Law firms setting up cyber specialties as attacks grow

Thomas Franz
BridgeTower Media Newswires

Data breaches might look like fodder for headline news or primetime television, but lawyers warn that the legal drama that can unfold following an errant keystroke is real and increasingly common.

When it comes to tracked data breaches, the United States hit an all-time high last year with 1,093 reported breaches. This is a nearly 40 percent increase from 780 documented cases the previous year, according to a study released in January by Identity Theft Resource Center in San Diego and CyberScout in Scottsdale, Arizona.

As more and more individuals and businesses fall victim to violations of cybersecurity — from losing a computer containing confidential information to downloading a crippling virus — some law firms have expanded their practices to create cybersecurity specialties, while others have reported an increase in computer-related business.

“The practice in our firm has grown quite a bit,” said Claudia Rast, an attorney and shareholder at Butzel Long in Ann Arbor. “In cybersecurity specifically in the issue of breaches and reporting and specifically attacks on law firms and big companies, that’s grown quite a bit in the last couple of years. It’s a big part of my practice.”

Rast was on the ground floor of cybersecurity law in 1992, when she gave presentations on how lawyers can use the internet.

“Here was a new technology that typically we were in libraries using books, and all of a sudden this information was online and we didn’t have to go to big law libraries. I was going around showing attorneys how they can do research online when we didn’t even have a web user interface,” Rast said.

Colin M. Battersby, a principal at Miller Canfield in Detroit and a co-leader of the firm’s Cyber Security and Data Privacy Team which was formed recently, said his firm’s cyber team has grown considerably in a short amount of time. Miller Canfield has 14 lawyers on its cybersecurity team.

“We were doing different things around the firm, and at some point about a year ago we said let’s pull this all together,” Battersby said. “We’re a relatively recent formalized practice team, but we’ve been doing this type of work in different spots for sometime well before then.”

Battersby said Miller Canfield’s cyber team assists clients in three primary ways.

“We have front-end consulting dealing with businesses and how they are securing their information and helping them implement policies and procedures to make that happen,” Battersby said. “We also help with incident response when there’s an active data breach, we’re on the back-end litigating that stuff when there’s either a civil litigation or a regulatory enforcement action.”

Evolving needs

Over the past 25 years, Rast has seen client needs change vastly in the area of cybersecurity law.

As technology has increased, so as the level of sophistication in attacks by hackers, Rast said.

“The early cases of cybersecurity focused mostly on retailers, where the bad guys were looking for information. It’s much more sophisticated now because you have different techniques trying to break into companies to get trade secret information or other kinds of intellectual property. We see a lot, especially near the end of tax season, when HR directors are targeted,” Rast said.

Battersby said there remains a need to make clients aware of the benefits preventative tactics provide to ensure protection.

“We see the needs that clients have as far as what they have to do to make sure they have a robust cybersecurity program. Those things are continuously evolving, but there’s still a challenge with getting clients to understand they need to take some preventative measures on the front end, doing the right things to make sure they’re set up to secure themselves,” Battersby said.

Battersby added that as companies become more digital, risk also increases.

“In large organizations with a lot of different people having access to information, there’s a lot of potential risk associated even with the most well-intentioned people making mistakes and biting on phishing emails and inviting malware into their operations,” he said.

“The needs are to have a good security program in place and training employees because a lot of cybersecurity incidents begin with an employee making a mistake and clicking on something they shouldn’t.”

Entering the field

In addition to having varying levels of experience in cyber law, Battersby and Rast each approach the subject with differing backgrounds.

Rast began her career in science and environmental law, while Battersby’s background is primarily in litigation.

Those perspectives allow them to see that there is not one specific route to becoming or hiring a cyber specialist, rather that skills associated with a lawyer’s background will assist them in training for cyber law.

“With my background in environmental and science, I tried to distinguish one contaminant to another. Those forensics kind of applied to the internet when it became necessary to understand pieces of data and the good, the bad, and malicious,” Rast said. “Attention to detail is key, along with the interest in focus in forensics and not be fearful of looking at many lines of code.”

Battersby agreed that an interest in the field is significant.

“I think what you really have to do is be interested in being in an area that’s evolving and that has a fair amount of uncertainty, and then enjoy the ride a little bit,” Battersby said. “I sort of fell into the data breach litigation that came up a few years ago. I thought this was very interesting stuff and it seemed like a natural fit.”

————
Th
omas Franz is the digital editor at Michigan Lawyers Weekly. He can be reached at tfranz@mi.lawyersweekly.com. Pepper Van Tassell and Gina Gallucci-White of BridgeTower Media Newswires contributed to this report.