Editor’s Note: This piece is part of a combined series between The Law Journal and its Philadelphia-based sister paper, The Legal Intelligencer, exploring the cybersecurity needs of law firms.
William Hughes recalls being at a client’s office at 3 a.m.—in the midst of responding to an ongoing cyberattack—when they discovered that the hackers learned of law enforcement’s involvement by infiltrating an employee device.
“It was scary,” said Hughes, a former federal prosecutor who heads the cyber risk management practice at Cooper Levenson April Niedelman & Wagenheim in Atlantic City, N.J. “Their knowledge of not just our client, but the investigation, was mind-boggling. … It is something out of the movies,” Hughes said of the breach, perpetrated about two years ago on a provider of cloud-based services he declined to identify. “It just opens up a whole Pandora’s Box of issues.”
Those issues commonly require a lawyer’s involvement, and firms that developed specialized practices in advance of last year’s barrage of data breach headlines said they’re feeling the increase in demand for cybersecurity counsel.
The risks appear to be more than reputational: one lawyer cited the average cost of a breach, per record compromised, at $30; another, at $200.
“There’s certainly been a growth in this [practice] area at every level,” but many companies, especially in unregulated industries, are “not so much focused on this,” said Fernando Pinguelo, chair of the cybersecurity and data protection practice at Scarinci & Hollenbeck’s Ocean, N.J. office.
“It’s unfortunate because there are simple steps that can be taken to line up the right people,” Pinguelo added. “Businesses need to do more than just talk about this. … They want to be able to pick up the phone and get a human being who is able to orchestrate what their next steps are.”
The first of those steps is to assemble a team of experts equipped to deal with a breach in fields such as forensics, investigation and public relations, firms said.
“As a lawyer, I typically serve as the quarterback coordinating a multidisciplinary group of professionals,” Pinguelo said.
Scott Christie, a partner in Newark-based McCarter & English’s cybersecurity and data privacy practice, said, “That’s why the lawyer who’s coordinating that needs to walk the walk and talk the talk. … It’s vital for an attorney who professes to do cybersecurity work [to] have not only the legal background, but the technical background.”
Numerous firms also pointed to the privilege-related benefits of having a lawyer lead the response team.
Christie agreed that demand for cybersecurity services—“driven by the fear of bad consequences”—is high.
A decade ago, “companies would be interested” in data security, “but they’d have so many other demands on their limited resources, it was not necessarily a priority for them,” according to Christie, who previously led the Computer Hacking and Intellectual Property Section at the U.S. Attorney’s Office in New Jersey. “[Now] people are much more aware and willing to spend the money.”
Leading a breach response is only one facet. Cybersecurity practitioners can, directly or via consultants, develop comprehensive breach-response plans, draft written policies, help train employees, provide penetration testing, update policies based on changes in the law, or coordinate victim or law enforcement notification in the event of a cyberattack.
And with a federal data security law in the works but not yet passed, there’s a web of at least 47 state laws with which to contend, lawyers said.
Companies, at some point, can “walk on their own,” but “first you’ve got to know” what data is being stored, where it’s being stored, how long it must be stored, as well as the most efficient way to secure it, Christie said. “When you get that under control … they can do more of it in-house.”
Lawyers pointed out that the majority of these services are provided well before any cyberattack.
“You need to deal with the breach before it occurs—you want to have that plan in place,” said Angelo Stio III, of the Princeton, N.J., office of Philadelphia-based Pepper Hamilton. Stio is part of the firm’s privacy, security and data protection group, as well as its data breach response team. “You want to set things in motion internally and externally. Externally, who’s your lawyer? Who’s forensics? Is there an insurance carrier involved?”
The hack handled two years ago by Cooper Levenson was a “zero-day attack”—one that exploits a software or system flaw that had not been previously detected. A network of hackers in the U.S., Europe and Russia participated, and the personal information stolen in such an attack might fetch six figures on the black market, according to Hughes, who previously was in the computers and finance section of the U.S. Department of Justice’s Antitrust Division and, after that, at the U.S. Attorney’s Office for the District of New Jersey.
Typically, “they’re not people who are my age,” Hughes, 48, said. “These are kids who do nothing but sit at a computer all day, who know coding inside and out.”
Still, some companies’ infrastructures are no match, Hughes and two associates in the practice group said.
“There’s completely unrealistic expectations on what IT departments can do,” said one, Peter Yu, also a former Justice Department attorney. “The expectation is that those IT folks, who have no training in cybersecurity, secure the system against highly, highly sophisticated hackers.”
Michael Salad, another associate in the group, added that while some IT staffers have security training, outside consultants can offer vulnerability and protection testing. “Some of the most sophisticated clients will find several dozen places where they can improve.”
The trouble isn’t over once a breach is addressed and reported, they pointed out: agencies other than law enforcement may come calling.
“Once a company gets on a radar screen in one area, there is a risk they become subject to scrutiny in other areas as well,” Hughes said.
Sandra Jeskie—who leads the Philadelphia-based Duane Morris’ information technologies and telecommunications group and is former president of the International Technology Law Association—noted that a breach isn’t always a hacker’s doing.
“The thing that … just doesn’t get as much press as it should, and should be more focused on in corporations, [is] the inadvertent disclosures,” Jeskie said, adding that even a lost laptop or a mistakenly addressed email can trigger a legal reporting requirement.
Gregory Parks, co-head of the privacy and cybersecurity practice at Morgan, Lewis & Bockius in Philadelphia, a litigator by training, said he now devotes most of his time to his cybersecurity practice. A total of about 85 lawyers firm-wide are handling such matters to one degree or another, he said.
Last year’s data-breach headlines prompted an uptick in calls from clients, Parks added.
“It is absolutely a constantly evolving thing,” he said. “This is something that every company needs to work on constantly, all the time. You can never say, ‘OK, we are done with cybersecurity.’”
Developing a Cybersecurity Practice
Launching a cybersecurity practice requires significant groundwork. Some lawyers went so far as to say that it’s simpler for a technology professional to learn the law than it is for a lawyer to learn technology.
When e-discovery rules in New Jersey and elsewhere were in flux in 2006, that was “a unique opportunity to delve into these issues deeper,” according to Pinguelo, who said addressing technical issues in litigation and non-litigation matters, as well as working with legislators, helped him develop a core of knowledge. “I can’t think of a better way to bone up on these issues than to be on the front lines.”
Stio said “law firms have started to recognize that this is an area where the law is changing,” but “those on the forefront started doing that seven to 10 years ago.”
“Any lawyer that is going to engage in this type of practice is going to find a way to educate themselves on these kind of laws,” Stio said, adding that Pepper Hamilton’s breach response team includes lawyers from various practices, some of them industry-based: litigation, labor and employment, corporate and securities, white collar defense, health care, and financial services.
Marketing, at this stage, is mostly through word-of-mouth, lawyers said, though even that is challenging when “companies are loath to disclose publicly that they’ve had a data privacy problem,” according to Christie. Still, client referrals are becoming more common, he said.
Billing for cybersecurity work is approached differently depending on the firm. At Morgan Lewis, a lot of the work is done on an hourly basis, but some tasks, such as developing an incident-response plan or conducting privacy audits, lend themselves to fixed fees, Parks said.
Timothy Blank, who chairs the cybersecurity and data privacy group at Dechert in Philadelphia, and Vernon Francis, a partner in the group, said billing for cybersecurity work is approached the same as any other practice, though some tasks, particularly litigation and government investigations, are suited to hourly billing. Dechert, like Morgan Lewis, is willing to conduct audits for a fixed fee, they said.
Pinguelo, who teaches an e-discovery course at Seton Hall University School of Law, said client demand for cybersecurity services will continue to grow, but building a strong practice takes time.
“Any firm looking to get in this area—they need to recognize that,” Pinguelo said.