In episode one of this two-part series, host Charles Volkert, executive director of Robert Half Legal, and industry experts, Thomas Barnett, Rocco Grillo and Joel Wuesthoff, examine data privacy and security issues that are demanding the attention of legal and IT teams across industry sectors. Learn about the particular risks law firms and legal departments face and the prevention strategies legal teams and their IT counterparts are implementing.
Listen to part two of the program here.
Thomas Barnett, Special Counsel, eDiscovery and Data Science, Paul Hastings http://www.paulhastings.com/professionals/details/tombarnett
Rocco Grillo, Managing Director, Global Leader, IR & Forensics Investigations, Cybersecurity & Privacy Services, Protivit http://www.protiviti.com/en-US/Pages/Professional-Bio-Rocco-Grillo.aspx
Joel Wuesthoff, Esq., senior director, consulting solutions, Robert Half Legal http://www.roberthalf.com/legal/client-services/ediscovery-services/team/our-leadership-team/joel-wuesthoff-esq
Charles Volkert, Esq., executive director, Robert Half Legal http://www.roberthalf.com/legal/client-services/ediscovery-services/team/our-leadership-team/charles-a-volkert-iii-esq
Advertiser: Welcome to the Robert Half Legal Report, where we discuss current issues impacting the legal profession relating to hiring, staff management, and more. With leading experts in the field, Robert Half Legal provides lawyers, paralegals and support staff, to law firms and corporate legal departments on a project in full-time basis. The Robert Half Legal Report is here on the Legal Talk Network.
Charles Volkert: Hello everyone and welcome. I’m Charles Volkert, executive director of Robert Half Legal, and the host of today’s two part program on cybersecurity. It’s a topic that’s increasingly demanding the attention of business executives across industry sectors, especially within the legal workplace. A report issued last year by McAfee and the Center for Strategic and International Studies, estimates that cybercrime costs the global economy more than $400 billion annually. IBM just released a study that found the average consolidated total cost of a data breach is $3.8 million. That’s a 23% increase since 2013. Nearly one in five lawyers interviewed by Robert Half Legal for its future law office research said that data security and privacy issues will have the greatest impact on the practice of law during the next five years. As data breaches become more frequent and sophisticated, it’s no surprise that identifying risks and implementing prevention strategies has become a top priority for legal organizations. Joining me today to discuss these issues and share their best practices are Thomas Barnett, Special Counsel, eDiscovery and Data Science at Paul Hastings. Rocco Grillo, Managing Director, Global Leader, IR & Forensic Investigations, Cybersecurity & Privacy Services with Protiviti. As well as Joel Wuesthoff, a senior director with Robert Half Legal’s consulting solutions practice. Welcome to the show to each of you and maybe start with you Tom and share a little bit of your background at Paul Hastings.
Thomas Barnett: Sure, thanks Charles. I’m a special counsel in the office of general counsel with my firm called Hastings, and in that capacity, I lead a group of data scientists and technical specialists, and we deal with handling client data, analyzing them and using them in the course of different investigations, litigations, and compliance engagements. I’m also a member of our firm’s data security and privacy practice group, and in that capacity I advise clients in the course of data breach different kinds of incidents, as well as compliance and consulting offerings where we help create plans and responses to future potential incidents.
Charles Volkert: Thanks, Tom, great to have you with us. And Rocco Grillo is with us, can you share a little bit of your background and expertise, Rocco?
Rocco Grillo: Sure, thank you, Chad. As you mentioned earlier, my role at Protiviti, I’m in our cyber security and privacy practice and I oversee our global incident response and forensics investigations. And to that end, as you can imagine with everything that’s going on in the industry, we’ve obviously been busy responding to some of the most high profile breaches that you’ve seen in the industry. We’re helping clients respond to many of these breaches. A lot of our time also is devoted to proactive assistance of clients more from an advisory standpoint. What are things companies can be doing to not only prevent but also respond to breaches. So we get to the point where we’re way past the point of not a matter of if but when companies have gotten their arms around the idea that it’s inevitable. And having a mature incident response plan – not only a mature plan but a mature that’s tested, and at the same time plans that go through preparation are things that we’re helping clients with. So again, working in that capacity, not only responding and helping clients respond to a breach, but also providing them with proactive advisory services.
Charles Volkert: Great, thanks for joining us today Rocco. And Joel Wuesthoff?
Joel Wuesthoff: Yes, Chad. So my role at Robert Half is a senior director. My portfolio, since I’ve been involved, typically covers the range of events that are triggered by either some type of compliance or litigation, namely particularly in the data security and privacy needs our practice has grown substantially. My background as a practicing attorney and a CISP in the security space, I’ve been involved in that space for about 15 to 20 years. Our practice, Like Rocco’s, takes a look at the data breaches and privacy issues from both a forward looking and backward looking perspective, identifying areas where we can support our clients and the firms like Paul Hastings in developing a practice strategy to identify roles, responsibilities, protocols, and response teams as well as downstreamed mitigation of potential shareholder liability suits, regulatory investigations, or related investigations where you may have some type of exposure or intellectual property leakage. So our practice covers a fairly broad range of information governance aspects, particularly as C-Suite individuals are broadening the responsibilities they have with respect to the topic we have today.
Charles Volkert: Well that’s great, Joel, thank you, and thanks again to each of you for joining us today on this very timely and important discussion. So let’s jump right into it with some questions for you all to take our listeners through and get your perspective. A number of serious and well publicized data breaches have brought significant attention today to security management during the past several months. And maybe, Rocco, you can kick us off and help set the stage for our discussion today and talk about the possible repercussions of data breach.
Rocco Grillo: Sure. One of the biggest things we come across is the unknown when you’re involved with a lot of these investigations. There’s times that companies may have been alerted to an incident or the potential for a compromise itself. And in many instances, companies find out that they’ve potentially been compromised in a number of ways. We typically boil it down in three different ways. The first is a company has an incident response plan. They’ve got controls and monitoring solutions in place that help them identify that they’ve potentially been compromised or had incidents going on. It’s not the best thing in the world to identify that you’ve been compromised and have to escalate to your management that we’ve been compromised. A second way that companies find out they’ve been compromised is they get the proverbial call from law enforcement that as part of law enforcement investigation, in many instances a larger investigation that affects multiple parties and organizations. They’ve been identified as a company that has been compromised. A third way that companies find out is from either their customers, business partners, or worse, from the media. And the third way, there’s obviously never a good thing. When we get calls from a client in any of those scenarios, the main ways that companies find out about a potential incident our compromise need to get to the bottom of the matter. And that’s why in many instances, companies need to absolutely have an incident response plan, and almost the way you have a business continuity or disaster recovery plan. Have this plan in place that should the incident occur or the suspicion of an incident, you’re able to carry out this plan. Really, it’s a playbook to identify what’s happened and then really get to the nuts and bolts of responding to the incident or breach itself.
Thomas Barnett: From the legal perspective, while all of that is happening, the actual incident and the response from the technical side that Rocco discussed, there are a whole bunch of legal triggers and issues that have to be dealt with and use calm, fast and furious in the context of an incident or a breach. They include potential for lawsuits, for civil damages. There can be state and federal law enforcement actions. There can be responses from customers or investors, from employees. Any or all of these things are possible and they can all happen simultaneously. So it’s really important to have your arms around the potential risks and the potential sources of different obligations that you have. Many things are triggered by the fact that you’ve had a breach or an incident. There’s different notification obligations like managing the customers and employees. There might be law enforcement requirement notifications and third party providers. There’s so many different things that can happen so fast that it’s really important that you think these through in advance and have a plan worked out between coordinating with the technical response team that Rocco was talking about. So these things need to be coordinated and emphasized like Rocco said. These plans and responses need to be worked out in advance and rehearsed because you can’t start figuring out what to do in the middle of a crisis. There’s so many moving parts. So many allegations are different. They’re conflicting and you have to juggle that. You have to know when to notify law enforcement, when it makes sense, when you have to, when you have to notify investors and how to notify them. All of these things happen very quickly and the ramifications for how you respond can be very extreme. So you need to be aware of all these things and to think them through and know exactly what needs to happen when an event actually occurs.
Joel Wuesthoff: Let me pick up on what Tom was just talking about. I think some of these triggers and some of the developments in the marketplace around these well publicized and recent data breaches have led to some very interesting developments. I’ll mention four. There was a recent US Court of Appeals decision noting that the FTC can use the Unfair Practices Act to challenge data security lapses. So that was a fairly anticipated decision that may or may not represent a c-change with respect to the way that these data breaches are enforced, investigated, evaluated, potentially sanctioned. The second piece is some of the things we’ve seen develop on the legal side that we may get into a little bit later around model rules of ethics and professional responsibility where something like 29 states in the District of Columbia issued comments to the model rules that attorneys should take reasonable precautions to prevent unauthorized access to client communications. The third and the fourth one relate to industry developments that come out of the two comments that Rocco and Tom mentioned was various industry groups developing guidelines to assist companies in this regard. The ABA has them, Rocco I think, and Tom will talk about some of the other ones. The Sedona Conference has a new privacy information security paper specifically for law firms and legal service providers. And then you have the Financial Services Information Sharing and Analysis organization. It’s kind of a mouthful, but it’s an initiative that came out of financial services that intend to share information more proactively about breaches. So all of these start to underline the fact that this top of mind for both outside counsel and C-suite are compliance individuals, privacy professionals, and general counsel’s office.
Charles Volkert: That’s great, all three of you certainly laid the framework for our discussion. What particular security risks do law firms and legal departments face and what roles should legal teams have in developing and communicating as well as assisting to enforce those policies for organizations? Maybe, Tom, you can take the lead on this with your law firm background.
Thomas Barnett: Sure, thanks Chad, and those are two very important questions. The first is really what is the role of the law firm itself or the legal department as a target, the risks that it takes. And then, how can the law firm and the legal department help in the overall enterprise, either the client or the company itself with enforced policies. So let’s talk first about the risks that the law firm or the legal departments face. If you think about the role of a legal department or a law firm it’s advising a company, it’s certainly large companies, global companies, any companies. They’re involved in some of the most confidential, important, sensitive information that a company deals with. Whether it’s lawsuits going on, allegations of different things, whether it’s back and forth, potential deals, mergers acquisitions, problems that the company has. Most of this stuff will almost necessarily flow through the legal department. And for law firms that represent companies, that kind of information exists at the law firm. So for people who actually target trying to intrude into a company to get information, they have learned that law firms and legal departments are very, very rich sources of important information. And therefore, they had become more and more targeted in recent years. And as a result, law firms, the type that have that kind of information – and it is important to make that distinction that a law firm can be anything from one person to a global organization with thousands of lawyers in it. But from the kind of law firm that deals with corporate matters, it’s very, very important to address these issues because they have become a very important target for people who engage in these kinds of activities. And typically, until recent years, law firms have not really been aware of this threat, maybe in the same way that very, very high profile global companies were, because they’re very public, there’s a lot of talk about them as entities and groups of people protest companies and certain industries and so on. But in recent years, law firms have become much more aware of the fact that they’re a target and have begun taking measures to try to protect themselves in the same way that the companies do. I think legal departments are the same thing. In a company ,there’s various levels of importance of information or sensitivity, let’s say. And certainly, the legal department is on the very high end of the sensitivity and importance of information. And because you can’t necessarily protect all of your information in the same way to try to quantify what’s the most sensitive, what’s important, what level of protection do we put on that information. The law department within a corporation needs to be considered to be one of the most significant targets. As far as the second part of the question, what role should legal teams and law firms have in developing plans and enforcing policy in an organization, I believe it can play a very, very significant role because they understand the legal implications that can happen from a breach and need to be working hand in hand with the technical resources with people that actually respond to the technical side to the breach as well as help create the response plans. So none of these plans make any sense unless they’re coordinated together because of the need to notify different parties, whether again it’s customers or investigators or law enforcement or the public in certain cases. Coordinating the timing of that with other activities, how you discuss the status of the breach, what’s going on, and also playing the role and putting in place processes and policies that help you prevent breaches or respond to them. So I think the legal department and outside counsel, if they have experience like this, can play a critical role in coming up with a successful response plan, preventive measures, and incident response.
Joel Wuesthoff: I’d like to pick up on Tom’s discussion about that role, and I think this is what he’s saying: it really needs to be a proactive role. This is a non delegable duty on outside counsel, certainly on shareholders to come forward to talk about the duties to be able to bridge the gap on the subsidiaries of law and translate those areas into achievable objectives that make sense to the business units such as counsel, CFOs and CEOs. Historically, that has been not necessarily a comfortable role, at least on the technical side for attorneys. So I think as you’re starting to see the duties of competency and ethics extend to this particular area, and it’s maybe more difficult as data starts to move to the Cloud and starting to talk about concepts such as possession and control. I think the dangers for the breach of attorney’s’ professional obligations can be significant. So I really think that underlines the fact that lawyers need to be highly knowledgeable about data security laws, compliance regulations, legal requirements, and surrounding preservation reduction. And if they’re not, I think of the recent California ethics opinions, to associate themselves with somebody or to engage with somebody who can help from outside law for them to navigate those issues.
Rocco Grillo: What I’d like to add even further into that is the point of some of the technology pieces. Much is we’re focusing on legal. The intersection between legal and IT, legal plays a critical role in responding to a breach. But at the same time, while these may start from a technology issue that quickly evolves to the legal or business side of things, really need that intersection between legal and IT and it’s the partnership between legal and IT to really tackle many of the breaches or even the response to it. Again, when you look at the response plan, Tom earlier named a handful of different stakeholders that need to be proactive in this instance. The preparation around it, having that mature plan includes having the appropriate stakeholders. Not only their involvement, but the people that are as stakeholders need to know their responsibilities. So it’s a combination of both the IT side of the house, the legal side of the house, and the overall business embrace together and it’s truly a partnership and tackle on this.
Charles Volkert: I think those are great points by all three of you. And just to highlight the comment you were making, Rocco, at the end with this intersection between legal and IT, we were meeting with a general counsel of a Fortune 1000 company two weeks ago. He stated that he has a standing call every single day with the CIO of the organization to handle new issues in and around information governance, records management, data breach and security issues. So that just goes to show you and really exemplifies the point of that constant communication and that intersection that we’re seeing. Let’s go ahead and take a quick break before we resume.
Advertiser: To find, hire, and retain the best legal professionals, it’s critical to have a sound hiring strategy in place. Robert Half Legal works with law firms and corporate legal departments to create effective staffing plans that could adapt to changing workload levels, realize significant cost savings, and improve the overall management of Human Resources. We offer a wide range of resources to assist hiring managers at job candidates; including our annual salary guide, industry leading workplace research, and valuable interactive tools. For more information, call us at (800) 870-8367, or visit RobertHalfLegal.com
Charles Volkert: Welcome back to the Robert Half Legal Report. With us today are Tom Barnett, Rocco Grillo, and Joel Wuesthoff talking about data breaches and cybersecurity. Let’s move on and I wanted to talk a little bit more about the fact that legal departments typically have significant resources and expertise within their companies to manage the security and integrity of the privileged information they maintain. On the other hand, how are law firms addressing that challenge? And again, not to put you on the spot, Tom, but maybe you can kick us off with your thoughts there.
Thomas Barnett: Sure, Chad, no problem. One of the things that’s interesting about the question is we talk about privileged information, and lawyers of course are very familiar with the concept of communications between lawyer and client that are protected to the privilege or other protections. One of the things that law firms are starting to come to grips with more is that they’re all sorts of different kinds of information that need to be protected as well in addition to privileged information. There’s client sensitive information, there’s personally identifiable information, there are different data security and privacy obligations associated with different countries if the firm is a global practice. One of the things I think is really important for clients to think about when they’re retaining their law firms or assessing the law firm’s capabilities is how many resources and what kind of attention do they pay to these kind of things. As I mentioned earlier, a law firm can be anything from one person, a handful, up to thousands of people. Different clients, different obligations, different resources to bring there. So I think it’s a really important point for companies to consider this when they assess their existing law firms or think about bringing on new law firms. What kind of resources and what kind of attention have they been paying to these issues. This is something that I think has really been developing in recent years and one trend that I’ve seen certainly in my firm and other large global law firms is that there are professionals whose whole responsibility is related to data and information security and they specialize in keeping track of what’s going on in the firm, whether there are any attacks, what’s being done about them, and keeping up with all the technology that’s available to help prevent them. So monitoring activity within the firm’s network, accessing third parties, and working with the lawyers both on internal issues and dealing with client communications. One of the challenges for any law firm of any size is that there’s data coming and going from all different sources constantly from different companies across the country or potentially across the world. That data needs to be assessed and screened to make sure there’s nothing coming in that could be harmful. There’s also many, many people with different levels of access and input into the firm. The challenge is not insignificant, but because of the attention that clients are paying to this and potential risks, law firms are devoting a lot more time and resources to this. At my firm, Paul Hastings, we have a data security and privacy legal practice in which we advise clients on incident response as well as compliance and preventative measures. But we also are part of the technology committee for the whole firm, so we deal with the issues related to our own proactive measures and how we prevent and mitigate risk within the firm.
Joel Wuesthoff: I think to Tom’s point, I think we’ve certainly seen the significant uptake at Robert Half of clients calling as for temp and perm positions in the broad privacy security space. More often than not, quite different skillsets, but we’ve certainly – and Tom gave a good example – seen law firms from ediscovery attorneys with technical background start to morph into cyber security practice groups or combine those practices with each other. I think over the last couple of years, proactive or somewhat proactive law firms have built groups around people who can bridge the gap in the fields that we’re talking about. So what I’ve seen is new positions emerging in the legal field relating to security and privacy, privacy officers, privacy compliance officers, privacy managers, analysts, data governance directors. Those types of roles have emerged fairly recently, I think, to specifically address the cyber security issues that we’re talking about today.
Rocco Grillo: I was going to go further to that. One of the things is as much as we’ve spoken about the critical role that legal places here, the idea of a certain privilege at the onset of an engagement or in some instances even prior to that, we’ve worked with a lot of law firms when we’re providing advisory services to clients from a proactive standpoint and either build on their incident response program, or even more so as I mentioned earlier, test the plan. Tabletop exercises are simulated exercises. While we can have a plan, how effective is it? And we walk through an actual simulated exercise as if the company were under attack. And in that instance, we find out how strong our incident response plan is, as well as where are areas that need to be enhanced or improved. In some instances, we may find something that we don’t necessarily want to disclose. So it’s not just the actual breach or investigation itself. In many instances, we’re seeing more and more companies take these exercises, even if they’re proactive, put them on their privilege right away. Because again, we want to protect the findings of those exercises or more importantly, during the course of an investigation, we want to make sure that information’s privileged and we protect the findings.
Thomas Barnett: I think Rocco makes a really great point and I’d like to emphasis even beyond that. So in addition to the planning and the tabletop exercises, which I think are essential, what I’m seeing more and more – and some of our clients are more willing to go through this – are really active tests where everybody involved doesn’t really know it’s an exercise. So you need to get to a certain point where you can do that. But if you really want to test something, you test it in a way where it’s not obviously just a test and you see how people respond. That’s one of the ways you know whether you’re really prepared or not. Given the significance of the threat, we talked about the three-point something million dollar cost average per incident. The costs are there, the risks are there, the PR risks, reputational risks, stock price risk and so on. So these are very, very serious issues and I think they’re well worth considering have the kind of testing where you really put people on the spot of responding without just knowing it’s a rehearsal.
Charles Volkert: Well, maybe, Rocco, you could pick up on the comments that all of you are talking about and talk a little bit about what some effective strategies are and what they should or how they should be employed when addressing data security and privacy matters.
Rocco Grillo: Sure. Well, I think one of the first pieces, something we hear time in and time again is the tone at the top. While a lot of these breaches are IT in nature or start from an IT perspective, we’ve seen the high profile breaches. It doesn’t necessarily need to be a high profile breach but it immediately impacts the business. We’ve seen senior executives and other leadership roles lose their position as a result to some of these breaches. we’ve seen regulators step in, we’ve seen loss of reputation, we’ve seen legal issues, we’ve seen other types of business impact that really is the result of the compromise itself. So I think one of the pieces that needs to be looked at is what are the key assets, what are we ultimately trying to protect. We’ve heard cybersecurity and we’ve heard having all the right controls in place. But ultimately, what is it that we’re trying to protect? And I’m going to give you a couple of things in parallel. While we want to have an incident response plan in place that’s mature and tested and so forth, we need to know what are our critical assets. Many of the executive management teams or firms or even the board of directors want to know not only do we have a mature plan to respond to the breach, but what are our critical assets or the proverbial crown jewels. Once we identify those crown jewels, in the event that they are compromise, how mature is our response? How effective is it in the sense that we want to recover from this compromise? How do we mitigate the damages and the blow and the impact on the organization? I think those two pieces go hand in hand. Not only having a mature plan, but also identifying what our key assets are and being able to recover quickly in the event that they’re compromised.
Thomas Barnett: Rocco again makes a really good point and I’d like to further it in the sense of what the law firm can do both from its own perspective but also in advising clients. There are a whole bunch of different uses for information in a company, obviously. We’ve been talking about it from the perspective of protecting sensitive information that could be breached and publicized or used for nefarious purposes. One of the things that companies are doing more and more and need to do but they struggle with is how to organize their data just generally. There are many different demands on data that happen, and we find that dealing with companies in the context of government investigations or lawsuits is that sometimes companies have difficulties identifying where information is exactly, who’s responsible for it, how long will it be kept, is it overwritten, is it preserved, is it backed up. Understanding your data overall, where it is, how long you need to keep it, is all of your data subject to your records retention program. All of these things are part of having your arms around the whole problem. Getting breached and having data stolen or misused or misappropriated is one aspect of this. But the really, really, main different aspects of the way it’s used and what we see are companies who aren’t prepared for the security aspects are typically also not prepared to respond in an effective and timely matter in responding to government inquiry or a lawsuit. Those issues can also present significant risks and expense to a company.
Joel Wuesthoff: And I’ll just mention one more thing. I think as much as we talk about the need for technical competence, this is as much an organizational change or change of management problem that we’re dealing with. And to use an analogy, I guess one that people are more familiar with: We get on calls many times with legal and IT, which goes back to Rocco’s comments about the potential in legal and IT and the IT tail is wagging the legal dog. And by that, I mean the IT has sighted something and they want a specific technology, and legal is going to make their decisions based on whatever IT decides is the best choice for the IT department. I think that we need to recognize that IT comes at the enterprise with the goal of improving business performance, the quality productivity of the data, the searchability, improving policy enforcement, creating securability and the lawyers are focused on risk management and preservation and proper use of data in the context of investigation from litigation. So there’s a little bit of a disconnect there that I think ultimately is going to make these initiatives – if a company chooses to go down this path – critical in terms of managing the expectations, ensuring that everybody is on the same page as to what the objective is and what the problem is that needs to be solved.
Rocco Grillo: Joe, I’ll add further to that. One of the key pieces of an incident response plan that initial fades that they’re easy to overlook. Preparation. All too often, we’re ready to jump into an investigation, look for a containment and so forth. But that preparation up front can’t stress how important that is. It’s not an IT or a legal weed on it, it’s that partnership that I mentioned earlier. And the whole idea is not to do this in an ad hoc manner each time there’s an incident or a potential compromise or a compromise itself. It all comes down to being prepared and having a repeatable process. You can’t take this on in an ad hoc manner. We’re never going to have a crystal ball and be able to predict the future of what type of attack or incident or compromise we face. But at the same time, that incident response framework needs to be strategic in the sense that it’s a repeatable process and we go through that framework step by step up to and including the end of the investigation or the exercise itself. In a lot of instances, everybody wants to get back to a normal business operation and resume what we were doing. Nobody’s happy about going through a breach or that they’ve been compromised, but there are a lot of critical lessons learned that are involved and there’s some things that may have gone well. And as I’ve said earlier, there’s some areas that may need improvements or enhancements. These are some things that we really need to do from a preparation standpoint and it all starts with partnering as to what are the things that needs to be done, who’s involved, and even further to that, everybody knowing what the responsibilities are.
Charles Volkert: So, Rocco, aside from legal and IT, who else should be part of a risk management and response team and what are some of the key factors that should be addressed in a comprehensive security plan?
Rocco Grillo: That’s a great question, Chad, and as much as IT and legal typically lead these investigations, one of the first ones that needs to jump out there is executive management. People that are running the company from a governing standpoint absolutely need to know what’s going on with their company, especially if it’s affecting the outside world. Whether it be regulators or business partners or their actual customers or clients themselves. As much as executive management governs the company, PR and crisis management, there’s a lot that’s going on in investigation from IT to legal to executive management. May not be the most opportune time for someone in executive management to make a public statement. So for that reason, public relations and crisis management need to be part of this process. Another one that’s easy to overlook is HR. You don’t know if it’s an internal employee, and it doesn’t necessarily need to be the irate or malicious employee. It could be an employee that did something unknowingly. And at the same time as much as they did it unknowingly, they may be violating corporate protocol or something along those lines. And to that extent, you want to have HR involved. Another easy one to overlook as much as we talked about keeping this information contained, getting legal involved, keeping it privileged, are end users. Our employees, especially the ones that our clients are facing. Not necessarily that we want to tell them every finite detail, but at the same time, they need to be armed with information, whether it’s an FAQ on what can be shared or who they can be referred to. The last way our end users or employees want to find out is through our customers or even through the media without knowing about it. You can imagine how awkward or even embarrassing that could be is if the outside world knows and someone in a cross center at a retail location is finding out from a third party that their company themselves had been compromised. On the outside, we talked about outside counsel. Having context with law enforcement, a lot of times when we do these public briefings, we encourage companies to establish relationships with law enforcement agencies. Not necessarily to just bring them right in, but scrim one through a rolodex or searching for a contact in law enforcement in a middle of a crisis isn’t the best time to look for a contact. Incident handlers and forensic investigators, they’re another key one. Even further to that, private investigators in a lot of instances, you may need to engage third parties to conduct the actual investigation for you themselves. Those are not all of them, but a bulk of the many different stakeholders that should be involved.
Thomas Barnett: Rocco gave a really, really good list. I’ll just add one or two that I think pertain to that. One of them is the folks in organizations responsible for the management of records and information in a company. So companies might have records management professionals. They can go by different names, and the folks that are responsible for making sure that the important information in a company that constitutes its records as highly confidential information as corporate records and so on are aware of what their role is. And to Rocco’s point, everybody doesn’t need to be involved in every aspect of the plan, but there are many different people who will help you execute it. Or if they don’t understand what’s going on can hinder your execution of that. So that’s another group. I’d also say that there are certain representatives from different business units. One of the things we find in responding to incidents or in the context of investigations or subpoenas or criminal actions is that if you have a situation where there’s just one person designated or a small number to deal with everybody, it’s really difficult to get the information you need in a timely manner because they’re really starting from scratch with the other people. So I think it’s really important to think through who the designees from different business units are, who should know about the fact that there is a plan that there are obligations and things that have to happen at the last moment. Again, these things don’t come with an invitation or an advance warning, they just happen so you want to think through this at the time. So having people within the different areas of business that the company works in, at least someone from those different areas who knows what they’re supposed to do and who they’re supposed to contact and how to get involved.
Joel Wuesthoff: I’ll add one more, it may have been covered by Rocco or Tom, but we’ve been retained in the past by audit committees and more and more auditing to general counsel’s office in terms of their access controls. And so what has been interesting trend for us to watch is the re engagement or engagement of senior members of the audit committees understand better the risk exposure that the company has and particularly the level of access that various members of the firm may have that may create exposure to the firm or weaknesses or gaps in their security protections. So that’s been an interesting development beyond our traditional offers or internal audits around ediscovery and related issues to impact cyber risk insurance. The other thing that I think Tom keyed up at the beginning is there’s always a risk of litigation testifying. So certainly, employees need to understand that part of that risk management response team will be a recognition that downstream there may be a need for a deposition or some type of testimony or affidavit or representation as to what was done. And that’s where certainly the privilege, the nature of the contract and keeping things privileged and confidential to the extent possible and appropriate is a key part of making sure that there’s a proper flow of information, before, during and after these events.
Charles Volkert: Well, we’ve reached the end of our program. Special thanks to Tom Barnett, Rocco Grillo and Joel Wuesthoff for joining us today and providing their expertise and insights. Before we close, I want to let the audience know how they can contact each of you. Tom, could you provide the listening audience with your email address?
Thomas Barnett: Sure, thanks Chad. So it’s [email protected]
Charles Volkert: Great. And Rocco?
Rocco Grillo: Sure, thanks, Chad. It’s [email protected]
Charles Volkert: Thanks, Rocco. And Joel?
Joel Wuesthoff: Sure. My email is [email protected]
Charles Volkert: Again, thanks to each of you. And our listeners can reach me at [email protected]. I’d also like to mention a few professional privacy and security associations that offer educational resources, information, and best practices to help firms and companies better manage technology risks. The first is the International Association of Privacy Professionals, the AIPP. The second is the Information Systems Security Association, or ISSA. And the third is ABA’s Privacy and Information Security Committee, and the ABA Cybersecurity Handbook, a Resource for Attorneys, Law Firms, and Business Professionals. You can also visit RobertHalfLegal.com to learn more about our legal consulting solutions. Download our research and subscribe to our legal blog for weekly updates on ediscovery, the legal job market, and other important industry developments. Thanks for listening today, and join us next time on the Robert Half Legal Report for part two of our cybersecurity discussion.
Advertiser: The views expressed by the participants of this program are their own, and do not represent the views of, nor are they endorsed by, Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.
Thanks for listening to this podcast. Robert Half Legal connects the most highly skilled candidates with the best positions in the legal profession. join us again for the latest information in the latest edition of the Robert Half Legal Report, here on the Legal Talk Network.
[End of Transcript]