligent in protecting, customer information or assets.
  • Cybersecurity executive protection: Due to certain laws and regulations, enterprise executives, including the CISO, bear personal liability for breaches and major cybersecurity incidents. Cybersecurity lawyers can provide assistance in limiting their liability and possible litigation.

Cybersecurity law firms engage subject matter experts in cybersecurity forensics, cybersecurity laws, media relations and liability insurance. In light of recurring and ever-increasing data breaches and regulatory requirements, having cybersecurity lawyers either on retainer or on staff is becoming a normal part of doing business.


This was last published in May 2016


Does your organization have cybersecurity lawyers on retainer or on staff? Why or why not?

The answer to whether cyber security lawyers are needed is an absolute
yes in my opinion. When you’re in trouble, you need the right kind of help –
not just help in general. Otherwise, you’ll find it costs you more and probably
hurts you more as well. Whether the lawyer needs to be on a retainer is a
separate item. If you need a cybersecurity lawyer, do you need them that day or
a few days later? It seems like in most cases you can wait a couple days as you
should be spending Day 1 (and probably Day 2+) determining what was hacked and
how. So, instead of investing in a retainer for a lawyer, you should probably
invest in the right people or equipment that help you determine how you were
breached. Check out this whitepaper for more information - https://www.ixiacom.com/resources/white-paper-architecting-security-resilience.

For a company that wants to be prepared and proactive, then it's definitely a good idea. I doubt many organizations fit into this category though.

I would say yes. You want a specialized lawyer who knows this area in great detail. It only makes sense to hire someone with the correct skill set. Would you want a personal injury handling your divorce? Of course not. You want someone who asks the right questions and can protect your company's digital assets. Having one permanently on staff may not be cost effective, but have someone you can trust when needed and fast. You don't want to have to wait a week for them to be available.
