Hogan Lovells partner Harriet Pearson has authored an article in Bloomberg BNA’s Privacy and Security Law Report. In “Cybersecurity: the Corporate Counsel’s Agenda” she describes why cybersecurity has become the biggest concern of general counsel and corporate board members. She then lays out a ten-point agenda for corporate counsel to help their companies manage cybersecurity risk.
The article frames the lawyer’s role in the larger context:
Companies can and should take a range of actions in advance of a cyber-incident. The business rationale for doing so is clear; an effective program that adjusts to address new risks is a must to protect against data loss, intellectual property theft, and operational disruption. And the presence of an effective cybersecurity program is likely required or expected by regulators or other key constituents (such as investors)—or shortly will be. No doubt, much of the needed work inside companies will be done by Information Technology (IT) Security and related technical and business personnel. But particularly because the environment is dynamic—and the standard of care not well understood—the role of counsel is vital and strategic.
In light of these growing cybersecurity concerns, the article presents a ten-point agenda for corporate counsel. One key recommendation is for corporate counsel to help their clients assess cybersecurity risk, develop a strategy, and document the resulting plan for managing that risk. The article also highlights the need to review and manage public company disclosures regarding cyber risks. And the article points to the recent update to the ABA Model Rules of Professional Conduct regarding counsel’s ethical duty to protect client information in today’s riskier “digital world.”
The article concludes:
The cybersecurity challenge is complex and dynamic, especially because there is a powerful upside to the continued embrace of digitization and connectivity. Intensifying cyber-threats and an active legislative, regulatory, and standards-setting environment mean that the organizational, IT, and data security measures that were reasonable and prudent in the recent past are unlikely to suffice today and certainly will not meet expectations in the future.
Alongside other efforts by senior leaders in government and industry, corporate counsel should satisfy themselves that their company’s enterprise risk management strategy is informed by a 360-degree view of the risk that includes the legal and policy landscape. They should review and help refine corporate and legal action plans so that such plans emphasize governance, prevention, and preparedness, and are multidisciplinary and sustainable. They should be a model of contemporary security-conscious behavior. Finally, to understand and potentially influence evolving standards of care in this area, they should monitor and consider strategic involvement in the policy and standards arena.