Written by Rebekah Lewis
Recent revelations about Uber's failure to disclose a 2016 data breach affecting 57 million drivers and users highlight a number of important governance considerations. This installment of KCGC | In Practice considers some of the key challenges that many organizations may face regarding one of these considerations: the role of in-house cybersecurity legal counsel.
In the fallout over Uber's recent disclosure of the 2016 data breach and the subsequent cover-up of that breach, two individuals who reportedly oversaw the incident response were fired: Chief Security Officer (CSO) Joe Sullivan and Craig Clark, an attorney reporting directly to Sullivan as the Legal Director for Security and Law Enforcement. Reports indicate that the company's General Counsel, Salle Yoo, claims she did not know about the incident or the cover-up.
Uber's debacle is the result of multiple governance and operational failures, not least of which was the company's notorious culture of disregard for the law. But the role of Sullivan and Clark in the incident touches on challenges that many companies may face in managing cybersecurity legal risk while seeking to meet operational imperatives.
Recognizing the significant reputational and financial impact of cybersecurity legal risk, as well as the highly technical and fast-moving nature of cybersecurity operations, organizations are increasingly adopting the practice of "embedding" (also sometimes referred to as "forward deploying") attorneys specializing in cybersecurity with the information security team instead of relying on a centrally housed legal team or outside counsel. The basic idea is that these technically proficient attorneys are dedicated full-time to supporting the cybersecurity or information security team in order to provide expert legal support at speed. They are often co-located with technical personnel, sitting alongside them and attending operational and other meetings as members of the team.
Reporting Structure for Cybersecurity Legal Counsel
Although considering these positions as part of a multi-disciplinary team can help to facilitate more comprehensive, informed and seamless legal support, these attorneys should still report to the General Counsel (GC) and should not be considered direct reports of the CSO or other information security leadership positions.
First, the assessment and management of cybersecurity legal risk is highly fact-dependent, including the detailed facts of specific incidents as well as higher-level facts about the company's operations and other obligations. Legal guidance in this area cannot be sound if given in isolation. For example, in the case of the 2016 Uber breach, an adequate assessment of the company's legal risk related to the incident and its response, including disclosure, likely would require an understanding not only of the company's security posture and the data that was accessed (including the types of data, data subjects, and the location and state of the data) but of a number of other factors as well. These might include, among other things, the implications of the company's contractual relationships (e.g., GitHub, AWS, security vendors, other relevant third parties), any relevant consent orders, ongoing litigation or investigations, and how the nature and location of the company's operations might implicate a range of applicable laws and regulations across jurisdictions, some with potentially conflicting requirements.
In addition, because cybersecurity touches so many aspects of an organization, it can also have a profound impact on analysis and guidance regarding other areas of legal risk. As a sampling, cybersecurity issues may affect legal guidance regarding mergers and acquisitions (from both the buyer and seller side), purchase of products or services, sharing of proprietary business information in any number of contexts, recruitment and employment decisions, strategy and obligations regarding ongoing litigation and government investigations, and marketing, public policy and lobbying efforts.
The GC is ultimately responsible for overseeing, assessing and advising on all of these risks as they inform the company's overall legal risk. In order to fulfill this responsibility, the GC must have an understanding through her reports of the impact of particular cyber incidents, general cyber-related legal risk and legal risk related to the variety of other activities and issues that may be impacted by cyber. In addition, to fulfill her role as an advisor, the GC needs to be properly informed and prepared to report up to the CEO and the Board.
To ensure legal risk is properly evaluated at all levels, cybersecurity legal risk must be evaluated contextually and overseen by the highest levels of leadership. Accordingly, companies that want to benefit from embedded cybersecurity attorneys should require that those attorneys remain integrated with and accountable to the legal team and the General Counsel.
Internal Incident Reporting Policy
The flipside of this need for proper accountability is the critical need for operationally efficient legal support. Depending on its size, operations and maturity, a company may detect numerous potential incidents each day, making direct involvement by senior legal officers or even an embedded cybersecurity attorney extremely unwieldy and inefficient for both the operational team and the legal team.
To address this challenge, organizations should implement and enforce policies that establish thresholds for when and how the legal risks related to security incidents are reported up to senior leadership. The thresholds for incident reporting may differ across disciplines, divisions or business units (e.g., legal, technical, financial) because each may be impacted by the same incident or types of incidents in different ways. Therefore, policies about reporting may also differ but should be reviewed and reconciled by an enterprise-level team in order to ensure they facilitate responsible oversight and coordination across the organization.
With respect to legal counsel, establishing clear guidelines ex ante for when and how embedded attorneys need to involve their leadership (e.g., notification, approval) is a necessary part of reaping the full benefit of in-house cybersecurity counsel. As noted above, sound legal guidance requires not only expertise and judgment but often visibility across the enterprise in order to consider all relevant facts. To ensure the greatest efficiency, the legal department should determine what kinds of incidents and operations require elevation up the chain for a proper assessment of legal risk.
Failure to establish clear guidelines about cybersecurity counsel's reporting obligations can leave these attorneys hamstrung, waiting repeatedly for evaluation and permission from their leadership and unable to provide operationally efficient guidance. In order for the organization to actually reap the intended benefits of embedded attorneys - namely, specialized and streamlined legal review at or closer to the speed of operations - attorneys must know when they can act without higher-level review and authorization.
Even if the provision of legal guidance regarding a particular issue or incident does not require higher-level authorization, the General Counsel may still need to be informed of certain activities and decisions after the fact in order to fulfill her responsibility to assess and opine on the organization's overall legal risk. Given the sheer number and speed of cybersecurity operations, clarity regarding the frequency and form of senior-level notification is also critical to ensuring senior leadership receives the information it needs, as well as to maximizing overall operational efficiency and cybersecurity counsel's ability to focus on ongoing operations.
In sum, in order to achieve the greatest benefits of investing in "forward-deployed" or embedded cybersecurity attorneys, organizations must responsibly empower these positions and the cross-disciplinary teams they support by implementing clear policies and responsible reporting structures. Without this clarity, embedded lawyers will not be able to provide both sound and expedient guidance - potentially doing greater harm than good.