A spate of ransomware attacks and supply chain disruptions is compelling outside and in-house counsel to work more closely with information technology departments to bolster security and minimize the legal risks that accompany such hits.
Large-scale ransomware attacks are driving conversations between IT departments and lawyers as business leaders see the headlines and recognize the potential costs of supply chain compromises, said Mark McCreary, a Philadelphia-based co-chair of Fox Rothschild LLP’s privacy and data security practice.
“In-house counsel aren’t always as involved in IT decisions, but they’re starting to listen more and work more closely with vendors,” McCreary said. “Legal departments are stretched thin—there’s no question about that—but they are leaning in and certainly paying more attention to IT.”
Hands-on interaction and collaboration between IT departments, in-house counsel, and firm lawyers are only set to deepen as supply chain hits such as the one against Kaseya Ltd. continue to accelerate, McCreary added.
Communication among IT departments, in-house counsel, and outside law firms is key for developing security programs and data compliance programs, but a strong relationship is perhaps even more crucial for when an incident begins to unfold, said Melissa Krasnow, a privacy and cybersecurity partner at VLP Law Group in Minneapolis.
“For a number of clients, we’re making sure we have the most up-to-date contacts, both internally and with law enforcement,” Krasnow said. “IT and legal should work hand in glove to make sure everything is up-to-date and people know what to do in the event of a ransomware hack.”
That includes conducting tabletop exercises to simulate breaches, she added. Such simulations are important because they give a company an idea of any gaps it might have, but lawyers should also work closely with IT teams to address holes and implement new security procedures after the simulated exercises, Krasnow said.
Although IT and legal teams have traditionally worked together, high-profile hacks and an increasingly complex privacy landscape are deepening bonds and resulting in more frequent communication between attorneys and security professionals, said Tom Zych, head of the privacy and cybersecurity team at Thompson Hine LLP in Cleveland.
“I see gratitude from IT departments that they’re being paid attention to, whether that’s getting put on the agenda or seeing an increased budget for necessary upgrades,” Zych said. “IT is relieved that people aren’t seeing security as merely an IT issue anymore.”
IT departments and counsel should work together to line up incident response companies they can turn to in the event of a breach or hack and set up contracts with them, said Erez Liebermann, co-chair of the U.S. data solutions, cyber and privacy practice at Linklaters LLP in New York.
But companies may benefit by signing those contracts only when an event occurs because that makes it more likely that such an arrangement would be shielded by pre-litigation work product privilege, he said.
Management of third-party partners and vendors has become “front of mind” recently, in large part because of newsmaking supply chain attacks, said Joseph Moreno, general counsel at SAP National Security Services in Herndon, Va.
In-house counsel are increasingly recognizing the importance of proper vendor due diligence since poor cyber hygiene in vendors can be a “point of vulnerability” just as it can be in one’s own company, Moreno said.
“If the vendor has to interface with your network to some degree or obtains data from your company, you want IT to be part of that conversation,” Moreno said. “You want IT to be involved to minimize access to only what’s necessary and so it can shut it off if the worst happens.”
Law firms, like other companies, can also get caught up in hacks, Zych said. An attack on file-sharing company Accellion Inc. affected several law firms earlier this year, and clients are asking more and more questions about the security postures of the law firms they work with.
“Clients are getting better at managing their own risk, and with that I’m seeing a sharper and sharper look as well as greater scrutiny of providers, including law firms,” Zych said.
Likewise, it’s important for IT departments to provide input and attention to legal teams, and for lawyers to weigh in on some IT decisions, said Liebermann, who was formerly chief counsel at
“Don’t just check the box,” Liebermann said. “Have the lawyers and info security teams sit together and really collaborate.”
And although time and budget constraints can be a roadblock, companies should realize that cyber is “way too critical” to take shortcuts, Moreno said.
“It’s a shame that it’s taken these types of attacks to bring these issues to the forefront,” Moreno said. “But it’s forcing all of us to take the issue seriously, which is that cyber is so critical to private industry and national security.”