Legalweek 2024: How to traverse the treacherous cyber terrain? Start by keeping it simple

Zach Warren  Senior Manager / Legal Enterprise Content / 成人VR视频 Institute

· 7 minute read

Panelists at Legalweek explained that cyber-threats may be more complex than ever, but tackling them begins with some common organizational mantras: awareness and communication

NEW YORK – The cybersecurity landscape is seemingly changing by the day. There are new regulations to follow, everywhere from the United States and the European Union to Chile and Australia. New cyber-threats and increasingly sophisticated attacks put pressure on businesses and firms to beef up their cyber capabilities, and all of this occurs against the backdrop of a global business landscape that promises both economic and political challenges.

How can lawyers and IT personnel keep up with the cyber-threat onslaught? It starts with a simple mantra: Nail the basics.

At the Navigating the Cyber Threat Terrain: Cybersecurity, Privacy and Legal Sector Focus panel during Legalweek this week in New York City, cyber-attorneys and experts from companies and law firms assembled to share their advice and experience on how to keep up with emerging threats.

Always aware of everything

One of the biggest challenges, the panel noted, is simply staying aware of the mass of cybersecurity and privacy rules and regulations, particularly for organizations that operate on a global scale. Panel moderator Manny Sahota, Director for Global Cloud Privacy, Regulatory Risk & Compliance at Microsoft, noted that while everyone may have focused on rules coming out of the EU and US recently, simultaneously, Chile updated its security regulations for the first time since 1999.



It’s a lot to follow but also next to impossible to predict, agreed Daniel Ostrach, Senior Corporate Counsel at Microsoft. “One of the hardest things for us to do is anticipate the way that regulators are thinking – but we can’t run our business based on yesterday’s regulation,” he explained. However, in today’s climate, just following the regulation “is the bare minimum, that’s table stakes.”

Sabrina Ceccarelli, Global Vice President and Assistant General Counsel of Commercial at Lightspeed Commerce, gave the example of one recent privacy regulation: Quebec’s Law 25, which is more similar to the EU’s General Data Protection Regulation (GDPR) than other Canadian privacy laws. Without enough privacy staff to keep up, her team turned to the privacy resources they did have: “We do as much rinse and repeat as we can.” They looked at areas such as training in which they already had pre-established guidance, then updated rather than reinventing the wheel.

Even once the legal and IT teams are able to understand the situation, however, there remains the issue of getting others in the organization to care. Joseph Lee, Director for Information Security & Compliance at law firm Arnold & Porter, said that his most effective method is simple: “Bombard people over and over and over.” Constant reminders and messaging from multiple sources such as town halls help people realize that cybersecurity is not a set-it-and-forget-it proposition, Lee said. “If you just do an annual training, it’s not bad, you check a box, but that doesn’t keep it top of mind.”

From the technology standpoint, Rachi Messing, Co-Founder of startup Altorney, also noted that legal has an opportunity to work with engineering to make sure privacy and security are evident in everything they do. For instance, Messing noted that every development ticket or feature request at the company has a mandatory security and privacy analysis. That analysis is “not just a check box,” he said, but forces tech teams to think through potential impacts and why they occur. “That really does force a focus in the culture of, How are we focusing on security? How are we focusing on privacy in everything that we do? Otherwise, that’s how you find yourself on the front page of The New York Times.”

Cyber Dungeons & Dragons

Once the awareness has been achieved, then it falls on the legal, IT, and other security and privacy-related teams to execute. Once upon a time, those teams might have all been separate entities, the panel noted, but Messing added: “The truth is, in today’s world, there really can’t be a gap.”

At his startup, Messing said he and his co-founders did not have the ability for a formal chief information security officer (CISO) or privacy team. However, they picked outside counsel based explicitly on the firm’s ability to support the company around security, advise on privacy, and then work with the company’s engineers. “Working together there is the only way that a company is going to be able to succeed,” Messing explained. “If the two sides are feuding with one another… you’re never going to be able to survive in today’s world.”

Lightspeed’s Ceccarelli agreed, noting that the role of the corporate lawyer has changed. She says her legal team’s mantra last year was “We’re building GCs,” noting that for many corporate attorneys, the GC chair is their ultimate goal. However, implicit in that is that “none of us can call ourselves an excellent tech lawyer if we don’t understand privacy.” As a result, her team created knowledge-sharing exercises with continuous updates, which created some ownership and accountability for the legal department to work with the whole enterprise. “Legal counsel can’t just be doing contracts anymore,” she said. “We need to be more than that.”



One way to make sure the organization comes together is through a tabletop exercise, the panel suggested. Lee admitted that “the tabletop exercise may seem like a corporate Dungeons & Dragons sort of thing,” but added that it’s really important to go through potential risky scenarios. “If you don’t have a plan of action, I make an analogy like it’s a kids’ soccer game, everybody is just going towards the ball,” he explained. A tabletop exercise helps answer some basic questions: Who’s doing negotiations? Who’s going to the insurance carrier? Who’s doing communications, and how much?

From there, Ceccarelli suggested making a formal playbook, to make the process memorable and repeatable. The playbook should include engineering and IT, certainly, but it also gives the legal team a seat at the table to help guard against risk and potential worst-case scenarios. “By doing that, you can proceed rather quickly but also mitigating any possible damages from the incident that has occurred,” she added.

Finally, the panel cautioned to make sure that not only is everybody speaking to one another – especially the lawyers – but they are speaking the same language when making these plans. Microsoft’s Ostrach gave the example of a three-page legal memo that might give all of the relevant information on a new regulation but would never be read by engineers “so it’s worthless.” In addition to being a lawyer, today’s counsel need to be “an old-timey phone connector,” making sure that everybody is communicating with one another.

And that goes both ways, Lee of Arnold & Porter added. “If you’re in IT and you’re not regularly talking to your general counsel, you should.” Perhaps the best thing that all parties can do when it comes to privacy and security is a simple trick, he added: “Be proactive in terms of having those conversations.”
