September 19, 2018
By Professor Robert Kang, Loyola Law School, Los Angeles
In boardrooms across the nation, there is one risk that stands above all others: cybersecurity. As an ever-evolving threat, companies and the legal profession must also evolve to meet it. In 2010 I started advocating for Southern California businesses and law schools to recognize “cyber law” as a legal practice. There was no interest. Today, however, with cybersecurity as a top business and legal priority, I successfully helped launch Southern California’s first cybersecurity and data privacy law school concentration, and a growing number of companies are looking to hire in-house cyber counsel. But while the demand for bringing this role in-house has increased, many companies don’t understand its nuances. Here are some tips that may help.
Many people think that “privacy” and “cybersecurity” lawyers are one-and-the-same; thus if you hire one you also get the other. In fact, though there is overlap between the two practice areas, they are distinct in the same way that litigation and regulatory law may overlap, but are different. Recognizing this distinction will help you pick the right candidate for each role.
Privacy law dictates how companies may collect, store, use, and market personal information belonging to others. Want to know whether a particular law controls your ability to collect kids’ information from a new phone app? That’s a matter for privacy law. In contrast, cybersecurity law dictates how companies must keep all sensitive information (whether personal information or not)—as well as company systems, goods, and services – safe from bad actors. Need to know whether the Computer Fraud and Abuse Act applies to an ex-employee who stole company files by convincing a remaining employee to share passwords? Ask a cyber lawyer.
Many companies may want to hire a single person to assume both the privacy and cyber counsel roles for cost and other reasons. If so, it’s important to ask prospective candidates about their knowledge of both practice areas. Since privacy is the more established of the two areas, people generally know how to gauge a candidate’s privacy skills and knowledge. The same doesn’t hold true for cybersecurity. Questions like the ones below may help you assess a candidate’s cyber-related business, legal, and technical acumen:
Many people ask: “What do cyber counsel do?” The exact role will differ from company to company. However, at a high level, two common goals predominate: (1) helping set up cyber risk management/compliance programs, and (2) advising (or leading) cyber incident response teams. In other words, a good cybersecurity attorney must be both proactive and reactive.
These goals sound simple, but they represent the tip of the iceberg. On the proactive side, common tasks include partnering with company stakeholders to:
On the reactive side, common cyber counsel tasks include:
These are a sampling of tasks that cyber counsel may deal with. As your company’s technology and security needs grow, so will this list.
If your company wants to hire a single person to fill both the privacy and cyber roles, consider whether your candidate possesses the following:
The day may come when candidates possessing all of these traits exist in droves, but today is not that day. Until then, you and your company will need to prioritize your in-house counsel’s key traits based on your company’s needs. Also, consider setting a training and certification budget to provide your new hire with the knowledge, skills and networking contacts needed to fulfill both roles. (For additional information, see Robert Kang, It Takes a Village to Stop Cybercrime, ACC Docket (May 2018) pp. 78-79.) Finally, even if you and your company start with a single person to fill both privacy and cyber roles, consider creating dual positions as your company’s technology, privacy and cyber needs grow. For example, JP Morgan Chase & Co. started with privacy practitioners only, but now boasts separate privacy and cyber law teams. If your company grows, the work will be there.
Cybersecurity is a huge business and legal risk that grows ever bigger. For many years, companies have depended on outside counsel to meet their cyber law needs, but they now are starting to bring that talent in-house. If your company has decided to take the plunge to hire in-house cyber counsel, the foregoing information may help you find a worthwhile candidate. Good luck!
Robert Kang is an adjunct professor for technology and risk management at Loyola Law School, Los Angeles, where he played a leading role in creating Southern California’s first cybersecurity and data privacy law concentration. Robert is also in-house cyber counsel for a U.S. company, and a member of the Board of Directors for the Southern California chapter of the Association of Corporate Counsel. Resources referenced in this article are provided for educational purposes only. Contact Robert via email at email@example.com
The views expressed in this article are those of the author and not necessarily those of the authors’ employers, including Loyola Law School, or Bloomberg Law.