Data, Risk, Response

Protecting the confidentiality of your company’s data and the integrity and availability of your information systems is one of the most challenging aspects of managing an enterprise’s cyber risk, whether for public or private organizations. Brown Rudnick’s Cybersecurity and Privacy practice team counsels clients on ways to protect their business in cyberspace, and, when an incident or breach occurs, to position them to be able to detect, respond and recover as quickly and effectively as possible.

At Brown Rudnick, we have built our cybersecurity practice on information security principles traditionally used by military and intelligence agencies in the national security realm. We then overlay these information security concepts on top of commercial and legal approaches to the issues facing our clients. Our approach is built upon the principles that underlie information security broadly speaking, which includes data privacy issues as one significant aspect.

Our Team

Our cybersecurity practice is led by Guillermo Christensen, a partner in our white-collar investigations team. Guillermo has extensive national security experience with the US Government, including multiple assignments as an intelligence officer with the CIA. He then went on to a policy-focused position as the Science and Technology Advisor to the OECD for the US State Department. In London, Anupreet Amole is responsible for the UK and EU components of the practice. Our team draws on a range of other lawyers with direct experience of issues relevant to cybersecurity, and includes a former California State Attorney General, former senior DOJ prosecutors, the former NY Branch Chief of the SEC's Division of Enforcement, and the former Head of Enforcement for the UK Financial Services Authority.

Positioned to Assess Cyber Risk

Because our approach to cybersecurity is broader than a traditional data privacy practice, we can more effectively help our clients understand their vulnerabilities and the threats they face. Our experience dealing with crisis response, in multiple contexts, is valuable for advising clients whether before a cyber incident (“left of boom”) or during a breach (“right of boom”). We are also well positioned to work closely with a select cadre of cybersecurity technology specialists to provide informed risk assessments for our clients. These risk assessments in turn drive priorities for technological security and the manner in which a business should most effectively deploy its resources, including workforce, to address cybersecurity.

Human Factor is Paramount

We also know from extensive experience (in both national security and legal practice) that the human factor is central, indeed core, to information security. This is just as important as the technological aspects of cyber defense, and for many companies it is that human link which is weakest. Our view is that effective cybersecurity requires a mix of technology and software, appropriate training, risk governance, and creating a culture of security within a company, particularly at senior levels. 

We have long understood that there is no perfect defense in cybersecurity. We therefore strive to help our clients focus more on early detection, response and recovery. But detection, response and recovery demand a more comprehensive approach to enterprise risk than the traditional defense-centric mindset. In particular, this places a premium on meaningful engagement by senior management, including in-house and/or external lawyers, to address both prevention and the handling of crises once (unfortunately not 'if') a cyber incident occurs. 

Legal and Regulatory Enforcement

Technology and more connected business systems are driving cybersecurity risks; at the same time, there is a growth in the related regulatory and legal requirements that apply to businesses in various industrial sectors. The role of in-house and outside legal counsel in cybersecurity is central to the management of this enterprise risk. This is particularly so given the rapid development of legislation in many jurisdictions aimed at imposing cybersecurity standards and breach notification obligations upon companies. Many of these laws, such as the New York Department of Financial Services regulations on cybersecurity, require comprehensive information security programs that go far beyond response plans for data breaches. The NY Regulations, along with the EU’s General Data Protection Regulation (GDPR), also impose tight notification deadlines for companies becoming aware of incidents – placing a premium on prior planning and preparation.

Protecting Legal Privileges and Effective Incident Response

The heightened risks of government enforcement and litigation also raise the stakes for companies and counsel to ensure they follow the right process in each case -- in particular being attentive to protecting legal privileges.

Effectively managing the company's response is vital to avoid making a bad situation even worse.
 

Core Elements of Our Service Offerings

Cybersecurity Risk Assessments

We advise clients on their risk profile and their existing cybersecurity programs. Working closely with experienced cybersecurity service providers, we help clients design and implement a cybersecurity program from the ground up or fine-tune an existing program. Many such assessments can be scoped around well-defined fixed-fee engagements.

Board Level Engagement

Our team helps boards and C-suites work through an enterprise risk management approach that fits their culture and industry, to frame a discussion that ensures the company’s internal and external resources are being used effectively. We draw upon our broad sector experience to provide the benefit of situational awareness in an area that is rapidly changing.

Cybersecurity Programs

Implementing a cybersecurity program through written information security policies and procedures aimed at securing a company’s cyber assets is a complex undertaking. Regulators understand the value of a cybersecurity program and some, like the New York DFS, require covered entities to adopt these plans as an early benchmark for compliance. Our team has deep experience in advising clients on compliance with corporate policies and procedures. We know that the value of a security program is not in a check-the-box compliance exercise but in implementing a tailor-made, risk-based approach that evolves over time.

Cybersecurity Training

We help clients implement training programs from basic to advanced level, tuned for all levels of the company, from officers and directors to staff, as well as outside third parties. Our training programs are usually built around a risk assessment and implementation of a cybersecurity program to ensure each element reinforces the others.

Incident Response Planning

Being prepared for an incident takes advance planning, practice, and a solid playbook. Working closely with specialists in the technical and media relations fields, we guide clients toward incident response plans that fit their organization, including using 'war games' or tabletop simulations to train team members on how to implement the plan.

 

Our Team’s Relevant Experience

Advised a major UK-based defense company on cyber breach response involving confidential commercial data. The matter involved incident response, disclosure obligations, liaising with relevant authorities, and advice on remedial measures

Represented US client in an investigation and remediation of a cyber incident under investigation by the US Government involving a sensitive US Defense Department contract

Counseled multiple public company boards on cybersecurity enterprise risks and mitigation and the implementation of new programs and policies

Trained C-suites, directors, general counsels and law departments on cybersecurity risk management for their enterprise.

Drafted and implemented information and technology control plans for cybersecurity for clients – in the energy and defense sector – for sensitive national security transactions

Assisted a client to mitigate impact of ransomware crippling critical business assets and key IT that were not adequately protected/backed up

Liaised between clients and law enforcement in the course of investigations involving incidents and breaches of information security systems

Assisted a client to mitigate and recover from loss of control over critical domains involving a cross-border hacker with a possible insider connection

Assessed the information systems and cybersecurity of target companies in acquisitions in the high technology and energy sectors

Managed complex forensic aspects involving data tampering in a cross-border investigation

Counseled leading non-US information and communications technology solutions provider dealing with US government concerns regarding national security of information systems

Prepared information security programs for an academic institution in the United States

Advised family offices on issues of confidentiality and reputation management arising out of numerous high-value disputes, cyber breaches, theft of documents and records

Represented and advised on a variety of telecommunications, network and software-as-a-service matters, including cloud services, data privacy, interception of communications and representation at the Leveson Inquiry into media intrusion (phone hacking) in the UK.

Cybersecurity & Data Privacy Group Leaders

Guillermo Christensen

PARTNER

Washington, DC | New York, NY

+1.202.536.1730

Anupreet Amole

COUNSEL

London, UK

+44.20.7851.6118

Mark A. Lubbock

PARTNER

London, UK

+44.207.851.6062