Cybersecurity Resolution Adopted

The American Bar Association (ABA) adopted a startling resolution on cybersecurity at its August 2014 meeting. The ABA resolution urges all businesses, law firms, government agencies, and organizations to take cybersecurity seriously and to conduct regular reviews of security posture. But, the most import aspect of the resolution is, finally, the formal recognition that cybersecurity is not just a technology issue but fundamentally a legal, business leadership, management, and technical issue.

Through this Resolution, the ABA stresses the importance of security programs for all organizations as a matter of sound governance and risk management…. Cybersecurity has moved beyond the realm of technical personnel; the maintenance of a security program, including the components stressed in this Resolution, is a responsibility that all senior executives, business owners, attorneys, general counsels, compliance officers , and government officials should embrace. ABA Cybersecurity Legal Task Force, Cybersecurity Resolution 109, American Bar Association, 13 (Aug.2014), available at  http://www.americanbar.org/content/dam/aba/administrative/house_of_delegates/resolutions/2014_hod_annual_meeting_109.authcheckdam.pdf (emphasis added)

The Cybersecurity Resolution also summaries the recommendations for organizations.

It is imperative that all organizations—private sector companies and other organizations, government departments and agencies, and professional firms such as legal, accounting, engineering, and consulting entities—develop, implement, and maintain an organization-wide security program in accordance with accepted security frameworks and standards. Today, too many organizations and entities—including critical infrastructure companies—have completed some activities within a security program, but not all, making them easy targets for sophisticated cyber-criminals. The lack of a disciplined process for the selection of security controls and ongoing reviews are two of the most serious gaps in security programs. Likewise, many organizations do not devote adequate funding to address known gaps and deficiencies in their security programs or to ensure that their organizations have well-developed plans to enable them to respond adequately to incidents and maintain continuity of business operations. Id. at 13.

Attorney Shannon Brown, as a cybersecurity lawyer and long-time information technology professional with real, hands-on technology skills, welcomes the Resolution—albeit perhaps long overdue. Cybersecurity, information security,  information governance, data breach, disaster recovery planning, and overall data protection fundamentally require a new-breed of data lawyers who can address the business, technology, and legal aspects of these complex issues. Developing solid cybersecurity policies and procedures, implementing BYOD policies, evaluating systems for compliance with legal regulations (such as HIPPA), performing cybersecurity audits, and performing cybersecurity evaluations all require legal guidance, not just technical measures—as the ABA now attests and as Attorney Shannon Brown has argued before.

Today’s business owners and officers, as part of their fiduciary duties, will need obtain competent legal advice from a data attorney / cybersecurity attorney to assure that the business owner meets his duties to protect data and to properly address issues.