There are now more operational devices in the world than people, and each device is a potential way in to your systems for hackers, whether they are government spies, commercial cheats, or just vandals. It’s as if your house suddenly has not just a back door and a front door but ten more new doors, with people you don’t even recognise coming and going all day and all night.
When lawyers advise on cybersecurity, they’re not focussing on the IT aspects like making sure you have a good password or that you remember to shield your screen. Instead, we focus on how to reduce legal risk, and what your obligations, liabilities and rights are. Organisations must have a framework for how they deal with both attempted and successful cyber-attacks.
To add to the complexity, globalisation of commerce means that you are probably now dealing internationally, and since some countries have stricter regimes than Britain, you might be exposed not just to the usual fines or disqualifications if you get cybersecurity wrong, but even to criminal sanctions. For example, China has a strict state secrecy regime. If you don’t handle information properly, you might be accused of criminal breach, so it is worth getting advice that relates to each jurisdiction.
Types of cybersecurity threats include ransomware, malware, the stupidly-named “social engineering,” phishing, and others. Lawyers would typically look at risk from a holistic viewpoint, and so the relevant lawyer might be an expert in data privacy, or financial services regulatory, or corporate crime and investigations, or employment; they might not even be a UK lawyer.
There are effectively three main types of cybersecurity advice:
1. Risk management
Planning for cyber risk reduces the likelihood of a problem occurring in the first place. Lawyers can help with regulatory compliance, drafting policies and procedures for your employees, contractor vetting, contract review, data protection compliance and policies.
Cybersecurity issues also affect other fields of legal advice, such as mergers and acquisitions, joint ventures, projects, outsourcing and cooperation contracts.
This includes, for example, ensuring cybersecurity is part of due diligence and contractual negotiations in a transaction and, in relation to projects, ensuring that the contractual framework put in place reinforces security by design.
3. Crisis management
When there has been an incident, lawyers investigate and coordinate the response in conjunction with internal or third-party technical incident response teams. In some cases we would work with both PR consultants and IT professionals. Lawyers cannot and should not handle these incidents by themselves, but then it is equally important not to let IT or PR people act by themselves, as they can inadvertently become risk centres themselves.
Lawyers advise on and manage regulatory notifications and reporting, liaising with data protection authorities and with law enforcement as appropriate, as well as managing communications with affected third parties and the media. This reduces the risk of litigation.
Well-run companies are fully aware of the importance of good advice in all aspects of cybersecurity, and we are proud to have worked with our clients and service providers in many sectors in all of the above disciplines, including, more recently, legal issues arising from use of the cloud in multiple jurisdictions.