Bloomberg BNA just published a detailed discussion with me concerning the evolving role of the general counsel during a data breach response. This topic is critical for lawyers working in-house at public and private companies. As I point out in the article:
The GC, alone or with outside counsel, has quietly emerged as the most logical and effective quarterback of data breach response.
Incident response workflow requires careful legal navigation because the legal ramifications of any failure can be calamitous or even fatal for any public or private company. Because so many incident response issues bear on the very survival of a company, the GC should lead the investigative workflow, commanding the investigation and remediation for the C-suite and sharing with senior management the ultimate responsibility for key decisions. Just like any other independent and thorough investigation, the work relating to a cyber-attack will involve a team of lawyers with different skillsets and expertise (e.g. regulatory; e-discovery; data breach response; privacy; white collar defense; litigation; law enforcement liaison; and the list goes on).
Virtually every aspect of an incident response is rife with delicate and complex legal issues. For instance, consider the dramatically competing constituencies during an incident response. On one hand, there are the FBI, Secret Service, U.S. Air Force Office of Special Investigations, and other law enforcement agencies who want to help find the intruders; on the other hand, there are the myriad attorneys general and other state regulatory agencies who will be issuing requests and demanding answers about the safety of the personally identifiable information, or so-called “PII,” of their respective citizenries. The GC should lead the creation of the rules, practices and procedures that govern the sharing of intelligence with government agencies.
In addition to the governmental investigations and litigation, the list of civil liabilities after a cyber-attack is almost endless, including shareholder lawsuits over cyber security and data breach disclosure failures, declines in a company’s stock price, and management negligence. There may also be consumer/customer-driven class action lawsuits against companies falling victim to cyber-attacks, alleging a failure to adhere to cyber security “best practices.”
* * *
Interestingly, law firms are only beginning to respond to the need for incident response by forming specialized data breach response legal practice groups. But my take is that the incident response practice area is where the Foreign Corrupt Practices Act practice area was ten or fifteen years ago – and in just a few years, data breach response practice groups will not only be a leading revenue generator for law firms but will also be the leading growth area for large law firms.