The increased regulation of data privacy and cybersecurity is only half the reason in-house legal should help ensure their organizations are serious about breaches; the other half is the expectation of business partners who increasingly won’t do business with companies that don’t have protections in place, Otterbourg Partner Erik Weinick says.
“Companies are being forced by contractual provisions,” Weinick told Legal Dive. “If they are a small company but are doing business with a large company, as a condition of doing business with them they have to change what they’re doing from a privacy or security standpoint.”
Small and mid-sized companies are starting to get that message, said Weinick, co-founder of his firm’s data privacy and cybersecurity practice group. Until recently, many companies thought that because they’re small or don’t typically hold sensitive information, they’re not a target of threat actors, and even if they are, there’s little they can do to prevent an incident given that large companies that invest heavily in security still get breached.
“‘Look at all these big companies that spend tens or hundreds of millions of dollars a year on security and still get attacked,’” he said, sharing the thinking of some companies. “‘Why should I bother? I’ll just deal with it.’”
Weinick encouraged counsel who don’t have the resources to add in-house technical and legal expertise to start with outside counsel to boost their privacy and security posture. The outside firm will bring to the company well-established relationships with insurance companies, technical specialists and law enforcement agencies.
This network can apply lessons learned from incidents it has worked on to preventive efforts and, should an incident occur, to a tightly scripted response that can lessen the impact.
“There’s still a misconception out there that, depending on the type or size of the organization, it’s not going to happen to them or if it happens they’ll deal with it or be covered by their general insurance policy, so most of our calls are from people who are unprepared,” Weinick said.
Outside counsel can also help ensure internal communications about privacy and security stay confidential in the event there’s an incident and plaintiffs’ attorneys try to get those communications in discovery.
“If all the information flow is going through that counsel in coordination with the general counsel, that increases the likelihood that a privilege may be maintained,” he said. “Some business folks think, as a matter of course, that if they copy the inside counsel on every piece of correspondence, it becomes magically privileged even though it’s an ordinary-course business communication. It has to be actually protectable information. It can’t be that just copying certain people makes it privileged.”
To improve the likelihood that privilege attaches, communication about technical and finance matters related to privacy and security should be tied to the general counsel or outside counsel providing legal advice.
For example, if outside counsel recommends a security measure that the internal finance team hesitates to authorize because of cost, the back and forth about that is likely to be privileged if the in-house counsel weighs in on what to do from a legal standpoint.
“If the in-house counsel says to the board or whoever the ultimate decision-maker is … my ultimate recommendation is that it’s a necessary expense [based on what our outside counsel says], that should be protected,” he said. “What the in-house counsel has done there is collected information to inform legal advice they’re giving.”
What you don’t want is internal communication, outside of a privilege context, in which the company decides, perhaps for budget reasons, not to implement a costly security measure recommended by outside experts.
“You don’t want to have an email from, say, an outside technical expert that went to an inside technical expert that says you should do x, y and z, and that inside technical expert sends that to the budgeting office and they say it’s not worth it,” he said. “And then the attack winds up preying on the exact vulnerability. That just provides a road map to the plaintiffs’ attorney as to what you could have done but failed to do to prevent the attack.”