
Cybersecurity Practices Booming In Era of the Breach

By Gina Passarella and David Gialanella
February 28, 2015

The cybersecurity woes of companies like Target and Sony in 2014 and Anthem last month have meant a busy start to 2015 for law firm data-privacy and security practices.

“After all of the headline data breaches of 2014, you have boards of directors and CEOs and general counsel asking the question, 'Are we ready for something like that?'” asks Gregory Parks, co-chairman of Morgan, Lewis & Bockius' 85-attorney privacy and cybersecurity practice.

Law firms have been preparing for several years to assist clients with data security needs, with several touting practices in a space that blends traditional legal experience in the corporate and litigation arenas with technical acumen.

Parks said his firm has seen “a huge uptick” in calls from clients looking to make sure they are protected against a breach and prepared to respond if one does happen.

“I think this year, between Target at the front end and Sony at the back end, 2014 changed awareness of these issues and made them issues that the public thinks about now,” says Dechert partner Vernon Francis, a member of the firm's cybersecurity and data privacy group.

Not Just Retail At Risk

And when the general public is aware of an issue, it creates all the more urgency for companies, which rely on the public's business, to make sure they are protecting the data they have.

But as the Sony hacking situation showed, it isn't just companies in the retail or financial services space that are targets for a breach.

Morgan Lewis has traditionally focused its privacy practice in the financial services, retail, health care, energy and hospitality and travel industries. But Parks said that, unlike 10 years ago, “cybersecurity is absolutely an issue for every company.”

Getting every company's buy-in, however, can be a challenge.

“The real issue that general counsel confront ... is often [having] a hard time about getting C-suite buy-in before there is a problem,” says Scott Vernick, head of Fox Rothschild's privacy and data security practice. “'Why should we bring in Fox, we don't have a problem?'”

Creating Response To Data Breach

But increasingly, Fox Rothschild is being called on to help clients be prepared to respond to a breach if one does occur, Vernick says. While many firms have focused on putting data security policies in place for clients, creating incident response plans has been a growing part of Vernick's practice, he says.

Creating such a plan requires teamwork between the company's IT department or an outside tech vendor and guidance from the law firm.

“There's certainly been a growth in this [practice] area at every level,” but many companies, especially in unregulated industries, are “not so much focused on this,” says Fernando Pinguelo, chair of the cybersecurity and data protection practice at Scarinci Hollenbeck's Ocean, NJ, office.

“It's unfortunate because there are simple steps that can be taken to line up the right people,” Pinguelo added. “Businesses need to do more than just talk about this. ... They want to be able to pick up the phone and get a human being who is able to orchestrate what their next steps are.”

Vernick says he will often start by showing a client a letter from a multistate attorney-general investigation sent to a company and say, “Here are the questions you will be asked when there is a breach. Are you ready to answer the questions? If you are not ready, we'll get you ready.”

Clients have long had incident response plans, but they are focused on the IT response and often not understood by or applicable to a compliance officer or general counsel, Vernick says. Fox Rothschild has created templates that it will customize for each client, according to Vernick.

“What do you have, who has access to it and how long are you keeping it. That's what we build our plans around,” Vernick says. “You can't be ready to respond without knowing those answers.”

Parks says there is a growing recognition that incident response plans are no longer housed solely in the IT department, but are a collaborative effort between IT, legal, and a company's public relations arm.

Law Firm Practices

A law firm's practices are also collaborative. Blank Rome litigation partner Steven L. Caponi differentiates between the traditional data-privacy practices many firms created to ensure companies were in compliance with laws like the Health Insurance Portability and Accountability Act and the focus of a cybersecurity practice.

Blank Rome had a data privacy practice for years and created its cybersecurity group less than two years ago. Caponi says his interest in the practice developed from his work in Delaware representing corporate boards. He began immersing himself in all he could about cybersecurity.

Scott Christie, a partner in Newark, NJ-based McCarter & English's cybersecurity and data privacy practice, says: “The lawyer who's coordinating [cybersecurity work] needs to walk the walk and talk the talk. ... It's vital for an attorney who professes to do cybersecurity work to have not only the legal background, but the technical background.”

A lawyer in that practice has to be able to understand the conversations he is quarterbacking between the legal and technology professionals, Caponi says.

Creating a cybersecurity practice from scratch isn't easy, and Caponi says firms should play to their existing strengths. Blank Rome does a lot of work in the maritime industry and has a big corporate governance practice, so those are two areas that dovetail with the firm's cybersecurity work, he says. The firm also focuses on data breach response and has a team that works with its M&A group.

Fox Rothschild splits its practice between pre- and post-breach work but has additional sub-focuses as well. The practice has a blog for general cybersecurity issues and a separate one for the health care industry, for example. And it created an app, Data Breach 411, detailing the different state data-breach notification laws.

Some practices, like Caponi mentioned, include a focus on M&A work.

“I see very few contracts anymore that have the appropriate security breach indemnifications,” says Duane Morris partner Sandra A. Jeskie. Jeskie heads up the firm's information technologies and telecommunications practice, which houses its cybersecurity practice. She is also a recent past-president of the International Technology Law Association (ITechLaw).

Jeskie says it is important to have a lawyer who knows about data privacy issues involved in contract negotiations. Contracts aren't often explicit about who will pay for what if a breach occurs and businesses assume the contract's general indemnification clause will cover it. But Jeskie said that indemnification clause usually doesn't kick in until there is litigation.

And as Vernick pointed out, the cost of a breach before litigation even occurs has been estimated to be upwards of $200 per record compromised. That cost includes the notification requirements outlined across some 47 disparate state laws covering data breaches.

Jeskie says she had a client forced into bankruptcy over the costs of a data breach.

Preventing a breach has cost companies money not just on outside counsel, but in-house staff and technology as well.

Parks says, however, that good data privacy is an asset for companies that garner good will, particularly from the most sophisticated of business consumers, when they are perceived as taking this issue seriously.

“This really is the case where an ounce of prevention is worth many, many pounds of cure,” Parks says.

But he warns companies not to ease up on their efforts once a plan is in place.

“It is absolutely a constantly evolving thing. This is something that every company needs to work on constantly, all the time. You can never say, 'OK we are done with cybersecurity,'” Parks says. “I liken it to the old boardwalk game Whac-A-Mole. Everything pops up and you have to hit it.”

While the headlines that got the world's attention last year involved hacking from external, sometimes foreign, sources, Jeskie says she is shocked at how often companies overlook the biggest threat: their own employees.

Jeskie says there is a “huge gap” in compliance when it comes to inadvertent disclosures, such as a laptop left in a cab or accidentally sending confidential records to 10,000 e-mail recipients instead of one. Those things implicate data-breach notification laws too, she said.

States are becoming increasingly proactive about their data privacy laws and many cover different types of information. There is a push for federal legislation in this area. It even got a mention in President Obama's latest State of the Union address. But the legislation as it is now proposed, lawyers said, includes a preemption exception that would allow many state laws to co-exist with any federal rules.

“Whereas the point of federal law was to make it so you only had to comply with the one law, the preemption issue is going to make it even harder,” says Dechert partner Timothy Blank, co-chair of the firm's cybersecurity and data privacy practice.

The work in this space promises to continue and looks to become increasingly complex.


Gina Passarella is a Senior Staff Reporter for The Legal Intelligencer. She can be contacted at [email protected] and on Twitter @GPassarellaTLI. David Gialanella is a Reporter for the New Jersey Law Journal. Both publications are ALM siblings of e-Commerce Law & Strategy.

