Panelists at Legalweek explained that cyber-threats may be more complex than ever, but tackling them begins with some common organizational mantras: awareness and communication
NEW YORK — The cybersecurity landscape is seemingly changing by the day. There are new regulations to follow, everywhere from the United States and the European Union to Chile and Australia. New cyber-threats and increasingly sophisticated attacks put pressure on businesses and firms to beef up their cyber capabilities, and all of this occurs against the backdrop of a global business landscape that promises both economic and political challenges.
How can lawyers and IT personnel keep up with the cyber-threat onslaught? It starts with a simple mantra: Nail the basics.
At the “Navigating the Cyber Threat Terrain: Cybersecurity, Privacy and Legal Sector Focus” panel during the Legalweek conference this week in New York City, cyber-attorneys and experts from companies and law firms assembled to give their advice and experience on how to keep up with emerging threats.
Always aware of everything
One of the biggest challenges, the panel noted, is simply staying aware of the mass of cybersecurity and privacy rules and regulations, particularly for organizations that operate on a global scale. Panel moderator Manny Sahota, Director for Global Cloud Privacy, Regulatory Risk & Compliance at Microsoft, noted that while everyone may have focused on rules coming out of the EU and US recently, simultaneously, Chile updated its security regulations for the first time since 1999.
It’s a lot to follow but also next to impossible to predict, agreed Daniel Ostrach, Senior Corporate Counsel at Microsoft. “One of the hardest things for us to do is anticipate the way that regulators are thinking — but we can’t run our business based on yesterday’s regulation,” he explained. However, in today’s climate, just following the regulation “is the bare minimum, that’s table stakes.”
Sabrina Ceccarelli, Global Vice President and Assistant General Counsel of Commercial at Lightspeed Commerce, gave the example of one recent privacy regulation: Quebec’s Law 25, which is more similar to the EU’s General Data Protection Regulation (GDPR) than other Canadian privacy laws. Without enough privacy staff to keep up, her team turned to the privacy resources they did have: “We do as much rinse and repeat as we can.” They looked at areas such as training in which they already had pre-established guidance, then updated that guidance rather than reinventing the wheel.
Even once the legal and IT teams are able to understand the situation, however, there remains the issue of getting others in the organization to care. Joseph Lee, Director for Information Security & Compliance at law firm Arnold & Porter, said that his most effective method is simple: “Bombard people over and over and over.” Constant reminders and messaging from multiple sources, such as town halls, help people realize that cybersecurity is not a set-it-and-forget-it proposition, Lee said. “If you just do an annual training, it’s not bad, you check a box, but that doesn’t keep it top of mind.”
From the technology standpoint, Rachi Messing, Co-Founder of startup Altorney, also noted that legal has an opportunity to work with engineering to make sure privacy and security are evident in everything they do. For instance, Messing noted that every development ticket or feature request at the company has a mandatory security and privacy analysis. That analysis is “not just a check box,” he said, but forces tech teams to think through potential impacts and why they occur. “That really does force a focus in the culture of, How are we focusing on security? How are we focusing on privacy in everything that we do? Otherwise, that’s how you find yourself on the front page of The New York Times.”
Cyber Dungeons & Dragons
Once the awareness has been achieved, then it falls on the legal, IT, and other security and privacy-related teams to execute. Once upon a time, those teams might have all been separate entities, the panel noted, but Messing added: “The truth is, in today’s world, there really can’t be a gap.”
At his startup, Messing said, he and his co-founders did not have the resources for a formal chief information security officer (CISO) or privacy team. However, they picked outside counsel based explicitly on the firm’s ability to support the company around security, advise on privacy, and then work with the company’s engineers. “Working together there is the only way that a company is going to be able to succeed,” Messing explained. “If the two sides are feuding with one another… you’re never going to be able to survive in today’s world.”
Lightspeed’s Ceccarelli agreed, noting that the role of the corporate lawyer has changed. She said her legal team’s mantra last year was “We’re building GCs,” noting that for many corporate attorneys, the general counsel (GC) chair is their ultimate goal. However, implicit in that is that “none of us can call ourselves an excellent tech lawyer if we don’t understand privacy.” As a result, her team created knowledge-sharing exercises with continuous updates, which created some ownership and accountability for the legal department to work with the whole enterprise. “Legal counsel can’t just be doing contracts anymore,” she said. “We need to be more than that.”
One way to make sure the organization comes together is through tabletop exercises, the panel suggested. Lee admitted that “the tabletop exercise may seem like a corporate Dungeons & Dragons sort of thing,” but added that it’s really important to walk through potentially risky scenarios. “If you don’t have a plan of action, I make an analogy like it’s a kids’ soccer game, everybody is just going towards the ball,” he explained. Tabletop exercises help answer some basic questions: Who’s doing negotiations? Who’s going to the insurance carrier? Who’s doing communications, and how much?
From there, Ceccarelli suggested making a formal playbook to make the process memorable and repeatable. The playbook should certainly include engineering and IT, but it also gives the legal team a seat at the table to help guard against risk and potential worst-case scenarios. “By doing that, you can proceed rather quickly but also mitigating any possible damages from the incident that has occurred,” she added.
Finally, the panel cautioned to make sure that not only is everybody speaking to one another — especially the lawyers — but that they are speaking the same language when making these plans. Microsoft’s Ostrach gave the example of a three-page legal memo that might contain all of the relevant information on a new regulation but would never be read by engineers, “so it’s worthless.” In addition to being a lawyer, today’s counsel need to be “an old-timey phone connector,” making sure that everybody is communicating with one another.
And that goes both ways, Lee of Arnold & Porter added. “If you’re in IT and you’re not regularly talking to your general counsel, you should.” Perhaps the best thing that all parties can do when it comes to privacy and security is a simple trick, he added: “Be proactive in terms of having those conversations.”