According to a 2020 study conducted by IBM, it takes an average of 280 days to detect a data breach, and the average cost of remedying a breach is a staggering $3.86 million.
If your business is like most businesses, especially in today’s harsh Covid-19 economic environment, the costs associated with a data breach could be ruinous.
Fortunately, with the legal guidance of a cyber law attorney, proactive steps can be taken to avoid becoming the next security breach headline. Contrary to popular opinion, securing your business and being compliant with data privacy laws is not as difficult as it may seem.
Smart Businesses Have a Cyber Law Attorney on Retainer
Most businesses use information technology (IT) systems to store sensitive data and use the Internet to securely connect with their customers and business partners. Cyber law regulates, among other things, businesses’ data privacy and cybersecurity obligations in this regard. For example, there are laws concerning how businesses may maintain, own, or license sensitive data, along with mandates concerning cybersecurity preparedness. Inconveniently, there is no universal standard for data privacy and cybersecurity that businesses can follow. Instead, nearly every U.S. state, along with many other countries, has its own data privacy and cybersecurity requirements.
Luckily, businesses do not have to navigate the complicated world of cyber law alone. A cyber law attorney can help businesses bridge the gap between the complexities of IT governance and the nuances of cyber law. When businesses follow the legal guidance of cyber law attorneys, they are much less likely to become the next security breach headline. This is because cyber law attorneys transform businesses into cultures of security that incorporate security-by-design principles in all aspects of the business. The transformation results in businesses with security and compliance at the forefront of every employee’s mind. However, developing a culture of security, and the benefits that come along with it, does not happen overnight. A methodical process must be followed to get (and keep) an organization in a secure and compliant state.
The remainder of this post will explore the data privacy and cybersecurity lifecycle proposed by The Law Office of Maes, Ltd. This lifecycle will reveal the specific legal services that businesses should employ in their everyday operations. Finally, information concerning the recommended background and experience of cyber law attorneys will be discussed. Practitioners of cyber law require specific skillsets to be effective.
What Does a Cyber Law Attorney Do?
The lifecycle of getting a business legally secure and compliant with data privacy requirements is exhaustive, but well worth it. When, not if, cybersecurity incidents occur, businesses that take the time to prepare for the worst will be able to weather any storm. Businesses that do not take their security and compliance obligations seriously will have a much tougher road ahead.
Please note that the list of cyber law practice areas below is not exhaustive, nor are the practice areas described intended to provide legal advice. Rather, the goal of this post is to help business leaders better understand the lifecycle of data privacy and cybersecurity as it relates to cyber law. For additional information concerning any of the practice areas, click on the corresponding heading.
The number one mistake business leaders make is trying to reinvent the wheel of best practices for information systems security. Rather than attempting to develop a comprehensive security plan from scratch, businesses can adopt one of the cybersecurity frameworks that are readily available.
A cyber law attorney knows how to align businesses in specific industries with the cybersecurity framework that was intended for them. Notably, some businesses are required to adopt cybersecurity frameworks. For example, if a company does business with the federal government, the company is obligated to follow the National Institute of Standards and Technology (NIST) cybersecurity framework. Moreover, companies that do business in California may, depending on their operations, be required to implement reasonable security measures in accordance with California law. California has deemed security reasonable if businesses adopt the Center for Internet Security (CIS) Controls cybersecurity framework. The list goes on.
The first crucial step every business should take is adopting a cybersecurity framework that is appropriate for the business. A cyber law attorney can provide the legal guidance necessary to make this determination. Furthermore, once the framework is chosen, the attorney can work with the business to ensure the framework is successfully implemented.
Businesses that collect data considered “sensitive” may have to comply with domestic and / or international laws concerning personally identifiable information (PII) and / or protected health information (PHI). As previously mentioned, in the U.S. there is no universal data privacy law that applies to all businesses in all industries. Instead, there is a dizzying array of privacy laws that depend upon a business’ geographic location and industry.
For example, healthcare entities must comply with the Health Insurance Portability and Accountability Act (HIPAA) for patient medical records and the Health Information Technology for Economic and Clinical Health Act (HITECH) for digital records. Similarly, financial institutions must comply with the Gramm-Leach-Bliley Act (GLBA) regarding their customers’ financial data.
Beyond industry, businesses can also be subject to the data privacy requirements of individual states or other countries. Unsurprisingly, the laws, rules, and regulations of states and countries are not uniform. Some laws require businesses to give consumers the option to “opt in” to their data being collected, whereas others require businesses to give consumers the option to “opt out.” Moreover, some privacy laws prohibit certain types of data from being collected altogether. Hence, the varying requirements for when and how data can be collected, based upon a consumer’s residency, can get very complicated. Consequently, developing websites and applications with a national or international presence can be a challenge.
In addition to what data can be collected and how it must be stored, data privacy laws also control who needs to be notified in the event of a breach. For example, in Colorado, if consumers’ PII data is exposed in a breach, businesses must provide detailed information concerning the breach to the affected consumers. If more than 500 consumer records are affected, businesses have a duty to notify the Colorado Attorney General’s office as well. Other states and countries have their own notification requirements, too. Thus, if a business experiences a data breach that affects consumers in every U.S. state and abroad, a lot of notification requirements are triggered.
Businesses that fail to comply with data privacy laws could run afoul of regulatory requirements and be subject to crippling fines. Additionally, in the event of a breach, the failure to abide by the law could be construed as prima facie evidence for consumers seeking damages in court. No business wants to be in this position. So, you may be wondering, how can cyber law attorneys help?
Cyber law attorneys work with businesses to determine their data privacy obligations by conducting a thorough examination of business operations. Questions such as the following can assist a cyber law attorney in determining which data privacy laws a business needs to comply with:
- What data is being collected?
- Why is this data being collected? Is the data necessary for business operations?
- Does the business’ website or app give consumers the option to opt in to their data being collected? Depending on the residency of the consumer, should it?
- Does the business’ website or app give consumers the option to opt out of their data being collected? Should it?
- How can consumers request for the business to disclose the data that has been collected about them and / or request its destruction?
- Where is the consumer data stored? The U.S. or abroad?
- Who is responsible for storing the data? The company itself, or a third-party vendor like Amazon Web Services?
- Is consumer data passed to different business entities in separate countries? If so, are international laws like GDPR being followed?
- How is the stored data secured? Encryption, anonymization, etc.
As these questions indicate, a lot of work goes into determining which data privacy laws a business must comply with. The process is exhaustive but well worth it, especially for data privacy officers who value a good night’s rest.
Many business leaders are unaware that data privacy laws require comprehensive privacy policies for websites and applications. Additionally, some companies like Google require robust privacy policies if businesses want to leverage tools like Google Analytics. Despite these mandates, many businesses either have no privacy policies at all, or copy other businesses’ privacy policies and make them their own. Both actions are big mistakes that could have costly ramifications.
There are four primary reasons businesses need to provide end users of their websites and / or applications with privacy policies:
First, businesses need to inform the end users of what data is being collected from them. It could be as simple as identifying information collected on a contact form (name and email), or more advanced information like IP addresses, website navigation, and referring websites.
Second, businesses must provide end users with an explanation of why this data is being collected. In the circumstance of a contact form, the reason for the data collection is to establish communication.
Third, depending on geographic location, businesses must explain what rights end users have to the data collected about them. These rights include whether the end user can access the data gathered about them and whether the data can be destroyed upon request.
Fourth, businesses should specify how the data collected from end users is secured – generally. Businesses do not want to divulge too much information in this regard, since malicious actors could exploit more specific information.
Securing the internal operations of a business and getting data privacy governance in order is only one part of the equation. Most businesses, if not all, rely on third-party information technology (IT) service providers and vendors. Many of these IT services can directly impact an organization’s security posture, along with an organization’s data privacy obligations.
For example, many businesses outsource data storage, credit card processing, and customer relationship management (CRM) services to third parties. If these external parties experience a security breach, each of their customers will in turn vicariously experience a breach. It may seem unfair, but legally, the businesses that relied upon these third parties to secure their sensitive data could be held responsible. Why? Because businesses have a duty to ensure that sensitive data entrusted to them remains secure, even after it is handed to a recipient. How is this accomplished? By contractually making sure third parties have sound security practices in place before their services are utilized.
Cyber law attorneys are trained to not only understand how technologies work, but also how technologies should be secured. This insight is invaluable in the IT contract review and negotiation process. For instance, if a service provider’s IT contract does not specify that data will be encrypted in transit and at rest, this is a potential vulnerability. The remedy is to add a clause to the contract requiring encryption. If the service provider cannot comply, the service provider should be avoided like the plague.
Furthermore, when service providers and vendors do not live up to their end of the bargain, it is sometimes necessary to terminate the respective agreement. Whether service level agreement (SLA) metrics are not met, or other adverse events occur that justify termination, cyber law attorneys can help cancel the contract.
Accordingly, when dealing with third-party IT contracts, security can be achieved by having a cyber law attorney review and negotiate the documents. Additionally, when service providers or vendors are in breach of their contractual obligations, cyber law attorneys can assist with termination of the agreement.
After a business has implemented a cybersecurity framework and is compliant with data privacy laws (internally and externally), the next big action item is the development of a cybersecurity incident response plan (CSIRP). A CSIRP is an all-encompassing document that provides a roadmap for a business to follow when cybersecurity events, incidents, or breaches occur. At its core, a CSIRP provides a business with a methodical plan to respond to any type of security occurrence.
For example, common components of a CSIRP include the following:
- Security Classification Scheme – What constitutes a security event, incident, or breach? Should there be tiers of severity for each classification?
- Organizational Contacts – Who needs to be engaged when security occurrences arise? Should there be an escalation path?
- Detection and Analysis – Which security tools will an organization utilize to detect and analyze security occurrences?
- Investigation, Containment, and Mitigation – Depending on the type of security occurrence, what are the business’ approved processes to gather evidence and stop an attack?
- Recovery and Notification – What should the business do to learn from the security occurrence to avoid its reoccurrence? Are there data privacy laws that were triggered requiring notification to consumers and / or regulators?
- External Resources – Should the locations of external documents be referenced in the CSIRP? For example, playbooks or business continuity and disaster recovery plans.
Importantly, as this list of CSIRP components should make evident, there are no cookie cutter CSIRP templates available. Because every business is different, CSIRPs need to be customized to align with a business’ unique resources and varying levels of IT sophistication. Conveniently, cyber law attorneys have the legal and technical know-how required to develop CSIRPs for every type of business.
As alluded to in the CSIRP section, businesses should have business continuity and disaster recovery (BCDR) plans. These plans are crucial. They prepare businesses to overcome business-impacting service disruptions or full-scale disasters. Hence, when worst-case scenarios are realized, while other businesses are scrambling to stay afloat, businesses with BCDR plans know exactly what to do.
Common illustrations of what BCDR plans address are as follows:
- Maximum Tolerable Downtime (MTD) – How long can an essential business service be down before the business is negatively affected?
- Recovery Point Objective (RPO) – When services fail, what is the maximum amount of data that can be lost before business is negatively affected?
- Recovery Time Objective (RTO) – When services fail, what is the anticipated amount of time required to get applicable services back up and running?
- Cross Training – To ensure one person is not entrusted to perform a critical task in the event of an emergency, who else is available and trained to perform the same task?
- Rollback Procedures – If business operations are impacted by a faulty software update, what are the procedures and processes to roll back to a prior software version?
- Alternate Locations – If a data center or corporate building is entirely lost due to a natural disaster, or some other destructive force, does the business have alternative locations to fall back on? For example, backup data centers, backup cloud computing environments, or standby office facilities.
Like CSIRPs, there are no cookie cutter templates available for BCDR plans. These plans must be customized in accordance with the people, resources, and processes utilized by the respective business. Cyber law attorneys have the technical and legal knowledge necessary to develop these crucial plans.
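The metrics listed above only work as a plan if they are consistent with each other and with how recovery actually operates: a recovery time objective longer than the maximum tolerable downtime, or a backup schedule coarser than the recovery point objective, means the written plan cannot deliver what it promises. The following script, an added example that is not from the original post or from The Law Office of Maes, Ltd., checks a constructed service inventory against those relationships; the service names, figures, and the `Service` and `assess_service` helpers are all assumptions made for illustration.

```python
"""Consistency checks for BCDR planning metrics (MTD, RPO, RTO, cross training).

Added illustrative example. The service inventory at the bottom is constructed
sample data, not a real business's plan.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    mtd_hours: float              # Maximum Tolerable Downtime
    rpo_hours: float              # Recovery Point Objective (acceptable data loss window)
    rto_hours: float              # Recovery Time Objective (planned time to restore)
    backup_interval_hours: float  # how often a restorable copy is actually taken
    trained_staff: list = field(default_factory=list)  # people able to execute recovery


def assess_service(svc: Service) -> list:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings = []
    # The planned recovery must complete before the outage becomes damaging.
    if svc.rto_hours > svc.mtd_hours:
        findings.append(
            f"{svc.name}: RTO {svc.rto_hours}h exceeds MTD {svc.mtd_hours}h"
        )
    # Data loss can never be smaller than the gap between restorable copies,
    # so the backup cadence bounds the RPO that can actually be honoured.
    if svc.backup_interval_hours > svc.rpo_hours:
        findings.append(
            f"{svc.name}: backups every {svc.backup_interval_hours}h "
            f"cannot satisfy RPO {svc.rpo_hours}h"
        )
    # Cross training: a single trained person is a single point of failure.
    if len(svc.trained_staff) < 2:
        findings.append(
            f"{svc.name}: only {len(svc.trained_staff)} person trained for recovery"
        )
    return findings


def assess_plan(services: list) -> dict:
    """Map each service name to its findings so gaps can be reviewed per service."""
    return {svc.name: assess_service(svc) for svc in services}


# Constructed sample inventory (hypothetical services and figures).
SAMPLE_SERVICES = [
    Service("order-db", mtd_hours=8, rpo_hours=1, rto_hours=4,
            backup_interval_hours=0.25, trained_staff=["ana", "bo"]),
    Service("email", mtd_hours=24, rpo_hours=4, rto_hours=36,
            backup_interval_hours=24, trained_staff=["cy"]),
]

if __name__ == "__main__":
    for name, findings in assess_plan(SAMPLE_SERVICES).items():
        print(name, "OK" if not findings else findings)
```

Running the script reports the constructed "order-db" service as consistent and flags "email" three times: its RTO exceeds its MTD, a daily backup cannot honour a four-hour RPO, and only one person is trained to recover it. The same checks apply to any inventory of services you build in the same shape.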
Once a business has established organizational resiliency by following the cybersecurity and data privacy lifecycle outlined in this post, the final step is training. After all, if the CSIRP and BCDR plans developed by an organization gather dust in a storage room, the efforts to develop the documents were useless. The only way documents such as these remain viable is with recurring training exercises. Appropriately, two of the most popular training exercises are known as red team vs. blue team and tabletop exercises.
Red team vs. blue team exercises entail pitting members of an organization’s IT team against each other. The red team is tasked with uncovering and exploiting known and unknown vulnerabilities in the business’ IT infrastructure. Vulnerabilities are usually exposed with port scanners bundled in Kali Linux or with other advanced penetration testing methodologies.
Conversely, the blue team is tasked with defending the organization. Specifically, their job is to successfully detect the red team’s efforts and mitigate them. Throughout the exercise, the business’ CSIRP and corresponding documents such as playbooks and BCDR plans should be utilized. A playbook is a document developed by a business that provides step-by-step instructions for responding to an anticipated security threat. Ultimately, the goal of the exercise is to ensure the blue team has the documentation required to successfully respond to the threat posed by the red team.
Similarly, tabletop exercises also utilize a business’ CSIRP, BCDR, and playbook documentation. However, unlike red team vs. blue team exercises, tabletop exercises do not involve the use of technologies. Rather, the exercise is based on roleplaying. For example, common tabletop exercises include members of the cybersecurity incident response team (CSIRT) gathering around a table. Prior to or during the meeting, cybersecurity threats the business could face are devised. Subsequently, the CSIRT will discuss each of their roles and responsibilities concerning how the cybersecurity threats would be mitigated and remediated. These roles and responsibilities should be clearly documented in the CSIRP, BCDR, and / or playbooks.
When red team vs. blue team or tabletop exercises are performed, a cyber law attorney should be present. The attorney can help the business understand whether there are weaknesses in its plans. Because technologies and attack vectors are constantly evolving, CSIRPs, BCDR plans, and playbooks must evolve too. Otherwise, when they are needed most, they could prove to be useless. Moreover, depending on the type of exercise, the cyber law attorney can also provide feedback on when data privacy notifications would be triggered.
Even with the best people, processes, and technologies, security breaches can and do occur. Whether it is because of a zero-day exploit that no one has seen before or because of a careless employee, there is nothing a business can do to be 100% secure. By following the data privacy and cybersecurity lifecycle outlined in this post, however, a business can get close.
Nevertheless, when security breaches occur, businesses that have adopted a culture of security can overcome any obstacle. These businesses have the documentation and training required to mitigate and recover from attacks. They also have processes and procedures to learn from the attack and stop it from reoccurring.
Conversely, when businesses do not have the people, processes, and technologies available to respond to security breaches, they are in for a world of hurt. They will be forced to piece together the data privacy and cybersecurity lifecycle outlined in this post on the fly. Needless to say, the business leaders responsible for the organization will have their work cut out for them. Work that should have been done months – if not years – beforehand will have to be completed in days.
From a legal perspective, the costs of representation for a security breach will vary depending on how well the organization has prepared. If a cyber law attorney has worked with a business to implement organizational resiliency with a comprehensive data privacy and cybersecurity foundation, costs will be much less compared to an organization that has done nothing.
Cyber law attorneys do everything in their power to avoid litigation. However, sometimes, it is unavoidable. Businesses commonly require cyber law litigation representation under one of two circumstances: either the business is suing or being sued. Lawsuits are filed against businesses when there are allegations of data privacy or cybersecurity impropriety. Likewise, businesses sue when they are seeking injunctive relief or damages against individual(s) or business(es) for cybercrimes.
In either circumstance, businesses are advised to retain cyber law counsel that has both familiarity with the technology at issue and litigation experience. Since very few judges and jurors have technical backgrounds in IT, it is up to the cyber law attorney to make complicated IT issues comprehensible. This is achieved by breaking down complex subject matter into simple concepts that laymen can understand. Clearly, cyber law litigators can only make complex subject matter appear simple in briefs, oral arguments, and summations when they fully understand the IT at issue.
Ideally, you now have a much better perspective of what cyber law entails, along with the types of legal services that cyber law attorneys provide. Let us now discuss the background and experience that effective cyber law attorneys should possess.
Cyber Law Attorney Background and Experience Overview
Importantly, states like Colorado do not certify lawyers as specialists in any field of law. This means that any duly licensed attorney in Colorado can practice cyber law. However, in whatever field of law attorneys choose, they have a legal and ethical duty to be competent. Being competent in cyber law, in this author’s opinion, requires technical expertise with IT and a thorough understanding of domestic and international data privacy laws.
In this author’s opinion, technical expertise with IT can be demonstrated by cyber law attorneys in three ways:
First, by obtaining a degree in computer science or information technology from a reputable educational institution. However, the degree should be commensurate with modern technologies. Since technologies change, a degree from 15 years ago, on its own, may not be enough.
Second, by getting hands-on experience with technologies. Many skilled and talented technologists are self-taught. By picking up an instructional book, pursuing online training, or experimenting with a lab environment, an attorney can gain technical competency.
Third, by obtaining contemporary IT engineering certifications. Since most certifications are valid for two or three years, or require ongoing training for renewals, this methodology ensures competency with modern-day technologies.
The methodologies outlined herein to gain technological competency are by no means exhaustive. However, most attorneys that practice cyber law have followed one or more of these paths.
Regarding data privacy competency, in this author’s opinion, cyber law attorneys can demonstrate it in two ways:
First, by performing legal research and attending continuing legal education (CLE) courses oriented towards data privacy. Attorneys have access to a wide range of educational materials in this regard from their own states, other states, and other countries.
Second, by obtaining data privacy certifications. Attorneys can pursue certifications that prove their understanding of domestic and international data privacy laws, rules, and regulations.
Again, this list is not definitive. There are other ways to gain data privacy law competency, but these are two of the most common paths attorneys pursue.
Finally, cyber law attorneys that provide litigation services should have a combination of the skillsets mentioned above, along with litigation experience. As explained in the cyber law litigation section of this post, cyber law litigators have limited opportunities to persuade judges and jurors. To be effective, they must make complicated IT issues simple to understand in both written and oral delivery.
In conclusion, you now possess the knowledge of what a cyber law attorney is and why your business needs one. Furthermore, you have been provided with a data privacy and cybersecurity lifecycle that describes how your business can achieve security and data privacy compliance. Lastly, you also know what type of background and experience a cyber law attorney should possess.
If you are committed to securing your business, being compliant with data privacy laws, and not becoming the next security breach headline, The Law Office of Maes, Ltd. can help you achieve your goals.
Work with an Experienced Cyber Law Attorney that Knows IT
My name is Chris Maes and I am a Certified IT Engineer and an Experienced Litigator.
I possess industry leading certifications such as the following:
- Certified Information Systems Security Professional (CISSP)
- Amazon Web Services (AWS) Certified Solutions Architect (Professional)
- AWS Certified Security – Specialty
- Cisco Certified Networking Associate Routing & Switching (CCNA R&S)
These engineering certifications demonstrate a mastery of networking, cloud computing, and cybersecurity technologies. Click any of the certifications for third-party validation.
In addition to being a certified IT engineer, I have been an IT consultant to businesses for over a decade. I have hands-on experience with every major technology utilized by businesses. These technologies include voice, networking, cloud, data center, cybersecurity, and managed services solutions.
Regarding data privacy, I publish the continuing legal education (CLE) and continuing professional education (CPE) courses I take to maintain competency. Click here to view these courses.
Finally, I have litigation experience in federal court. With my extensive background in IT, businesses can count on me to effectively communicate to judges and jurors why their legal position should prevail.