I heard that some industries, such as financial and healthcare organizations, are starting to keep cybersecurity lawyers on retainer. With so many different security practices and standards to keep up with, including compliance and privacy policies, it sounds like a good idea. Before we spend the money on a cybersecurity lawyer or law firm, do you think it's necessary? And if so, what enterprise issues should they focus on?
Internal legal teams are becoming increasingly educated in cybersecurity, but they will still call on cybersecurity lawyers for assistance when a security incident occurs. The threat of security breaches constantly grows in frequency and complexity, so it is no wonder that enterprises are starting to hire cybersecurity lawyers or keep them on retainer. But is this really necessary? It may not be necessary to hire a cybersecurity lawyer for the organization, but keeping one on retainer is probably a good idea.
An attorney retainer is an estimated amount of money that an attorney believes will cover the costs of legal representation in the event of a breach. The money is held in a noninterest-bearing account and the lawyers pay themselves with it for billable hours throughout the litigation process.
Retainer fees are also used when a client needs to hire an attorney for a long-term relationship. For example, companies can have cybersecurity lawyers on retainer in the event of a breach or cybersecurity incident in the course of the business' everyday work. Cybersecurity attorneys need a sufficient retainer to be called upon when needed, but it doesn't need to cover an entire litigation -- whether or not that will be necessary cannot be determined until the security breach or major incident occurs. The attorneys kept on retainer for these cases need to be specialists in cybersecurity and have experience in possible breaches that could occur within the specific industry and enterprise. This type of retainer provides a less expensive alternative to hiring an in-house legal team specializing in cybersecurity.
Issues that cybersecurity lawyers can assist with include:
- Cybersecurity insurance coverage: Since cybersecurity insurance companies are limiting coverage because of recurring breaches, and are now questioning whether due diligence was taken by the enterprises as part of the insurance policy, a cybersecurity specialist can help ensure the company has sufficient insurance coverage.
- Cybersecurity breach: When a breach occurs, cybersecurity lawyers can determine what recourse the enterprise has for litigation against the perpetrator, communication with stockholders and customers, possible legal and regulatory violations, and guidance on dealing with media relations.
- Cybersecurity forensics: Cybersecurity forensic professionals typically know how to manage the chain of evidence, but eventually a cybersecurity lawyer needs to determine how to use this evidence for possible litigation.
- Cybersecurity lawsuits: This includes situations where the enterprise is alleged or proven to have mishandled, or been negligent in protecting, customer information or assets.
- Cybersecurity executive protection: Due to certain laws and regulations, enterprise executives, including the CISO, bear personal liability for breaches and major cybersecurity incidents. Cybersecurity lawyers can provide assistance in limiting their liability and possible litigation.
Cybersecurity law firms engage subject matter experts in cybersecurity forensics, cybersecurity laws, media relations and liability insurance. In light of recurring and ever-increasing data breaches and regulatory requirements, having cybersecurity lawyers either on retainer or on staff is becoming a normal matter of doing business.