INSIGHT: Thinking of Hiring In-House Cyber Counsel? Here Are Some Tips

Bloomberg Law: Privacy & Data Security

By Professor Robert Kang, Loyola Law School, Los Angeles

In boardrooms across the nation, one risk stands above all others: cybersecurity. The threat keeps evolving, and companies and the legal profession must evolve to meet it. In 2010 I started advocating for Southern California businesses and law schools to recognize “cyber law” as a legal practice. There was no interest. Today, with cybersecurity a top business and legal priority, I have helped launch Southern California’s first cybersecurity and data privacy law school concentration, and a growing number of companies are looking to hire in-house cyber counsel. But while demand for bringing this role in-house has increased, many companies don’t understand its nuances. Here are some tips that may help.

1. Understand the Difference Between “Privacy” and “Cyber” Counsel

Many people think that “privacy” and “cybersecurity” lawyers are one and the same, so that hiring one also gets you the other. In fact, although the two practice areas overlap, they are distinct, in the same way that litigation and regulatory law overlap but are different. Recognizing this distinction will help you pick the right candidate for each role.

Privacy law dictates how companies may collect, store, use, and market personal information belonging to others. Want to know whether a particular law controls your ability to collect kids’ information through a new phone app? That’s a matter for privacy law. In contrast, cybersecurity law dictates how companies must keep all sensitive information (whether personal information or not), as well as company systems, goods, and services, safe from bad actors. Need to know whether the Computer Fraud and Abuse Act applies to an ex-employee who stole company files by convincing a current employee to share passwords? Ask a cyber lawyer.

Many companies may want to hire a single person to assume both the privacy and cyber counsel roles for cost and other reasons. If so, it’s important to ask prospective candidates about their knowledge of both practice areas. Since privacy is the more established of the two areas, people generally know how to gauge a candidate’s privacy skills and knowledge. The same doesn’t hold true for cybersecurity. Questions like the ones below may help you assess a candidate’s cyber-related business, legal, and technical acumen:

2. Understand What Cyber Counsel Do

Many people ask: “What do cyber counsel do?” The exact role differs from company to company. At a high level, however, two goals predominate: (1) helping set up cyber risk management and compliance programs, and (2) advising (or leading) cyber incident response teams. In other words, a good cybersecurity attorney must be both proactive and reactive.

These goals sound simple, but they represent the tip of the iceberg. On the proactive side, common tasks include partnering with company stakeholders to:

  • develop and implement internal cyber risk management/compliance programs to reduce cyber and legal risk;
  • develop incident response plans to guide your company through a cyber incident;
  • revamp and negotiate vendor contracts to include cybersecurity terms that mitigate supply chain cyber risk (see, for example, the Association of Corporate Counsel’s (ACC’s) Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information);
  • evaluate your company’s products and offerings for potential legal/business security-related risks; and
  • develop industry best practices and self-regulation with industry trade groups and other interested parties.

On the reactive side, common cyber counsel tasks include:

  • advising (or managing) incident response and investigation teams that respond to an actual or suspected cyber incident;
  • analyzing digital forensic reports and physical security investigative reports, and then summarizing that information into plain English for company leaders;
  • advising the company’s public relations personnel when issuing press releases and other public statements to minimize the risk of SEC violations and shareholder fraud claims;
  • determining whether any state or federal cyber laws/regulations apply to a particular incident; and
  • for publicly traded companies, advising senior leadership whether to close internal trading windows in response to a cyber incident.

These are a sampling of tasks that cyber counsel may deal with. As your company’s technology and security needs grow, so will this list.

3. Picking Cyber Counsel Requires Balancing Multiple Factors

If your company wants to hire a single person to fill both the privacy and cyber roles, consider whether your candidate possesses the following:

  • privacy knowledge and experience;
  • cybersecurity knowledge and experience;
  • in-house counsel experience, particularly in working with the business side to develop enterprise-wide cyber risk management/compliance programs;
  • an existing network of cyber practitioners (e.g., forensic investigators, law enforcement contacts, and even colleagues to “talk shop” with); and
  • the confidence to make snap decisions, and to persuade internal clients to stay after-hours to investigate incidents that the attorney (but not necessarily the client) believes may require immediate resolution.

The day may come when candidates possessing all of these traits exist in droves, but today is not that day. Until then, you and your company will need to prioritize your in-house counsel’s key traits based on your company’s needs. Also, consider setting a training and certification budget to provide your new hire with the knowledge, skills and networking contacts needed to fulfill both roles. (For additional information, see Robert Kang, It Takes a Village to Stop Cybercrime, ACC Docket (May 2018) pp. 78-79.) Finally, even if you and your company start with a single person to fill both privacy and cyber roles, consider creating dual positions as your company’s technology, privacy and cyber needs grow. For example, JP Morgan Chase & Co. started with privacy practitioners only, but now boasts separate privacy and cyber law teams. If your company grows, the work will be there.


Cybersecurity is a huge business and legal risk, and it keeps growing. For many years, companies have depended on outside counsel to meet their cyber law needs, but they are now starting to bring that talent in-house. If your company has decided to take the plunge and hire in-house cyber counsel, the foregoing may help you find a worthwhile candidate. Good luck!


Robert Kang is an adjunct professor for technology and risk management at Loyola Law School, Los Angeles, where he played a leading role in creating Southern California’s first cybersecurity and data privacy law concentration. Robert is also in-house cyber counsel for a U.S. company, and a member of the Board of Directors for the Southern California chapter of the Association of Corporate Counsel. Resources referenced in this article are provided for educational purposes only. Contact Robert via email at

The views expressed in this article are those of the author and not necessarily those of the author’s employers, including Loyola Law School, or Bloomberg Law.
