Davis Polk's New York Law Journal article: "Role of In-House Counsel in Cybersecurity Incident Response Planning" succinctly captures the important role of in-house counsel in three key cybersecurity incident preparation and response functions: (i) providing information and advice regarding the company’s legal and regulatory obligations, particularly with respect to breach notification; (ii) engaging and coordinating external resources, including outside counsel and consultants; and (iii) coordinating and managing internal and external communications and relations.
The article emphasizes the importance of in-house counsel:
- Understanding, on an ongoing basis (as regulatory schemes evolve), which regulators have jurisdiction and to what extent
- Participating in developing, practicing, testing, and updating an incident response plan
- Advising on privilege needs and protections
The firm also recommends in-house counsel remain meaningfully involved in: (i) virtually all internal and external communications - including internal response team communications, up-the-ladder reporting, communications with insurers, auditors, customers, regulators and the public - to mitigate risks such as information leaks, selective disclosure, and insider trading, as well as (ii) interactions with third parties whom the company may rely upon for cooperation, such as vendors, former employees, ISPs, and law enforcement authorities.
See also Baker Hostetler's "Cybersecurity Firms Issue Annual Threat Reports" and these associated reports from FireEye (access report here), IBM, and CrowdStrike, and additional information & resources on our Cybersecurity/Data Privacy page.
This post first appeared in the weekly Society Alert!