The recent data breaches at Equifax and Yahoo have legal professionals on high alert. An upcoming Thomson Reuters webinar on cybersecurity developments will spell out exactly what lawyers need to know about how these recent cyberattacks affect legal teams, and, more importantly, how to secure valuable client data and proprietary information from hackers and malware.
As an attorney, you may now be liable to help set up your clients’ policies, procedures — or lack thereof — and defend them in cases where those mandates come under scrutiny, according to upcoming webinar panelist Joel Wuesthoff, a JD, CISSP and senior director of consulting solutions at Robert Half Legal. Wuesthoff will participate in a webinar entitled What the Latest Cybersecurity Developments Mean for Legal Teams, on Monday, October 23, at 3:00-4:00 p.m. EST. Other panelists will include Ian C. Ballon, a shareholder at Greenberg Traurig, LLP, and Jeff Sanchez, managing director of technology consulting at Protiviti. The panel will be moderated by attorney Charles A. Volkert, senior district president of Robert Half Legal.
The Legal Executive Institute blog spoke to Wuesthoff, who is based in New York City, and asked him why a cybersecurity webinar is needed so much now.
“We’re well past the tipping point with respect to security of corporate and personal data,” Wuesthoff says. “If we were to go back 10 years or more, we saw a similar tipping point around e-discovery. Judges, lawyers and IT people were trying to figure out how to approach technology in litigation. That led to, and followed decisions around, ethical and professional responsibility and competency.”
Lawyers typically think their job is simply to look at their clients’ legal positions and argue the law. However, these days, attorneys need to have a better understanding of how client data is stored, where it’s stored, and even need to understand the “nerdy” data retention architecture. “Is client data stored on the cloud? Where is our social media data and how do we retain it?” Wuesthoff asks.
“We’re at the next level: How do we protect the data we have, and our clients have, and converse with IT teams? How do we talk to our consumers and employers about legal rights and responsibilities?”
Most attorneys are familiar with requirements related to email retention, Wuesthoff says, but now “we’re at the next level: How do we protect the data we have, and our clients have, and converse with IT teams? How do we talk to our consumers and employers about legal rights and responsibilities?”
He cites a case involving Qualcomm and Broadcom in which the judge referred half a dozen attorneys to the bar, alleging the lawyers didn’t do an adequate job advising clients on securing their data properly. “You can’t just tell your client not to delete emails. As a lawyer, you can’t just delegate that duty to your clients — you must stay far more engaged,” he explains.
For example, a new California state ethical opinion laid out areas in which lawyers need to be competent related to technology, he notes. “If a manager gets sued by an employee for discrimination, and the manager destroys all the emails, the corporate lawyer first needs to tell the manager, ‘You can’t do that. Get your emails back. These are your duties.’ If the attorney later finds out that the manager actually did destroy emails, even after legal told him not to, now the attorney has the duty to tell the court that the client did so.”
Wuesthoff, for his part, re-engineered his legal career in 2002. A graduate of Vermont Law School, he stopped practicing law and earned the designation known as Cybersecurity Information Systems Security Professional (CISSP). Granted by a group called ISC Squared, the CISSP is a specialty in electronic data and privacy. “In the early days of lawyers and tech, lawyers just had to find emails. Now, they have a duty to understand cybersecurity to counsel their clients and help protect their data,” he adds.
Wuesthoff joined Robert Half in 2010 and oversees the Robert Half Legal’s data protection practice. “When a corporation says, ‘We’ve been hacked’, or ‘We need to get on this regulation,’ I have a team of technical lawyers and non-lawyers who can help comply with the regulations. Or we might do a health diagnostic on the company’s information security,” he explains.
“Today, legal teams have to understand what malware is, what are phishing attacks, and varieties of other attacks, and inform their client as well. Depending on the scenario, a company where a data security breach occurs will likely be sued and investigated. The counsel for any company now has to understand what they didn’t do and whether it was reasonable in the context of today’s regulations.”
Click here to register for the upcoming webinar, “What the Latest Cybersecurity Developments Mean for Legal Teams”