A spate of ransomware attacks and supply chain disruptions are forcing external and internal consultants to work more closely with IT departments to increase security and minimize the legal risks associated with such attacks.
Large-scale ransomware attacks drive conversations between IT departments and lawyers as executives see the headlines and recognize the potential cost of a compromised supply chain, said Mark McCreary, a Philadelphia-based co-chair of the privacy and data security practice at Fox Rothschild LLP.
“The in-house attorneys aren’t always that involved in IT decisions, but they are listening more and more and working more closely with the vendors,” said McCreary. “The legal departments are overwhelmed – no question about it – but they lean in and certainly pay more attention to IT.”
The practical interaction and collaboration between IT departments, in-house attorneys and law firm attorneys will only deepen as supply chain hits like the one against Kaseya Ltd. keep accelerating, added McCreary.
Communication between IT departments, in-house attorneys, and outside law firms is key to developing security and data compliance programs, but a strong relationship is perhaps even more important when an incident does materialize, said Melissa Krasnow, a privacy and cybersecurity partner at VLP Law Group in Minneapolis.
“For a number of customers we ensure that we have the most up-to-date contacts both internally and with the law enforcement authorities,” said Krasnow. “IT and legal should work hand in hand to make sure everything is up to date and people know what to do in the event of a ransomware hack.”
That includes running tabletop exercises that simulate a breach, she added. Such simulations matter because they show a company where its gaps are, but lawyers should also work closely with IT teams to close those gaps and put new security procedures in place after the exercise, Krasnow said.
Although IT and legal teams have traditionally worked together, high-profile hacks and an increasingly complex privacy landscape deepen the bonds and lead to more frequent communication between attorneys and security professionals, said Tom Zych, leader of the privacy and cybersecurity team at Thompson Hine LLP in Cleveland.
“I see the gratitude of the IT departments for their attention, whether that’s on the agenda or seeing an increased budget for necessary upgrades,” said Zych. “IT is relieved that people no longer see security as just an IT issue.”
IT departments and lawyers should work together to identify incident response firms to turn to in the event of a breach or hack, and to contract with them, said Erez Liebermann, co-chair of the U.S. Data Solutions, Cyber and Privacy Practice at Linklaters LLP in New York.
However, companies can benefit from signing such contracts only once an incident occurs, because that increases the likelihood that the engagement will be shielded from discovery under the work-product privilege, he said.
Management of third-party partners and vendors has recently come to the fore “primarily due to attacks on the message supply chain,” said Joseph Moreno, general counsel at SAP National Security Services in Herndon, Virginia.
In-house lawyers are increasingly recognizing the importance of adequate due diligence on vendors, since a vendor's poor cyber hygiene can be a "weak point" for the vendor and for the company that relies on it, said Moreno.
“If the vendor needs to be connected to your network to some degree or get data from your company, you want IT to be part of that conversation,” said Moreno. “You want IT to be involved in order to minimize access to the essentials and, in the worst case, to be able to switch them off.”
Law firms, like other businesses, can also be caught up in hacks, Zych said. An attack on file sharing company Accellion Inc. hit a number of law firms earlier this year, and clients are asking more and more questions about the security of the law firms they work with.
“Customers are getting better at managing their own risk, and with that I see a sharper perspective and control of vendors, including law firms,” said Zych.
It’s also important that IT departments give legal teams their input and attention, and that lawyers weigh in on some IT decisions, said Liebermann, who was formerly chief counsel at Prudential Financial Inc. But the two should be viewed as a single team, not as two competing interests, he said.
“Don’t just tick the box,” said Liebermann. “Let the lawyers and the information security teams sit together and really work together.”
And while time and budget constraints can be an obstacle, companies should realize that cyber is “far too critical” to take shortcuts, Moreno said.
“It’s a shame it took this type of attack to bring these issues to the fore,” Moreno said. “But it forces us all to take the issue seriously, namely that cyber is so important for the private sector and national security.”