Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

August 2018
For lawyers who focus on cybersecurity, there’s a wealth of resources.
Ruth Hill Bro first joined the American Bar Association shortly after she graduated from the University of Chicago Law School. She began playing an active role at the urging of a mentor at the law firm she joined, which is now part of Holland & Knight (she was later a partner at Baker & McKenzie). Already interested in privacy and technology in the mid-1990s, she led a CLE program on the topic at an ABA Annual Meeting. Soon afterward, she founded the ABA E-Privacy Law Committee and later became an original member of the group’s Cybersecurity Legal Task Force, which she now co-chairs. “I have worn, and still wear, a lot of hats in the ABA,” Bro says. Over the years, she’s seen the association’s attention to cybersecurity grow exponentially, mirroring the scope of the threat. She’s also helped it  develop resources that ought to benefit nearly any legal department.

CyberInsecurity: We hear so much about the challenges for women who work in tech. But there seem to be a lot of women lawyers who are working on cybersecurity—at least at outside law firms. Do you have the same sense that a good many women have found their way into this area of the law? 
Ruth Hill Bro: If the numbers I see in the American Bar Association are any indication, a lot of women are practicing in this area. For example, in the ABA Section of Science & Technology Law (SciTech, as we like to call it), half of the chairs in the past decade have been women. I chaired SciTech in 2008-2009 and went on the officer track when I was pregnant with the first of my two daughters. The two women chairs before me also went on the officer track when they were having children. People who attend SciTech’s annual Internet of Things (IoT) National Institute continually comment on how diverse our speaker panels are. In the institute’s first year, an article called “The Women of Cybersecurity” spotlighted this. We are seeing this diversity in our audiences as well.

CI: Why do you think this is happening?
RHB: SciTech creates a welcoming environment, where someone with great ideas and drive can go a long way quickly. And we’ve had many SciTech leaders who have championed diversity. When my term ended, I served as Membership and Diversity Committee chair for seven years. Beyond SciTech, the entire ABA values diversity and inclusion. It’s one of the organization’s core goals. Half of the ABA presidents in the past decade have been women; in fact, the last three have all been women.

CI: Are there also challenges for women lawyers who want to work in this area?
RHB: This area of law is challenging in that you need to spend a lot of nonbillable time keeping up on the ever-changing issues, which can make it harder to achieve that ever-elusive work/life balance. On the other hand, it’s an exciting area, the stuff of media headlines, so it’s fun to keep up on the issues (and doesn’t always feel like you’re working). There’s less of a glass ceiling, because the area is new and constantly changing, and the need for attorneys with expertise is growing quickly.

CI: Are there networking groups aimed at this corner of the profession?
RHB: The ABA has a wide range of groups that address data protection issues from a variety of disciplinary perspectives (technology, litigation, intellectual property, health law, business law, etc.). The Cybersecurity Legal Task Force that I co-chair pulls together all of these perspectives to provide an impressive breadth and depth on the legal issues. Half of the SciTech section’s committees, including the 10 in the Privacy, Security, and Emerging Technology Division, address different aspects of these issues. I always recommend SciTech to anyone who wants practical insights and perspectives on where things are going. When you get involved in the section, you discover that it’s a little like the TV show “Cheers,” where everybody knows your name, and they’re always glad you came.
  Other networking groups include state and local bar association committees and the International Association of Privacy Professionals, among others. It’s heartening to see the numbers of lawyers and business people focused on these issues increasing every year.

CI: Let’s turn to in-house lawyers for a moment. Are corporate law departments hiring more lawyers these days specifically to focus on cybersecurity?
RHB: There is an uptick in in-house hiring, given the rate at which cybersecurity issues are growing. Many of my contacts are senior in-house legal counsel or the chief privacy officer. This trend began several years ago, but it has picked up speed. In large companies, it’s common to have attorneys who focus on this area. In smaller companies, it’s one of several areas for which the attorney is responsible. If you don’t have someone in Legal who is responsible for this area, then you’re probably not addressing the issues in the way you should, especially as we’re seeing these issues affect the C-Suite, SEC disclosures and company reputations, which are easily cracked and not easily mended.

CI: What kind of background do these lawyers generally have?
RHB: In-house and outside counsel on data protection issues come from a range of backgrounds. There’s IT and e-commerce, because technology is driving many of the issues, and outsourcing has significant data protection issues. You find labor and employment, because technology has transformed the workplace. You also see consumer protection, compliance and sector-specific backgrounds in areas like health care and financial services. This range reflects the range of issues.

CI: For in-house lawyers, what are some of the cybersecurity challenges you anticipate in the coming year?
RHB: Well, I’ll give you four. Let’s start with data breaches. Companies are attractive targets for hackers and cyber terrorists, and they need to know how to prepare for and respond to them. Then there are contracts. Companies need to do their due diligence in working with third-party vendors, and they need to address data protection issues in M&A as well. A big one this year will be working to comply with continually emerging laws and regulations in all 50 states, at the federal level and globally (especially in the EU). And finally, as always, they need to keep up with the latest cyber threats and changes in technology: What’s coming up next, and how can you be an effective issue spotter? Is the company building privacy and security protection into the products and services it’s developing (privacy by design, security by design)? It’s much harder and more costly to play catch-up—or to fix problems under the glare of public scrutiny following a cybersecurity misstep.

CI: What are some of the resources the ABA has created to help lawyers grapple with the challenges of cybersecurity?
RHB: For many years, the ABA has offered a wide array of webinars and in-person programs in the form of CLEs and conferences, as well as books and articles. The ABA Cybersecurity Task Force has also been quite active, developing a cybersecurity vendor checklist , producing webinars and publishing the 2018 edition of “The ABA Cybersecurity Handbook.”   There are also many more resources on the ABA’s website, particularly on the SciTech   and Business Law pages.

CI: Do you have to be an ABA member to avail yourself of these resources? 
RHB: Being an ABA member definitely is an advantage, as you get access to some amazing resources that aren’t available elsewhere. (Nonlawyers can join the ABA as associate members.) Some great ABA resources, however, are publicly posted for free on the website.

CI: Do you believe that all in-house lawyers ought to know something about cybersecurity?     
RHB: These days, every lawyer should know about these issues. As consumers, we should also have a better understanding of these issues, because of what’s at stake: our data, the security of our homes that are increasingly internet-connected, etc. It’s hard to identify any area of the law, or life, that is not affected by technology. Regardless of the area in which you practice—corporate, litigation, labor and employment, intellectual property, etc.—you need to understand how rapidly changing technology affects your area of practice. That’s one reason I’m a member of SciTech, because it keeps identifying the next big thing.
  Recognizing how critical the advances in technology are, the ABA’s Ethics 20/20 Commission updated the Model Rules of Professional Responsibility to emphasize that lawyers need to keep up on technology developments as they affect their duties of competence (Rule 1.1), confidentiality (Rule 1.6) and so on. Ever-increasing cybersecurity threats led the ABA in 2017 to issue Formal Opinion 477R, on Securing Communication of Protected Client Information, to update prior guidance on transmitting client-related information over the internet. The opinion referred to our Task Force’s 2013 edition of “The ABA Cybersecurity Handbook.” These days, what attorney doesn’t use the internet to communicate about client matters?
There’s less of a glass ceiling in legal work related to cybersecurity because the area is new and growing quickly.
In-house hiring has brought in senior legal counsel and chief privacy officers.