A series of ransomware attacks and supply chain disruptions are forcing external and internal legal advisers to work more closely with IT to strengthen security and minimize the legal risks that accompany these attacks.
Large-scale ransomware attacks are fueling conversations between IT departments and lawyers as business leaders see the headlines and recognize the potential costs of supply chain compromises, said Mark McCreary, co-chair based at Philadelphia of Fox Rothschild LLP’s Data Privacy and Security Practice.
“In-house legal advisers aren’t always so involved in IT decisions, but they’re starting to listen more and work more closely with vendors,” McCreary said. “Legal departments are overloaded, there’s no question about it, but they are certainly leaning and paying more attention to IT. “
The practical interaction and collaboration between IT departments, in-house legal counsel, and firm attorneys is only expected to deepen as supply chain successes such as the one against Kaseya Ltd. continue to accelerate, added McCreary.
Communication between IT, internal legal counsel, and external law firms is essential to developing security programs and data compliance programs, but a strong relationship is perhaps even more crucial when an incident begins. to happen, said Melissa Krasnow, head of privacy and cybersecurity. partner at VLP Law Group in Minneapolis.
“For a number of clients, we make sure we have the most up-to-date contacts, both internally and with law enforcement,” Krasnow said. “IT and legal departments need to work hand in hand to make sure everything is up to date and people know what to do if a ransomware is breached. “
This includes conducting tabletop exercises to simulate violations, she added. Such simulations are important because they give a company an idea of what gaps it might have, but lawyers should also work closely with IT teams to fill in the gaps and implement new post-exercise security procedures. simulated, Krasnow said.
While IT and legal teams have traditionally worked together, large-scale hacks and an increasingly complex privacy landscape are strengthening ties and leading to more frequent communication between lawyers and security professionals, Tom said. Zych, head of the privacy and cybersecurity team at Thompson Hine LLP. in Cleveland.
“I see gratitude from the IT departments that they pay attention to whether it’s getting on the agenda or seeing an increased budget for necessary upgrades,” Zych said. “IT is relieved to see that people no longer see security as just an IT issue. “
IT departments and lawyers need to work together to identify incident response companies they can turn to in the event of a breach or hack and establish contracts with them, said Erez Liebermann, co-chair of the US Department of Data Solutions. , Cyber & Privacy at Linklaters LLP in New York.
But companies can benefit from signing these contracts only when an event occurs, as it increases the likelihood that such an agreement will be protected by pre-litigation work product privilege, he said.
The management of partners and third-party vendors has recently become “in front of the mind” recently, in large part because of attacks in the news supply chain, said Joseph Moreno, general counsel at SAP National Security Services at Herndon, Virginia.
Internal legal advisers increasingly recognize the importance of proper vendor due diligence, as poor IT hygiene at vendors can be a “point of vulnerability” just as in his own business, Moreno said.
“If the vendor needs to interface with your network to some extent or get data from your business, you want IT to be part of that conversation,” Moreno said. “You want IT to be involved to minimize access to only what is needed and so they can shut it down if the worst happens. “
Law firms, like other businesses, can also fall victim to hacks, Zych said. An attack on file-sharing company Accellion Inc. hit several law firms earlier this year, and clients are increasingly asking questions about the security positions of the law firms they work with.
“Clients are managing their own risk better, and with that, I see an increasingly sharp look as well as a deeper scrutiny of vendors, including law firms,” Zych said.
Likewise, it’s important that IT departments give their input and attention to legal teams, and that lawyers have a say in certain IT decisions, said Liebermann, who was previously senior legal counsel at
“Don’t just tick the box,” Liebermann said. “Ask lawyers and information security teams to sit down together and really collaborate. “
And while time and budget constraints can be a hindrance, businesses need to realize that cyber is “way too critical” to take shortcuts, Moreno said.
“It’s a shame that it took these kinds of attacks to bring these issues to the fore,” said Moreno. “But it forces us all to take the issue seriously, that cyber is so critical to private industry and national security.”