Sidley Austin has hired two veteran cybersecurity attorneys from Baker McKenzie after major hack attacks last year prompted new federal regulations on U.S. corporations.
The attorneys, David Lashway and John Woods, were co-chairs of Baker McKenzie’s global cybersecurity practice in Washington. They are staying in the city to join Sidley.
Though studies have found that cyber offenders have had an advantage over the companies and governments they attacked, Lashway said, “we’re trying to create a defensive advantage that’s durable over time.”
Law firms have been ramping up their cybersecurity practices as threats from suspected Russian and Chinese hackers prompt rules to ward off attacks and quickly learn about incidents that do occur.
A ransomware attack a year ago temporarily paralyzed Colonial Pipeline Co.'s conduit, the biggest in the U.S. The following month, a cyberattack forced the world’s largest meat producer, JBS SA, to briefly halt operations across the globe.
The $1.5 trillion federal spending package President Joe Biden signed into law in March includes a requirement that corporations report hacks to the U.S. Department of Homeland Security within 72 hours of the discovery of the attack. Companies must make reports within 24 hours if they make a ransomware payment.
The Transportation Security Administration late last year implemented new directives that require most passenger and freight rail carriers to take steps such as designating a cybersecurity coordinator and conducting a vulnerability assessment.
Yvette Ostolaza, Sidley’s management committee chair, said Lashway and Woods have “handled a wide range of issues that companies and public sector institutions face, including national security, geopolitical, criminal, and white-collar matters.”
Lashway has advised on cybersecurity incidents and worked on election security, including in the 2016 and 2020 elections, according to Sidley.
Woods’ cybersecurity experience includes data governance, trade secret theft and financial services industry attacks. He served as lead lawyer advising a company on the legal response on the Notpetya malware incident in 2017, Sidley’s statement said.
Lashway said a Sidley cyber team will help him and Woods “navigate these complex issues.” The team includes prosecutors, tax lawyers, computer scientists and former intelligence professionals, he said.
The two men are leaving Baker McKenzie after the firm in late January announced former Manhattan District Attorney Cyrus Vance Jr. was taking over as head of the cyber practice.
The Justice Department last week confirmed that prosecutor John Carlin, who oversees corporate crime enforcement, would be leaving this summer.
Acting Deputy Attorney General Carlin, a cybersecurity specialist, was chair of Morrison & Foerster’s global risk and crisis management group before leaving for Justice in early 2021.
It’s unclear if Carlin will be returning to Morrison & Foerster. Firm spokespeople did not return requests for comment.