By Professor Robert Kang, Loyola Law School, Los Angeles
In boardrooms across the nation, there is one risk that stands above all others: cybersecurity. It is an ever-evolving threat, and companies and the legal profession must also evolve to meet it. In 2010 I started advocating for Southern California businesses and law schools to recognize “cyber law” as a legal practice. There was no interest. Today, however, with cybersecurity as a top business and legal priority, I successfully helped launch Southern California’s first cybersecurity and data privacy law school concentration, and a growing number of companies are looking to hire in-house cyber counsel. But while the demand for bringing this role in-house has increased, many companies don’t understand its nuances. Here are some tips that may help.
Many people think that “privacy” and “cybersecurity” lawyers are one-and-the-same; thus if you hire one you also get the other. In fact, though there is overlap between the two practice areas, they are distinct in the same way that litigation and regulatory law may overlap, but are different. Recognizing this distinction will help you pick the right candidate for each role.
Privacy law dictates how companies may collect, store, use, and market personal information belonging to others. Want to know whether a particular law controls your ability to collect kids’ information from a new phone app? That’s a matter for privacy law. In contrast, cybersecurity law dictates how companies must keep all sensitive information (whether personal information or not), as well as company systems, goods, and services, safe from bad actors. Need to know whether the Computer Fraud and Abuse Act applies to an ex-employee who stole company files by convincing a remaining employee to share passwords? Ask a cyber lawyer.
Many companies may want to hire a single person to assume both the privacy and cyber counsel roles for cost and other reasons. If so, it’s important to ask prospective candidates about their knowledge of both practice areas. Since privacy is the more established of the two areas, people generally know how to gauge a candidate’s privacy skills and knowledge. The same doesn’t hold true for cybersecurity. Questions like the ones below may help you assess a candidate’s cyber-related business, legal, and technical acumen:
Many people ask: “What do cyber counsel do?” The exact role will differ from company to company. However, at a high level, two common goals predominate: (1) helping set up cyber risk management/compliance programs, and (2) advising (or leading) cyber incident response teams. In other words, a good cybersecurity attorney must be both proactive and reactive.
These goals sound simple, but they represent the tip of the iceberg. On the proactive side, common tasks include partnering with company stakeholders to:
On the reactive side, common cyber counsel tasks include:
These are a sampling of tasks that cyber counsel may deal with. As your company’s technology and security needs grow, so will this list.
If your company wants to hire a single person to fill both the privacy and cyber roles, consider whether your candidate possesses the following:
The day may come when candidates possessing all of these traits exist in droves, but today is not that day. Until then, you and your company will need to prioritize your in-house counsel’s key traits based on your company’s needs. Also, consider setting a training and certification budget to provide your new hire with the knowledge, skills and networking contacts needed to fulfill both roles. (For additional information, see Robert Kang, It Takes a Village to Stop Cybercrime, ACC Docket (May 2018) pp. 78-79.) Finally, even if you and your company start with a single person to fill both privacy and cyber roles, consider creating dual positions as your company’s technology, privacy and cyber needs grow. For example, JP Morgan Chase & Co. started with privacy practitioners only, but now boasts separate privacy and cyber law teams. If your company grows, the work will be there.
Cybersecurity is a huge business and legal risk that grows ever bigger. For many years, companies have depended on outside counsel to meet their cyber law needs, but they now are starting to bring that talent in-house. If your company has decided to take the plunge to hire in-house cyber counsel, the foregoing information may help you find a worthwhile candidate. Good luck!
Robert Kang is an adjunct professor for technology and risk management at Loyola Law School, Los Angeles, where he played a leading role in creating Southern California’s first cybersecurity and data privacy law concentration. Robert is also in-house cyber counsel for a U.S. company, and a member of the Board of Directors for the Southern California chapter of the Association of Corporate Counsel. Resources referenced in this article are provided for educational purposes only. Contact Robert via email at firstname.lastname@example.org
The views expressed in this article are those of the author and not necessarily those of the author’s employers, including Loyola Law School, or Bloomberg Law.