Why every CIO needs a cybersecurity attorney (my comments on why this is my favorite article ever)

Wow, this article seriously just made my day.

I will apologize in advance to my friend and CSO writer and Michael Santarcangelo (@catalyst), but this may very well be my favorite article — anywhere — of all time! And, thank you, Tom Hulsey (@TomHulsey), for sharing it with me! As for you, Ms. Kacy Zurkus (@KSZ714), all I can say is, great job on this article!

Why is it my favorite article?

Well, if the title of the article did not give it away (yes, there’s a reason we attorneys are the 2nd oldest profession … we’re pretty close to the 1st …), then consider these snippets:

“Distinguishing the technical experts from those responsible for legal obligations and risks will help companies develop better breach response plans. Understanding the role of an external cybersecurity firm will only help.” (Have I not been preaching the need for breach response plans??? See Why Your Company Needs a Breach Response Plan: Key Decisions You Must Make Following A Data Breach (Aug. 3, 2015) and More Posts)

“But even with a seemingly impenetrable security system in place, you still need an attorney focused on cybersecurity issues. Sure, internal counsel can help you minimize your company’s legal risks. But partnering with an external firm boasting security expertise can also help the CIO navigate through several unfamiliar legal areas, such as compliance with local, state and national privacy laws and security requirements, civil litigation over data and privacy breaches, and corporate governance.” (ahhh yes, music, sweet music to my ears!)

“’The breadth of industries who need this type of counsel has exploded,’ says Amy Terry Sheehan, editor in chief of the Cybersecurity Law Report.” (preach it sister Amy, preach it!)

“Because every company now has data online – including personally identifiable information (PII), trade secrets and patent information – Sheehan says, ‘There is an increased need for specialized expert attorneys in cybersecurity and data privacy. Even attorneys who are working on mergers and acquisitions need to know the cybersecurity laws. (I could not have said this any better myself, dang Kacy, you are good!)

“Because time is not a friend in any breach situation, companies that have cyber security attorneys on retainer are better positioned to quickly and efficiently respond to incidents.” (mmm hmm, as I write this, there is a leader of a company who did not know my name or know what a “cybersecurity attorney” was on Monday of this week … today (Thurs. morning), I am his new best friend and he calls me more than my wife does!)

“CIOs are clearly responsible for the technical aspects of cybersecurity, of course, but as Sheehan says, ‘negotiating with the government or a complicated investigation that requires more manpower’ demands the expertise of a cybersecurity attorney.” (exactly — those who are looking back with 20/20 hindsight, following a breach, are not technical people, they are lawyers: agency regulators, state attorneys’ general, judges, and plaintiff’s lawyers — you need a legal perspective for this)

“’To not have a cybersecurity attorney on retainer is foolhardy at best,’ because organizations need somebody who is a specialist in what Thompson identifies as the four main areas of concern: breach scenarios, personnel policies, cyber liability insurance and working with government.” (exactly!)

“Maintaining privilege is paramount in the aftermath of a breach, but understanding the differences between a possible incident, an actual incident or a breach will drive the company’s response. Cybersecurity attorneys work with organizations to develop their incident response plans, which determines who speaks to whom when and about what. ‘The plan should be very basic and the attorney is a key part in designing the plan,’ Thompson says.” (privilege can be a huge issue — and as for those Incident Response Plans, definitely use the KISS method)

“Additional risks exist around response time in the aftermath of a breach. According to Sheehan, ‘You’ll not have valuable advice in advance of a breach, which presents litigation risks, and litigation is becoming much more common – it’s filed immediately after a breach, and counsel is involved in mitigating litigation risks.’” (what you do pre-breach can have a huge impact on how you are impacted post-breach, from a liability standpoint)

There is a lot more delicious medium-rare red meat (filet mignon, to be exact) in this article so go read it — NOW! Why every CIO needs a cybersecurity attorney | CIO.

Will Officers & Directors Be Held Legally Responsible for Companies’ Data Breaches and Cybersecurity Incidents?

Will Officers and Directors be held legally responsible for their companies’ data breaches and cybersecurity incidents?

Will Officers & Directors Be Held Legally Responsible for Companies’ Data Breaches and Cybersecurity Incidents?

Will Officers & Directors Be Held Legally Responsible for Companies’ Data Breaches and Cybersecurity Incidents?

That is the question I addressed in Cybersecurity Risk: Law and Trends – A Director’s Duties Must Evolve With The Company’s, which was recently published in the Spring 2015 issue of Ethical Boardroom (see article below).

The article is short and gets to the point. It explains where the trend is headed on this issue as well as why it is moving in that direction. It also identifies some steps that Officers and Directors can take to help mitigate this risk — while also helping protect their companies from the dangers lurking out in the cyber world.

You can view the full article in the Spring 2015 issue of Ethical Boardroom, which begins on page 108, but I also recommend you take some time to look at the entire issue as it is very informative. As always, feel free to let me know if you have any questions or comments.

The Best Evidence Why Your Company Needs a CISO Before a Data Breach

“The proof is in the pudding,” goes the old saying.

When it comes to organizational changes companies make following a data breach, If the proof is in the pudding, then the verdict is clear: companies should hire a Chief Information Security Officer (CISO) before they have a data breach.


According to this article in USA Today, companies usually tend hire CISOs after they have had a data breach. After?

Yes. They do this because they do not want to have another data breach and, after feeling the sting from the first, they are finally willing to invest more resources so that they do not have another data breach.

There is another old saying to remember: “Wise men learn from their mistakes, but wiser men learn from the mistakes of others.” (author unknown)

As your company’s leader, which will you be?

Check out my first post on Norse’s DarkMatters > Sony Hack: Where Do We Die First?

Hey everybody, go check out my first post on Norse’s DarkMatters blog — yeah, you know, Norse with the awesome Live Cyber Attack Map!

Now that you’re mesmerized by the map, here’s the post and please share it! Sony Hack: Where Do We Die First?

Podcast: #DtR Episode on Lines in the Sand on “Security Research”

You really need to hear this podcast where we draw lines in the sand staking out what is — and what is not — security research

The #DtR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] invited me to tag along for another episode of the Down the Security Rabbit Hole podcast.

Also joining us for this episode were Chris John Riley (@ChrisJohnRiley) and Kevin Johnson (@SecureIdeasllc).

You can click here to see a list of the topics we covered in this episode or just jump straight into the podcast.

Let us know what you think by tagging your comments with #DtR on Twitter!

Yes, I will mention this post in tomorrow’s seminar on data breach! “Who’s Gonna Get It?”

This is one of my favorite and my most popular posts ever — and you better believe I will find a way to mention it to this group of CEOs to help them understand why it is important to take seriously the data security threat!

Data Breach – Who’s Gonna Get It? | business cyber risk | law blog.