As the company executes its cybersecurity plan, additional legal issues will arise, requiring counsel from both in-house and outside attorneys. Some of those issues could include proper documentation in public filings, as well as compliance with state data-breach regulations.
In the event of a corporate cybersecurity incident, Pearson also raises the challenging question of when to assert attorney-client privilege. "You don't really want to assert the privilege over-broadly, because it won't work, and because it will actually limit the ability of your organization to respond well," she said. "So you want to be very strategic and thoughtful about when you assert it."
Another issue corporations are grappling with is the extent to which they can monitor employees' personal electronic devices that are, in turn, connected to company systems. "How intimate can you be with your employee's activities, as a result of trying to protect your own company and ramping up?" Pearson asks. "That's a leading edge question."
Be Prepared for Incidents
Digital break-ins are inevitable, and companies need to be prepared to respond in a "credible, thoughtful, and protective manner," said Pearson. A response team, which should include a lawyer, should be equipped with the proper training and the proper tools.
"Counsel's role, whether it's inside or outside, is to help ask the right questions, make sure the teams that are responding to incidents are prepared, and act in accordance with what's expected of the company," Pearson said.
Ultimately, either a chief executive or a board director will ask if the company is doing enough about cybersecurity, said Pearson. "And when they ask that question, I think counsel is in the single best position to help answer it."
Catherine Dunn reports for Corporate Counsel, an ALM affiliate of the Daily Business Review.