Hogan Lovells partner Harriet Pearson has just finished a presentation at the firm’s annual global client forum at the Harvard Club in New York.
The event is part of Pearson’s new life as a firm attorney. She joined Hogan in June after almost two decades serving a single client, IBM, where in 2000 she became one of the first-ever chief privacy officers in the Fortune 500. Pearson wasn’t only IBM’s CPO but its security counsel, too.
While she believes the coming decade will be “explosive” in terms of privacy developments, her focus in the firm’s privacy and data security practice group will be on cybersecurity — at a moment when the U.S. government and the corporate sector are starting to grapple ever more vocally with both the physical implications of cyber attacks and the legal implications of protecting against them.
“And the challenge there … is that what general counsel, what corporate counsel need to be doing right now is undefined. There’s so much uncertainty in the environment,” she said in an interview. “But that will get defined. It will get defined in part by legal proceedings, by regulation, by people working together to make policy, and I wanted to be part of that in a broader way.”
In other words, Pearson is bringing the expertise she honed at IBM to a bigger audience, starting with explaining the corporate lawyer’s role in a company’s cybersecurity regimen. This fall for example, she counseled clients to respond to Democratic U.S. Senator Jay Rockefeller’s letter to CEOs of the Fortune 500 regarding cybersecurity, which followed on the heels of a major cybersecurity legislative defeat.
The West Virginia senator’s questions for big corporations in and of themselves weren’t hard to contend with, she said. Though she does call Rockefeller’s efforts to solicit feedback from the country’s top chief executives “unprecedented” in Washington — and that should be a sign to the corporate world.
“If it’s serious enough for a senator to write to you, then it’s serious enough to have an action agenda and a plan to manage your company’s participation,” she said.
General counsel have an important role to play in evaluating the legal, reputational, and operational risks for a company’s cybersecurity, said Pearson. Here, she shares with us some key recommendations:
Assess and Strategize
The GC, of course, isn’t the chief information officer or the IT security director — so they won’t be driving IT projects. But GCs do have a responsibility to make sure that the company is meeting its fiduciary standard of care. In the cybersecurity realm, that translates to running a risk assessment, helping guide the company’s strategy, and documenting that plan.
“The most foundational thing they can do is ensure that the company has a view of all of the different risks — not just ‘Do we have a hack happening?’ but really, What regulations are we under, what do our contracts say, what do our SEC filings say?” Pearson explains. “What does a company of our stature, in our industry, at this point in time — what are we really expected to do?”
As the company executes its cybersecurity plan, additional legal issues will arise, requiring counsel from both in-house and outside attorneys. Some of those issues could include proper documentation in public filings, as well as compliance with state data-breach regulations.
In the event of a corporate cybersecurity incident, Pearson also raises the challenging question of when to assert attorney-client privilege. “You don’t really want to assert the privilege over-broadly, because it won’t work, and because it will actually limit the ability of your organization to respond well,” she said. “So you want to be very strategic and thoughtful about when you assert it.”
Another issue corporations are grappling with is to what extent they can monitor an employee’s personal electronic devices that, in turn, get hooked up to company systems. “How intimate can you be with your employee’s activities, as a result of trying to protect your own company and ramping up?” Pearson asks. “That’s a leading edge question.”
Be Prepared for Incidents
Digital break-ins are inevitable, and companies need to be prepared to respond in a “credible, thoughtful, and protective manner,” said Pearson. A response team, which should include a lawyer, should be equipped with the proper training and the proper tools.
“Counsel’s role, whether it’s inside or outside, is to help ask the right questions, make sure the teams that are responding to incidents are prepared, and act in accordance with what’s expected of the company,” Pearson said.
Ultimately, either a chief executive or a board director will ask if the company is doing enough about cybersecurity, said Pearson. “And when they ask that question, I think counsel is in the single best position to help answer it.”