Hogan Lovells partner Harriet Pearson has just finished a presentation at the firm's annual global client forum at the Harvard Club in New York.
The event is part of Pearson's new life as a firm attorney. She joined Hogan in June after almost two decades serving a single client, IBM, where in 2000 she became one of the first-ever chief privacy officers in the Fortune 500. Pearson wasn't only IBM's CPO but its security counsel, too.
While she believes the coming decade will be "explosive" in terms of privacy developments, her focus in the firm's privacy and data security practice group will be on cybersecurity at a moment when the U.S. government and the corporate sector are starting to grapple ever more vocally with both the physical implications of cyber attacks and the legal implications of protecting against them.
"And the challenge there ... is that what general counsel, what corporate counsel need to be doing right now is undefined. There's so much uncertainty in the environment," she said in an interview. "But that will get defined. It will get defined in part by legal proceedings, by regulation, by people working together to make policy, and I wanted to be part of that in a broader way."
In other words, Pearson is bringing the expertise she honed at IBM to a bigger audience, starting with explaining the corporate lawyer's role in a company's cybersecurity regimen. This fall, for example, she counseled clients to respond to Democratic U.S. Senator Jay Rockefeller's letter to CEOs of the Fortune 500 regarding cybersecurity, which followed on the heels of a major cybersecurity legislative defeat.
The West Virginia senator's questions for big corporations weren't hard to contend with in and of themselves, she said. But she does call Rockefeller's efforts to solicit feedback from the country's top chief executives "unprecedented" in Washington, and that should be a sign to the corporate world.
"If it's serious enough for a senator to write to you, then it's serious enough to have an action agenda and a plan to manage your company's participation," she said.
General counsel have an important role to play in evaluating the legal, reputational, and operational risks for a company's cybersecurity, said Pearson. Here, she shares with us some key recommendations:
Assess and Strategize
The GC, of course, isn't the chief information officer or the IT security director, so they won't be driving IT projects. But GCs do have a responsibility to make sure that the company is meeting its fiduciary standard of care. In the cybersecurity realm, that translates to running a risk assessment, helping guide the company's strategy, and documenting that plan.
"The most foundational thing they can do is ensure that the company has a view of all of the different risks, not just 'Do we have a hack happening?' but really, 'What regulations are we under, what do our contracts say, what do our SEC filings say?'" Pearson explains. "What does a company of our stature, in our industry, at this point in time, what are we really expected to do?"