igor - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Are cybersecurity lawyers necessary for organizations?

Cybersecurity lawyers can help handle a variety of enterprise security issues, but are they necessary? Expert Mike O. Villegas discusses the potential benefits.

I heard that some industries, such as financial and healthcare organizations, are starting to keep cybersecurity lawyers on retainer. With so many different security practices and standards to keep up with, including compliance and privacy policies, it sounds like a good idea. Before we spend the money on a cybersecurity lawyer or law firm, do you think it's necessary? And if so, what enterprise issues should they focus on?

Internal legal teams are becoming increasingly educated in cybersecurity, but they will still call on cybersecurity lawyers for assistance when a security incident occurs. The threat of security breaches constantly grows in frequency and complication, so it is no wonder that enterprises are starting to hire cybersecurity lawyers or keep them on retainer. But is this really necessary? It may not be necessary to hire a cybersecurity lawyer for the organization, but keeping one on retainer is probably a good idea.

An attorney retainer is an estimated amount of money an attorney believes that will cover the costs of legal representation in the event of a breach. The money is held in a noninterest-bearing account and the lawyers pay themselves with it for billable hours throughout the litigation process.

Retainer fees are also used when a client needs to hire an attorney for a long-term relationship. For example, companies can have cybersecurity lawyers on retainer in the event a breach or cybersecurity incident in the course of the business' everyday work. Cybersecurity attorneys need a sufficient retainer to be called upon when needed, but it doesn't need to cover an entire litigation -- whether or not that will be necessary cannot be determined until the security breach or major incident occurs. The attorneys kept on retainer for these cases need to be specialists in cybersecurity and have experience in possible breaches that could occur within the specific industry and enterprise. This type of retainer provides a less expensive alternative to hiring an in-house legal team specializing in cybersecurity.

Issues that cybersecurity lawyers can assist include:

  • Cybersecurity insurance coverage: Since cybersecurity insurance companies are limiting coverage because of recurring breaches, and are now questioning whether due diligence was taken by the enterprises as part of the insurance policy, a cybersecurity specialist can help ensure the company has sufficient insurance coverage.
  • Cybersecurity breach: When a breach occurs, cybersecurity lawyers can determine what recourse the enterprise has for litigation against the perpetrator, communication with stockholders and customers, possible legal and regulatory violations, and guidance on dealing with media relations.
  • Cybersecurity forensics: Cybersecurity forensic professionals typically know how to manage the chain of evidence, but eventually a cybersecurity lawyer needs to determine how to use this evidence for possible litigation.
  • Cybersecurity lawsuits: This includes situations where the enterprise has been alleged or proven to mishandle or be negligent in the protection of customer information or assets.
  • Cybersecurity executive protection: Due to certain laws and regulations, enterprise executives, including the CISO, bear personal liability for breaches and major cybersecurity incidents. Cybersecurity lawyers can provide assistance in limiting their liability and possible litigation.

Cybersecurity law firms engage subject matter experts in cybersecurity forensics, cybersecurity laws, media relations and liability insurance. In light of recurring and ever increasing data breaches and regulatory requirements, having cybersecurity lawyers either on retainer or on staff is becoming a normal matter of doing business.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Learn the three areas where security pros and lawyers should work together

Find out the best ways for CISOs to work with lawyers

Discover more about the new trends in security vendor liability

This was last published in May 2016

Dig Deeper on Information security laws, investigations and ethics