The Role of an Attorney in Controlling Security and Legal Risk

Attorneys play a vital role in controlling security and legal risk and defending a business from claimants. How do attorneys help?

First and foremost, information security (infosec) lawyers counsel their clients on compliance requirements to keep data and information systems secure. These requirements may stem from public law (statutes and regulations) or private arrangements made via agreements. Infosec lawyers help clients answer the key question: What does my company need to do to comply with infosec requirements under applicable law and agreements? Failing to comply may cost a business a lot of money when they have to defend and resolve civil suits or governmental enforcement actions.

Second, lawyers defend and pursue security-related lawsuits and enforcement actions. Parties injured by a security breach may sue to seek damages or an injunction against the parties responsible for the breach. When the perpetrators are unable to be found or it isn't worth suing them, injured parties may sue others who supposedly allowed the breach to occur or failed to stop it. Companies purchasing security products or services may sue their vendors when the products or services don't work as advertised or when they fail to prevent a breach. Infosec lawyers bring suit on behalf of the injured party or defend these kinds of suits. Government agencies may file actions to impose penalties against companies experiencing data breaches. Infosec lawyers representing the affected business defend these actions.

Third, lawyers spearhead investigations. With the help of forensic experts and information security professionals, they can respond to a security incident to find out what happened and who may have been responsible. Having an attorney lead the investigation helps protect communications about the incident with the attorney-client privilege.

Fourth, lawyers are involved in drafting information security-related agreements and data protection exhibits or addendums that are part of a larger agreement. Vendor management is a key function in today’s world, both for customers procuring products or services and for providers trying to close sales. Big companies are almost universally establishing security requirements in their agreements with vendors. If vendors can’t meet these requirements, they won’t get the business. Lawyers are the ones who help draft these agreements, exhibits, or addendums and help negotiate them. Lawyers help vendors to close deals that bring in revenue while controlling their legal risk. Lawyers help customers by maintaining security requirements in negotiations that vendors might try to water down.

Finally, lawyers help businesses establish a program of data protection and governance in businesses. They draft, edit, and comment on security policies, procedures, and subordinate documentation. Yes, security professionals write a lot of this documentation, but having a legal review of the documents is important to make sure what they say is consistent with agreements and other legal documentation and positions taken by the business. Any discrepancies may create legal risks for the company. Also, lawyers help identify compliance and risk management-driven security controls that security professionals can integrate into a security program. Without that legal review, security professionals may miss something.