Ex-IBM Privacy Officer on Preparing for the Future of Cybersecurity
On a recent Friday morning in Manhattan, Hogan Lovells partner Harriet Pearson has just finished presenting at the firm's annual global client forum at the Harvard Club. The event is part of Pearsons new life as a firm attorney. She joined Hogan in June after almost two decades serving a single client: IBM, where in 2000 she became one of the first-ever chief privacy officers in the Fortune 500.
Pearson wasnt only IBMs CPO, but its security counsel, too. And while she believes the coming decade will be explosive in terms of privacy developments, her focus in the firms privacy and data security practice group will be on cybersecurityat a moment when the U.S. government and the corporate sector are starting to grapple ever-more-vocally with both the physical implications of cyber attacks and the legal implications of protecting against them.
And the challenge thereas I was talking to our seminar attendees todayis that what general counsel, what corporate counsel need to be doing right now is undefined. Theres so much uncertainty in the environment, she tells CorpCounsel.com, cloistered in a dark-paneled room in the neo-Georgian NYC landmark. But that will get defined. It will get defined in part by legal proceedings, by regulation, by people working together to make policy, and I wanted to be part of that in a broader way.
In other words, Pearson is bringing the expertise she honed at IBM to a bigger audience, starting with explaining the corporate lawyers role in a companys cybersecurity regimen. This fall for example, she counseled clients to respond to Senator Jay Rockefellers (D-West Virginia) letter to CEOs of the Fortune 500 regarding cybersecurity, which followed on the heels of a major cybersecurity legislative defeat.
The senators questions for big corporations in and of themselves werent hard to contend with, she says. Though she does call Rockefellers efforts to solicit feedback from the countrys top chief executives unprecedented in Washingtonand that should be a sign to the corporate world.
If its serious enough for a senator to write to you, then its serious enough to have an action agenda and a plan to manage your companys participation, she says.
General counsel have an important role to play in evaluating the legal, reputational, and operational risks for a companys cybersecurity, says Pearson. Here, she shares with us some key recommendations:
Assess and Strategize
The GC, of course, isnt the chief information officer or the IT security directorso they wont be driving IT projects. But GCs do have a responsibility to make sure that the company is meeting its fiduciary standard of care. In the cybersecurity realm, that translates to running a risk assessment, helping guide the companys strategy, and documenting that plan.
The most foundational thing they can do is ensure that the company has a view of all of the different risksnot just Do we have a hack happening? but really, What regulations are we under, what do our contracts say, what do our SEC filings say? Pearson explains. What does a company of our stature, in our industry, at this point in timewhat are we really expected to do?
Provide Ongoing Counsel
As the company executes its cybersecurity plan, additional legal issues will arise, requiring counsel from both in-house and outside attorneys. Some of those issues could include proper documentation in public filings, as well as compliance with state data-breach regulations.
In the event of a corporate cybersecurity incident, Pearson also raises the challenging question of when to assert attorney-client privilege. You dont really want to assert the privilege over-broadly, because it wont work, and because it will actually limit the ability of your organization to respond well, she says. So you want to be very strategic and thoughtful about when you assert it.
Another issue corporations are grappling with is to what extent they can monitor an employees personal electronic devices that, in turn, get hooked up to company systems. How intimate can you be with your employees activities, as a result of trying to protect your own company and ramping up? Pearson asks. Thats a leading edge question.
Be Prepared for Incidents
Digital break-ins are inevitable, and companies need to be prepared to respond in a credible, thoughtful, and protective manner, says Pearson. A response teamwhich should include a lawyershould be equipped with the proper training and the proper tools.
Counsels role, whether its inside or outside, is to help ask the right questions, make sure the teams that are responding to incidents are prepared, and act in accordance with whats expected of the company, Pearson says.
Ultimately, either a chief executive or a board director will ask if the company is doing enough about cybersecurity, says Pearson. And when they ask that question, I think counsel is in the single best position to help answer it.