Cybersecurity Law Firms: You're Just Using Me for my Privilege

By William Peacock, Esq. on April 09, 2013 | Last updated on March 21, 2019

We feel so dirty.

The Wall Street Journal ran an interesting story last week about a new tactic that companies are employing to deal with cybersecurity threats and data breaches - hiring lawyers. Now, that probably isn't surprising to you - for nearly every significant data breach, there's a class action lawsuit filed in response. However, the real surprising part of the story was that the firms aren't being hired for their legal skills - they're being hired for privilege.

A breach happens. Data is compromised. A company's first response is probably to call a cybersecurity expert. After all, they can assess the damage, plug the leak, and prevent future hacks.

Many of these experts, however, advise them to find a lawyer first. Why? If the experts come in immediately and start investigating, the results might be discoverable in litigation. If lawyers are hired first, and the lawyers hire the security gurus, such sexy concepts as attorney-client privilege and the work product doctrine might help to keep the information private.

Of course, the lawyers aren't just being used as a legal shield from discovery. They also carry knowledge about the increasing numbers of state and federal regulations. According to the Reuters, the Securities and Exchange Commission has been pressuring companies to disclose information about attacks on their networks since late 2011. Forty-seven states have also adopted data-reach notification laws.

Between their knowledge of state and federal laws, administrative regulations, and the lending of privilege to the security experts, lawyers seem to have found a new practice area. As one would expect, BigLaw is wasting no time in filling the niche. For example, Alston & Bird LLP hired Kimberly Peretti earlier this year to co-chair the firm's security-incident and management response team, reports the Journal. She previously worked for the Justice Department's Computer Crime and Intellectual Property Section.

And for all you in-housers out there, even if you think that privilege or work product might protect your company's investigation (you, after all, are an attorney), you still might be better off locating outside counsel first. Data breach laws and regulations are a new and rapidly-developing field that requires a level of technological proficiency that most in-house attorneys lack.

Related Resources:

Copied to clipboard