For years, company executives shrugged at the risk of having computers hacked.
No more. In the wake of a series of major corporate computer breaches, especially an egregious one at Sony Pictures Entertainment in Culver City late last year, businesses are rushing for cover.
Companies that long believed they could avert risk by installing special software to block hackers have quickly learned that doesn’t always work, said Marc Maister, a partner at Irell & Manella who is heading the firm’s cybersecurity practice, which launched last month.
“I think everybody’s starting to realize that no matter how robust your system is, there’s a chance you can still have a data incident,” Maister said.
That realization has fed a boom in demand for legal help in the area, said Michael Overly, a partner in the downtown L.A. office of Foley & Lardner who focuses on intellectual property and privacy issues.
“It’s now incredibly easy for even unskilled people to hack others,” Overly said. “There are tools online that teach you how to compromise systems.”
In addition to the loss of proprietary or confidential information, hacked businesses can now face between $700,000 and $3.5 million to remediate damages from a data breach.
That, in turn, has fed corporate spending on cybersecurity and data privacy legal services, which is expected to hit $1.5 billion nationwide this year, up 8 percent from last year. That growth is nearly three times the next-fastest growing practice sector, according to a recent report by market research firm BTI Consulting Group.
Yet despite the demand for more legal services, firms are struggling to find qualified attorneys, said Kristen Eichensehr, a professor of cybersecurity law at UCLA’s School of Law.
“It makes sense to start preparing students for cybersecurity practices,” she said. “Businesses need lawyers who know about data breach law and other cybersecurity issues on a daily basis.”
Complicating matters, data security laws and regulations vary by state and country. And then there’s the technology.
“You have to be very familiar with technology and how it works,” Overly said. “It’s difficult to instantaneously say, ‘I’m going to be a cybersecurity lawyer next week.’”
Because of that complexity, Overly said he regularly puts his two engineering degrees to work.
“There are really a lot of superb lawyers in this area, but there are not thousands,” said Michael Gold, co-chair of the data privacy group at Century City’s Jeffer Mangels Butler & Mitchell. “Some lawyers are really very knowledgeable about privacy laws; on the other hand, I have not seen a lot of lawyers in this space who really have a handle on the technology.”
Indeed, Gold stumbled into the practice some 20 years ago.
It still doesn’t completely make sense to him that, as a young commercial litigator in the mid-1990s, he was approached by an international tech company. Intrigued by the opportunity, he took on the client and immersed himself in the complex world of technology – an industry he previously knew little about.
“I had a very big appetite to learn that area; not just the legal side of it, but the technology part of it,” he said.
Before long, Gold became the go-to guy when colleagues and clients first started complaining about hacked computer systems in the early 2000s. Then came the Sony cyberattack.
“The Sony hack was really a watershed,” Gold said. “People began thinking about ‘How long are we keeping e-mails we don’t need to keep? How are we storing information? How are we doing with our defense technology and are we doing it the right way?’”
The biggest challenge, he said, is that business owners and top executives don’t understand how much sensitive data their computers store.
“One question I like to ask my clients is: Can you tell me what your digital assets are?” he said. “They’re clueless.”
The first step to securing data, Gold said, is to identify the information stored, where it can be found and who has access to it. After that, companies ought to determine whether they truly need all of that data and purge any nonessential information.
At its core, he said, each data breach is the result of human behavior. That’s why a huge chunk of his work consists of developing updated policies with top-level executives that limit access employees have to confidential information.
“It amazes me that you can go into a company and person A’s secretary can look at person D’s stuff,” he said. “Why does he or she have a need for that?”