Law firms setting up cyber specialties as attacks grow

Data breaches might look like fod­der for headline news or primetime television, but lawyers warn that the legal drama that can unfold fol­lowing an errant keystroke is real and increasingly common.

When it comes to tracked data breaches, the United States hit an all-time high last year with 1,093 reported breaches. That is a nearly 40 percent increase from 780 doc­umented cases the previous year, according to a study released in January by Identity Theft Resource Center in San Diego and Cy­berScout in Scottsdale, Arizona.

As more and more individuals and busi­nesses fall victim to violations of cybersecu­rity — from losing a computer containing confidential information to downloading a crippling virus — some law firms have ex­panded their practices to create cybersecuri­ty specialties, while others have reported an increase in computer-related business.

“Law firms are always scanning the hori­zon, and cybersecurity is not only a Goliath, but it is a Goliath that is never going away,” said Sharon D. Nelson, president of Sensei Enterprises in Fairfax and a member of the American Bar Association’s Law Practice Division. “We are here to stay in the digital world, and data is black gold. Data is the new oil, and having seen that, law firms are very responsive.”

Saul Ewing partner Alexander R. Bilus is co-chair of the Baltimore-based firm’s cy­bersecurity and privacy practice group, com­posed of about 41 lawyers from various prac­tice areas. His practice group has grown in the past year as sundry cybersecurity scan­dals dominated the news, from allegations over Hillary Clinton’s email server to Rus­sian hackers interfering with the election.

As evidence of demand for cybersecuri­ty lawyers, April F. Doss — who was chair of Saul Ewing’s cybersecurity and privacy practice group and helped launch it about a year ago — recently left the firm to work on the Senate Intelligence Committee’s probe into Russia’s interference in the 2016 elec­tion.

“Certain people who are paying attention [to cybersecurity news] are starting to think, ‘How can I protect myself, my business, my family from that?’” said Bilus, who works in Saul Ewing’s Philadelphia office. “Many com­panies have hired cybersecurity staff to man­age threats as they’ve become more aware of technology’s weaknesses. I don’t know that the country as a whole is there yet.”

Rockville, Maryland-based attorney Mi­chael S. Rothman, who has worked on com­puter-related cases for more than 10 years, said that educating the public is critical: Many don’t know how to identify a potential cybersecurity threat or understand why it’s important to hire a lawyer who specializes in the field to deal with a breach.

Working with small firms

Unlike Bilus, Rothman said his work is on a smaller scale, defending those charged with internet crimes. He’s also performed threat assessments for small firms and helped them after an employee has made off with a cus­tomer list, or after someone has installed key­stroke logging software on a client computer.

“There are more cyberattacks on individ­uals and small firms now than ever before,” he said.

Rothman said that there is no real way of stopping breaches from happening as long as human error exists. The volume of such crimes is so high that understaffed police and prosecutors rarely pursue charges unless they’ve been handed an abundance of evi­dence, he said.

“This is like trying to hold back the ocean with a teaspoon. There would never be enough resources to prevent people from getting scammed, or from committing online crimes,” he said. “The only thing you can do to improve the situation is to make people more aware of what a scam looks like.”

Firms also are seeing an increase in pri­vacy lawsuits and clients that need trained data breach or privacy lawyers to oversee them.

“It is a much-needed service,” said Nelson, of Sensei Enterprises. “With the larger firms in particular, they want people to have one-stop shopping, and if they don’t have people in these fields, they are not offering one-stop shopping. If their clients get breached, it is a very expensive proposition. One part of that is legal fees, so of course they would like those legal fees to adhere to them.”

On the ground floor

Harriet Pearson began working in cyber­security before it was even a term. That was in 1996, and Pearson served as IBM’s vice president, security counsel and chief privacy officer. Later, when she left to work on legal data privacy cases at a private law firm, peo­ple asked her if she really thought there was enough work in the field.

“I can say after five years of focus­ing my law firm practice on it, there is a growing interest and demand from companies of all types for assistance on planning for, reducing the risks of, and responding to the undeniable reality that there are more cybersecurity vul­nerabilities and threats out there that have to be addressed,” said Pearson, now a partner in Hogan Lovells’ global privacy and cyberse­curity practice group in Washington.

Nearly every state has data notification laws regarding breaches. National Cyber Se­curity Alliance Executive Director Michael Kaiser said having a knowledgeable lawyer can help businesses and organizations better understand their legal responsibilities.

“Having legal advice, certainly if [an at­tack] happens but preferable in advance of it happening, so that you know what your legal requirements are if you were to lose data, would be something most businesses are starting to understand they need to pay attention to,” he said.

Who to recruit

Law firms are moving in two directions, according to David S. Turetsky, partner at the Washington-based Akin Gump and a member of the ABA’s Cybersecurity Legal Task Force.

“More are trying to do what we’ve done at Akin Gump: recruit new talent when ap­propriate and recognize that cybersecurity can and should be a true cross-practice ini­tiative that draws on and further develops lawyers with cyber-relevant skill sets from elsewhere in the firm,” he said.

Akin Gump draws on lawyers who are experts in HIPAA to raise important cy­bersecurity and privacy issues as well as government contract lawyers who have an understanding of the federal government’s evolving cybersecurity-related procurement rules.

To provide the best service possible, Turetsky believes it is beneficial for law firms to cultivate ties and relationships with various kinds of technical, forensic, and consulting firms and experts “to ensure that clients have access to a comprehensive suite of services that can anticipate and address the full range of cybersecurity needs they may encounter.”