Cybersecurity & Data Privacy
Data, Risk, Response
Protecting the confidentiality of your company’s data and the integrity and availability of your information systems is one of the most challenging aspects of managing an enterprise’s cyber risk, for public and private organizations alike. Brown Rudnick’s Cybersecurity and Privacy practice team counsels clients on ways to protect their business in cyberspace and, when an incident or breach occurs, positions them to detect, respond and recover as quickly and effectively as possible.
At Brown Rudnick, we have built our cybersecurity practice on information security principles traditionally used by military and intelligence agencies in the national security realm. We then overlay these information security concepts on top of commercial and legal approaches to the issues facing our clients. Our approach is built upon the principles that underlie information security broadly speaking, which includes data privacy issues as one significant aspect.
Our cybersecurity practice is led by Guillermo Christensen, a partner in our white-collar investigations team. Guillermo has extensive national security experience with the US Government, including multiple assignments as an intelligence officer with the CIA. He then went on to a policy-focused position as the Science and Technology Advisor to the OECD for the US State Department. In London, Anupreet Amole is responsible for the UK and EU components of the practice. Our team draws on a range of other lawyers with direct experience of issues relevant to cybersecurity, including a former California State Attorney General, former senior DOJ prosecutors, the former NY Branch Chief of the SEC's Division of Enforcement, and the former Head of Enforcement for the UK Financial Services Authority.
Positioned to Assess Cyber Risk
Because our approach to cybersecurity is broader than a traditional data privacy practice, we can more effectively help our clients understand their vulnerabilities and the threats they face. Our experience with crisis response, in multiple contexts, is valuable for advising clients both before a cyber incident (“left of boom”) and during a breach (“right of boom”). We are also well positioned to work closely with a select cadre of cybersecurity technology specialists to provide informed risk assessments for our clients. These risk assessments in turn drive priorities for technological security and determine how a business should most effectively deploy its resources, including its workforce, to address cybersecurity.
Human Factor is Paramount
We also know from extensive experience (in both national security and legal practice) that the human factor is central, indeed core, to information security. It is just as important as the technological aspects of cyber defense, and for many companies the human link is the weakest one. Our view is that effective cybersecurity requires a mix of technology and software, appropriate training, risk governance, and a culture of security within the company, particularly at senior levels.
We have long understood that there is no perfect defense in cybersecurity. We therefore strive to help our clients focus more on early detection, response and recovery. But detection, response and recovery demand a more comprehensive approach to enterprise risk than the traditional defense-centric mindset. In particular, this places a premium on meaningful engagement by senior management, including in-house and/or external lawyers, to address both prevention and the handling of crises when (unfortunately not 'if') a cyber incident occurs.
Legal and Regulatory Enforcement
Technology and increasingly connected business systems are driving cybersecurity risks; at the same time, the related regulatory and legal requirements that apply to businesses across industrial sectors are growing. The role of in-house and outside legal counsel in cybersecurity is central to managing this enterprise risk, particularly given the rapid development of legislation in many jurisdictions imposing cybersecurity standards and breach notification obligations on companies. Many of these laws, such as the New York Department of Financial Services regulations on cybersecurity, require comprehensive information security programs that go far beyond response plans for data breaches. The NY Regulations, along with the EU’s General Data Protection Regulation (GDPR), also impose tight notification deadlines once a company becomes aware of an incident, placing a premium on prior planning and preparation.
Protecting Legal Privileges and Effective Incident Response
The heightened risks of government enforcement and litigation also raise the stakes for companies and counsel to ensure they follow the right process in each case, in particular by being attentive to protecting legal privileges. Effectively managing the company's response is vital to avoid making a bad situation even worse.
Core Elements of Our Service Offerings
Cybersecurity Risk Assessments
We advise clients on their risk profile and their existing cybersecurity programs. Working closely with experienced cybersecurity service providers, we help clients design and implement a cybersecurity program from the ground up or fine-tune an existing program. Many such assessments can be scoped as well-defined, fixed-fee engagements.
Board Level Engagement
Our team helps boards and C-suites work through an enterprise risk management approach that fits their culture and industry, framing a discussion that ensures the company’s internal and external resources are being used effectively. We draw upon our broad sector experience to provide situational awareness in an area that is rapidly changing.
Policies and Procedures
Implementing a cybersecurity program through written information security policies and procedures aimed at securing a company’s cyber assets is a complex undertaking. Regulators understand the value of a cybersecurity program, and some, like the New York DFS, require covered entities to adopt these plans as an early benchmark for compliance. Our team has deep experience in advising clients on compliance with corporate policies and procedures. We know that the value of a security program lies not in a check-the-box compliance exercise but in implementing a tailor-made, risk-based approach that evolves over time.
Training
We help clients implement training programs from basic to advanced level, tuned for every level of the company, including officers, directors and staff, as well as outside third parties. Our training programs are usually built around a risk assessment and the implementation of a cybersecurity program, so that each element reinforces the others.
Incident Response Planning
Being prepared for an incident takes advance planning, practice, and a solid playbook. Working closely with specialists in the technical and media relations fields, we guide clients toward incident response plans that fit their organization, including the use of 'war games' or tabletop simulations to train team members on how to implement the plan.