Law firms set up cyber specialties as attacks grow

Harriet Pearson

Harriet Pearson

Data breaches might look like fodder for headline news or primetime television, but lawyers warn that the legal drama that can unfold following an errant keystroke is real and increasingly common.

When it comes to tracked data breaches, the United States hit an all-time high last year with 1,093 reported breaches. This is a nearly 40 percent increase from 780 documented cases the previous year, according to a study released in January by Identity Theft Resource Center in San Diego and CyberScout in Scottsdale, Arizona.

As more and more individuals and businesses fall victim to violations of cybersecurity —from losing a computer containing confidential information to downloading a crippling virus — some law firms have expanded their practices to create cybersecurity specialties, while others have reported an increase in computer-related business.

“Law firms are always scanning the horizon, and cybersecurity is not only a Goliath, but it is a Goliath that is never going away,” said Sharon D. Nelson, the president of Sensei Enterprises Inc. in Fairfax, Virginia, and a member of the American Bar Association’s Law Practice Division. “We are here to stay in the digital world, and data is black gold. Data is the new oil, and having seen that, law firms are very responsive.”

David Turetsky

David Turetsky

Saul Ewing LLP Partner Alexander Bilus is co-chair of the Baltimore-based firm’s cybersecurity and privacy practice group, composed of about 41 lawyers from the large firm’s various practice areas. His practice group has grown in the past year as sundry cybersecurity scandals dominated the news, from allegations over Hillary Clinton’s email server to Russian hackers interfering with the election.

As evidence of demand for cybersecurity lawyers, April Doss, who was chair of Saul Ewing’s cybersecurity and privacy practice group and helped launch it about a year ago, recently left the firm to work on the Senate Intelligence Committee’s probe into Russia’s interference in the 2016 election.

“I think that certain people who are paying attention (to cybersecurity news) are starting to think how can I protect myself, my business, my family from that,” said Bilus, who works in Saul Ewing’s Philadelphia office. “Many companies have hired cybersecurity staff to manage threats as they’ve become more aware of technology’s weaknesses. I don’t know that the country as a whole is there yet.”

Rockville, Maryland-based attorney Michael S. Rothman, who has worked on computer-related cases for more than 10 years, said that educating the public is critical: Many don’t know how to identify a potential cybersecurity threat or understand why it’s important to hire a lawyer who specializes in the field to deal with a breach.

Working with small firms

Unlike Bilus, Rothman said that his work is on a smaller scale: He’s defended those charged with internet crimes, has performed threat assessments for small firms, and helped them after an employee has made off with a customer list, or after someone has installed keystroke logging software on a client computer.

“There are more cyberattacks on individuals and small firms now than ever before,” he said.

Rothman said that there is no real way of stopping breaches from happening as long as human error exists. The volume of such crimes is so high that understaffed police and prosecutors rarely pursue charges unless they’ve been handed an abundance of evidence, he said.

“This is like trying to hold back the ocean with a teaspoon. There would never be enough resources to prevent people from getting scammed, or from committing online crimes,” he said. “The only thing you can do to improve the situation is to make people more aware of what a scam looks like.”

Firms also are seeing an increase in privacy lawsuits and clients that need trained data breach or privacy lawyers to oversee them.

“It is a much-needed service,” Nelson said. “With the larger firms in particular, they want people to have one-stop shopping, and if they don’t have people in these fields they are not offering one-stop shopping. If their clients get breached it is a very expensive proposition. One part of that is legal fees, so of course they would like those legal fees to adhere to them.”

On the ground floor

Harriet Pearson began working in cybersecurity before it was even a term. This was in 1996 and Pearson served as IBM’s vice president, security counsel and chief privacy officer. Later, when she left to work on legal data privacy cases at a private law firm, people asked her if she really thought there was enough work in the field.

“I can say after five years of focusing my law firm practice on it, there is a growing interest and demand from companies of all types for assistance on planning for, reducing the risks of and responding to the undeniable reality that there are more cybersecurity vulnerabilities and threats out there that have to be addressed,” said Pearson, now a partner in Hogan Lovells’ global privacy and cybersecurity practice group in Washington.

Nearly every state has data notification laws regarding breaches. National Cyber Security Alliance Executive Director Michael Kaiser said having a knowledgeable lawyer can help businesses and organizations better understand their legal responsibilities.

“(It is good) having legal advice, certainly if (an attack) happens but preferable in advance of it happening so that you know what your legal requirements are if you were to lose data would be something most businesses are starting to understand they need to pay attention to,” he said.

Who to recruit

Law firms are moving in two directions, said David Turetsky, partner at the Washington-based Akin Gump LLP and a member of the ABA’s Cybersecurity Legal Task Force.

“More are trying to do what we’ve done at Akin Gump — recruit new talent when appropriate and recognize that cybersecurity can and should be a true cross-practice initiative that draws on and further develops lawyers with cyber-relevant skill sets from elsewhere in the firm,” he said.

Akin Gump draws on lawyers who are experts in HIPAA to raise important cybersecurity and privacy issues as well as government contract lawyers who have an understanding of the federal government’s evolving cybersecurity-related procurement rules.

To provide the best service possible, Turetsky believes it is beneficial for law firms to cultivate ties and relationships with various kinds of technical, forensic and consulting firms and experts “to ensure that clients have access to a comprehensive suite of services that can anticipate and address the full range of cybersecurity needs they may encounter.”

Go to Source