On a recent Friday morning in Manhattan, Hogan Lovells partner Harriet Pearson has just finished presenting at the firm’s annual global client forum at the Harvard Club. The event is part of Pearsons new life as a firm attorney. She joined Hogan in June after almost two decades serving a single client: IBM, where in 2000 she became one of the first-ever chief privacy officers in the Fortune 500.
Pearson wasnt only IBMs CPO, but its security counsel, too. And while she believes the coming decade will be explosive in terms of privacy developments, her focus in the firms privacy and data security practice group will be on cybersecurityat a moment when the U.S. government and the corporate sector are starting to grapple ever-more-vocally with both the physical implications of cyber attacks and the legal implications of protecting against them.
And the challenge thereas I was talking to our seminar attendees todayis that what general counsel, what corporate counsel need to be doing right now is undefined. Theres so much uncertainty in the environment, she tells CorpCounsel.com, cloistered in a dark-paneled room in the neo-Georgian NYC landmark. But that will get defined. It will get defined in part by legal proceedings, by regulation, by people working together to make policy, and I wanted to be part of that in a broader way.
In other words, Pearson is bringing the expertise she honed at IBM to a bigger audience, starting with explaining the corporate lawyers role in a companys cybersecurity regimen. This fall for example, she counseled clients to respond to Senator Jay Rockefellers (D-West Virginia) letter to CEOs of the Fortune 500 regarding cybersecurity, which followed on the heels of a major cybersecurity legislative defeat.
The senators questions for big corporations in and of themselves werent hard to contend with, she says. Though she does call Rockefellers efforts to solicit feedback from the countrys top chief executives unprecedented in Washingtonand that should be a sign to the corporate world.
If its serious enough for a senator to write to you, then its serious enough to have an action agenda and a plan to manage your companys participation, she says.
General counsel have an important role to play in evaluating the legal, reputational, and operational risks for a companys cybersecurity, says Pearson. Here, she shares with us some key recommendations:
Assess and Strategize
The GC, of course, isnt the chief information officer or the IT security directorso they wont be driving IT projects. But GCs do have a responsibility to make sure that the company is meeting its fiduciary standard of care. In the cybersecurity realm, that translates to running a risk assessment, helping guide the companys strategy, and documenting that plan.
The most foundational thing they can do is ensure that the company has a view of all of the different risksnot just Do we have a hack happening? but really, What regulations are we under, what do our contracts say, what do our SEC filings say? Pearson explains. What does a company of our stature, in our industry, at this point in timewhat are we really expected to do?
