Interesting article on the legal practice in cybersecurity

February 27, 2015

The New Jersey Law Journal has published a very interesting and illuminating article, For Companies, Cybersecurity Is a Cost-Benefit Analysis, on the practice of cyber law, the attitude of companies to the risk of a data breach and the costs involved. Because data breach notification laws, which exist in most American states, are absent in Australia, and because of quite strong regulatory action by the Federal Trade Commission and state-based authorities, the exposure to litigation and enforcement action in the United States is greater and the law has developed at a faster pace there than in Australia. That is not to say that Australian companies don’t suffer data breaches or that personal information is not compromised. Until March last year the exposure to strong regulatory action was low, so the risk was low. And where the risk is low it is not surprising that the effort and spend on data security is less than it should be.

The article provides:

Accepting that there’s a problem, as the saying goes, is the first step.

As companies come to terms with cybersecurity risks, they’re faced with questions of how to address them—and how much it’s all going to cost.

“It’s clearly a budgetary item” and “really a risk-reward, cost-benefit analysis,” said James Van Horn, general counsel of Sun Chemical Corp. of Parsippany, New Jersey.

“It’s an expense to the company, and the question is, is it worth it?” Van Horn added. “You don’t want to hit a fly with a sledgehammer.”

Larry Hayes, general counsel of West Chester, Pennsylvania-based shopping network QVC, said, “Certainly, there is a higher focus, and a higher focus is always going to engender budget dollars being allocated to it.”

The potential costs are well documented. In recent years, for example, three health-care providers settled patient-privacy charges lodged by the U.S. Department of Health and Human Services for a combined $6.5 million, and one lawyer estimated the average prelitigation cost of a data breach, per personal record compromised, at as high as $200.

But breach response is only one aspect of data security—hiring consultants, improving systems and bringing resources in-house all come with a price tag.

“Business is good and has been good for awhile,” said Gideon Lenkey, co-founder and president of information-security firm Ra Security Systems, based in Milford, New Jersey.

According to Lenkey, Ra handles system monitoring (for malware and other malicious activity); penetration testing (essentially a simulated hack); policy review (“oftentimes there’s a gap between what you said you’re going to do and what you’re actually doing—most times, management is unaware of that gap”); system “hardening” (to bolster protections); and breach remediation.

Fees vary widely. Penetration testing, for example, can range in price from $7,500 to $70,000, depending on the intricacy of the client’s systems, while more open-ended tasks are billed at $280 an hour, Lenkey said.

“As a company, while we didn’t start out to do [security], by 1999 it became a major part of our business, and, by 2001, it was our entire business,” Lenkey said, noting a recent uptick in nonretail clients.

Ra typically deals directly with chief information officers or information-security units, Lenkey said.

“A lot of the time, the corporate counsel doesn’t even know [a security problem] happened,” and “sometimes your job is convincing the in-house counsel they need to consult a [legal] specialist on something like this”—especially when personal information has been compromised and reporting requirements are triggered, Lenkey said.

“Early on, it was a battle royal to make the counsels understand what’s going on,” Lenkey added. “Now they’re specialists. … You don’t have to get out the sock puppets, so to speak.”

Firm lawyers with data-security practices say they’re significantly busier counseling clients on pre- and post-breach issues, such as privacy laws that vary by jurisdiction.

One attorney in cybersecurity practice said establishing a response plan usually fetches a flat fee of $20,000 to $30,000, though it could be more if it’s from scratch.

Whether such tasks are handled on a flat-fee or hourly basis varies by firm, said the lawyer, who asked not to be named.

Paul Bond, a partner with Reed Smith in Princeton, New Jersey, who works on privacy and data security issues, said, “It’s not going to make sense indefinitely to pay a law firm to keep that effort up,” but companies need embedded privacy resources or third-party vendors.

Bond said a lot of cybersecurity legal needs lend themselves to alternative fee arrangements of either annual, monthly or per-project fixed fees, because clients need to be able to raise all of their cybersecurity concerns without watching the clock.

Once a breach occurs, legislative changes over the past five years ensure more enforcement actions and civil litigation, according to Drinker Biddle & Reath partner Stephen Serfass, who counsels on privacy issues facing the insurance and financial services industry.

“Basically, now, if you have a breach and you have to provide notice and report to enforcement officials, you are going to get sued,” Serfass said. “It’s not a question of if but how many class actions will be filed against you.”

Another potential expense is cyberinsurance, which covers calamities that general policies typically don’t, said J. Wylie Donald, a Wilmington, Delaware-based partner of McCarter & English in the cybersecurity and data privacy group.

“Property insurance—if my building’s going to burn down, that’s easy,” he said. “Cyberinsurance—that’s not a given … but you can’t operate your business if your computers are [down].”

Donald, citing information obtained from a broker, said an annual premium typically ranges from $10,000 to $25,000 per $1 million in coverage, though rates for retail corporations would be higher.

He said at least 50 carriers offer cyberinsurance as an independent or add-on policy.

The “uptake” of cyberpolicies is increasing as hacks of major corporations proliferate in the news, but “small companies ought to be more concerned” because of their limited resources, Donald said.

“The bad guys would love to hack you, because you’re not JPMorgan,” he added.

“When you look at risk … you either accept it, you transfer it, you mitigate it, or you destroy it,” Donald said. “Insurance is just another tool for dealing with the risks that are out there,” but “you can’t deal with all the risks through insurance.”

David Shannon, chairman of Marshall Dennehey Warner Coleman & Goggin’s technology, media and intellectual property practice, said “companies have realized that cyberinsurance is a requirement now for their data security plan.

“In addition, businesses are increasing their policy limits for their cyberinsurance as the costs of data breaches continue to be significant, whether the costs be notification costs, third-party class action litigation or fines and penalties from a variety of sources,” Shannon added.

Firms with cybersecurity practices have stressed the importance of outside counsel’s participation even before a breach; the lawyer can assemble a response team of professionals under protection of privilege, they point out.

But Van Horn said companies are “using the experts who really know data security.”

Those are auditing firms and information-security consultants.

“They’re not necessarily the lawyers of the world,” Van Horn said. “More of this is internal and uses the expertise of nonlawyers.”

One internal measure, at least for a large corporation with the requisite budget, is hiring a senior-level chief information security officer—positions that are in demand and garnering increasing salaries, according to reports.

But, as Van Horn pointed out, compensation isn’t the lone expense.

“You’re not just going to hire one person and not be dedicated to the issue,” he said, noting that a budget and staff would be required.

Whatever the course, both Van Horn and Lenkey said specialists are required, and information-technology departments alone aren’t up to the task.

“The days of, ‘We have antivirus and a good firewall, so we’re good,’ are way gone,” Lenkey said. “The fatal mistake is letting IT handle your security. It’s a delicate topic. You don’t want to step on any toes … but they are totally different disciplines.

“The IT man’s job is satisfaction—he’s there to make your life easy,” Lenkey added. “Security is the opposite of easy.”
