The Unwitting Cybersecurity Trap: The Risks of Relying on Technology Consultants
Considering the increasing number of data breaches, “hacking” episodes, and cybersecurity incidents over the past few years, businesses are finally starting to take cybersecurity and data security seriously. Businesses also realize that responsibility for data security is shifting from the IT staff to the Board and senior leadership.* However, some businesses still do not realize that data security is primarily a legal issue for business, not just an IT issue. Therefore, relying on technical consultants for legal problems may unwittingly create problems for a business.
Cybersecurity is a Legal Issue
Almost all states now require some form of data breach reporting. Businesses, so far, have ducked liability in the courts from data breach damages. But victims continue to put forward novel theories, and liability lurks.** The costs of defending against such a lawsuit can be significant. Furthermore, damages from a cybersecurity incident, such as recovery costs, mitigation costs, notification expenses, monitoring fees, lost business (about 50% of cybersecurity victims abandon the business), and consultant costs, may lead to legal action from shareholders. Businesses also face a myriad of regulatory and compliance requirements. For example, the FCC recently levied a $10 million fine against two businesses for failing to protect data—and more actions are coming from both federal and state agencies, including new unfair-trade-practices claims.*** The take-away: cybersecurity raises important legal issues.
The Risks of Only Using Cybersecurity Consultants
Many cybersecurity consulting firms provide an important technology service by implementing, monitoring, or addressing the technology aspects of cybersecurity. But cybersecurity technology consultants either
- offering regulatory compliance services or
- implying that the technical services somehow meet legal requirements
might place the hiring businesses at significant risk—a risk that is often not obvious until a problem arises later.
Risks with hiring a cybersecurity consulting firm are:
- the technical consultants cannot provide binding opinions regarding either regulatory compliance or legal compliance (negligence, due diligence, etc.), and thus reliance on such opinions may place the business at risk (and even offering such opinions may be illegal in most states under criminal and civil unauthorized-practice-of-law statutes or unfair trade practices); and
- all of the work done by the technical consultants, including reports, network diagrams, infrastructure diagrams, personnel involved, observations, analyses, and decisions made, becomes fully discoverable (exposed) in a subsequent lawsuit—meaning the business will likely need to turn over all this information to the opposing side.
Thus, a business relying on assurances by the cybersecurity consulting firm regarding regulatory compliance or due diligence may place the business in a legal predicament as these assurances may mean little or nothing. (Sometimes people think that the nod-and-wink “I’m not a lawyer but…” disclaimers somehow make these risks go away. That is mistaken.)
Addressing the Cybersecurity Consulting Trap
Addressing the cybersecurity trap involves a simple readjustment of the relationship between the business, consultant, and attorney. The business first engages an attorney knowledgeable in cybersecurity. Under the direct supervision of the attorney, the business hires a cybersecurity consulting firm. The cybersecurity lawyer then mediates between the cybersecurity technical team and the business.
How does this arrangement potentially mitigate the trap and risks? In this arrangement, the business
- gains defensible legal opinions on cybersecurity from the attorney, including defensible opinions on regulatory compliance (providing reasonable-reliance defenses);
- receives technical work by the cybersecurity consultant, but under the direction and advice of the attorney, to address the cybersecurity technical concerns; and
- gains potential protection from disclosure because the work was conducted under the direction of an attorney (the business and attorney can assert attorney-client privilege and the attorney-work-product doctrine in the event an incident occurs later).
The organization and timing are important to potentially benefit from the arrangement. Before any work is done, the business hires the law firm (cybersecurity lawyer), who in turn hires or oversees the cybersecurity firm. (Other arrangements may waive the potential benefits even though they may sound similar.)
Businesses trying to do the right thing might unwittingly waive some important potential benefits of a cybersecurity analysis. When directly hiring a cybersecurity consultant to address legal issues related to technology, the business likely waives the potential benefits of attorney-client privilege and attorney-work-product protections. These protections may become important should a data breach, “hacking,” or cybersecurity incident occur later.
Furthermore, an attorney can provide valid legal opinions on regulatory compliance and due diligence so businesses can assert reasonable-reliance defenses. In contrast, regulatory compliance “opinions” by technology consultants likely have little or no weight because they are not legal opinions (and regulations are legal issues, for example HIPAA).****
Cybersecurity and data security are increasingly becoming a hot-button issue for most businesses. Unfortunately, technology consulting firms offering cybersecurity services might be placing businesses at risk or reducing the benefit of such services. Reducing that risk simply involves seeking competent legal advice from an attorney.
* See, for example, Todd Sexton, CEO responsibilities for data breach, Homeland Security Wire (Feb. 13, 2015); David Geer, Why the Board of Directors Will Go Off on Security in 2015, CIO Magazine (Dec. 10, 2014); or Shannon Brown, The Next Battleground for Data Breaches…Shareholder Lawsuits? (Apr. 11, 2014).
** But this is quickly changing as companies, not individuals, bring the lawsuits. Meagan Geuss, Judge rules that banks can sue Target for 2013 credit card hack, Ars Technica (Dec. 4, 2014).
*** Brian Fung, With a $10 million fine, the FCC is leaping into data security for the first time, Washington Post (Oct. 24, 2014).
**** One exception may be PCI compliance, because PCI compliance is an industry standard and not necessarily a legal regulation per se. But because related legal issues may be at stake, this quickly becomes a slippery slope.