What is Cybersecurity Law and What Do Cybersecurity Lawyers Do?


So far, our blog has tackled issues of ediscovery:  forms of data production and why CISOs should care about ediscovery.  But another aspect of our blog is “cybersecurity law” or “information security law.”  (I will use the terms interchangeably.)  The question naturally arises:  what is information security law?  Also, what do information security lawyers do? 

People are familiar with traditional areas of law, such as contracts, criminal law, and corporations.  They also know of areas of law practice like civil litigation, technology transactions, and mergers and acquisitions.  Some law firms have practice groups that provide a large variety of services for a single industry.  Examples include groups focusing on construction, entertainment, and transportation. 

Likewise, some law firms have “data protection” or “information security” groups.  These groups show that cybersecurity is a new practice area for lawyers and law firms.  Also, information security law is a new area of law.  And in yet other ways, information security is an industry focus.  This post discusses all of these dimensions of information security law. 

Information security, as a new area of law, includes a number of components.  First and foremost, information security lawyers counsel their clients on requirements to keep data and information systems secure.  These requirements may stem from public law (statutes and regulations) or private arrangements made via contracts.  Infosec lawyers help clients answer the key question:  What does my company really need to do to comply with infosec requirements under applicable law? 

Second, infosec law addresses liability that arises from security breaches or defects in security products or services.  Parties injured by a security breach may sue to seek damages or an injunction against the parties responsible for the breach.  When the perpetrators cannot be found or it isn't worth suing them, injured parties may sue others who allowed the breach to occur or failed to stop it.  Companies purchasing security products or services may sue their vendors when the products or services don't work as advertised or when they fail to prevent a breach.  Infosec lawyers bring suit on behalf of the injured party or defend these kinds of suits. 

Third, infosec law covers secure electronic commerce.  Secure electronic commerce answers questions such as:

• How do parties form contracts online?
• Are online contracts treated the same as paper contracts under the law?
• What must a person or business do to authenticate that person or business to another party online?
• What must be done to tie an individual or business to an online transaction and hold that party accountable?
• What can show that a person has agreed to an online transaction: an electronic signature, a secure form of electronic signature, or a digital signature? 

Secure electronic commerce systems or programs may, for instance, establish a trading community in which a large organization can procure products or services from its vendors.  E-commerce lawyers counsel clients concerning ways to establish secure e-commerce systems, the interplay between background law and contracts involved in establishing these systems, and liability concerns arising from e-commerce activities. 

Information security law, in addition to being an area of law, is also a law practice.  Lawyers from a variety of traditional practice areas may work in the information security area.  For instance, lawyers specializing in government regulatory matters may advise clients on federal or state statutes that impose infosec requirements.  Attorneys working in government affairs in Washington or state capitals may become involved in lobbying efforts for or against new infosec legislation, such as the federal breach notification bills.  Litigation lawyers are likely to be the professionals handling disputes arising from security breaches.  Finally, members of technology transactions groups are often the first lawyers called in to counsel clients seeking to engage in secure e-commerce, although technology attorneys with the specialized skills needed to provide in-depth advice have created a distinct sub-specialty within the technology transactions umbrella.  In addition, some lawyers with deep information security expertise can assist other lawyers across the board in various practice areas when cybersecurity issues arise. 

Finally, information security lawyers focus on a particular industry:  the information technology industry.  In the future, law firms may have groups to address the specific needs of vendors of information security products and services.  For now, infosec lawyers need to develop deep IT experience and exposure to clients that depend on IT for their operations and sometimes their entire livelihood.  Infosec lawyers cultivate contacts among IT professionals, and infosec professionals in particular.  Servicing clients' infosec legal needs is a multi-disciplinary endeavor, and lawyers are creating fruitful partnerships and relationships with outside and in-house technical experts.  Lawyers in the infosec field simply cannot perform their jobs alone.  They require considerable assistance from experts with the technical expertise to provide comprehensive advice to clients.

In sum, information security is at once a new area of law, an area of practice, and an industry focus.  As with new areas of the law in the past, attorneys practicing cybersecurity law are those who have experience in allied areas of law, who have practices touching on a number of traditional practice areas, and who have IT and infosec technical expertise.  The mix of technical and legal issues, the need to work with multi-disciplinary teams, and the novelty of the field challenge information security lawyers, but make for a fascinating area of the law.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
