By James Nicodemus
The cyber attacks that the Cybersecurity Act of 2012 cautions against might sound like the plot of a new “Mission Impossible” movie, but for in-house lawyers at a wide variety of companies, such concerns soon might be unavoidable.
“We are in the midst of a tidal wave of cyber security legislation for many industries, and we have a standard of care that is emerging,” said Andrew Schlidt of Whyte, Hirschboeck, Dudek in Milwaukee.
The proposed federal Cybersecurity Act, which was introduced Feb. 14 by a bipartisan group of senators, could require companies that own or are responsible for potentially vulnerable “covered critical infrastructure” such as power grids, nuclear facilities, water resources, stock exchanges, financial transactions and satellite communications to dramatically ramp up their cyber security levels and undergo rigorous compliance obligations.
A co-sponsor of the legislation, Sen. Susan Collins, R-Maine, said action needs to be taken now because 85 percent of the nation’s critical infrastructure is owned by the private sector.
As such, Schlidt, who represents a wide array of corporate clients as chairman of the technology law group at his firm, said practitioners should look at the proposed legislation inclusively. In five years, he said, such regulations could be the new standard for a variety of industries.
“We will see this standard of care put to the test on a regular basis,” he said. “It will be how these companies and their legal counsel, and even their service providers, put policies and processes into place to comply with regulatory mandates, mitigate damages, allocate risk, communicate with the government about threats and receive threat information that could impact their companies.”
Lawyers who do not pay attention to the emerging standards could be viewed as negligent in the near future, Schlidt added.
“It won’t be acceptable for these covered infrastructure companies or their service providers to turn the other way and ignore these threats,” he said. “Law firms that don’t address these issues with their clients could be in breach of their ethical duties.”
The proposed legislation and potential concerns will be part of in-house counsel’s changing role, said Shubha Ghosh, a law professor at the University of Wisconsin.
“Forty years ago, law students were told that if they wanted to be effective corporate attorneys, they needed to know something about business,” Ghosh said. “Now, [corporate counsel] has to be a technologist, as well.”
That will require being familiar with and understanding the internal mechanisms of the corporation, its technology, and how it is serviced and maintained, he said.
“There’s an old saying that the purpose of a corporate counsel is to keep the company out of trouble,” Ghosh said. “With the threats and risks we see from cyber terrorism, it will take additional diligence to keep them out of trouble.”
Much of that risk directly is tied to information of threats and how quickly companies can respond, said Leezie Kim, a corporate
attorney who previously served as a deputy general counsel in the U.S. Department of Homeland Security.
Kim said she is confident utilities and other covered companies already are working hard to put processes into place and erect cyber security perimeters to protect computer systems and the nation’s critical infrastructure. The threats are real, she said, as should be lawyers’ concern.
“This is a big national security issue,” she said. “As lawyers, we all have to do our part.”