As corporate cybersecurity breaches become increasingly common, businesses are coming around to the realization that they need to take proactive measures to prepare for the inevitable.
All this has resulted in a turf war among different factions trying to be the first in line to help companies get their digital houses in order, and several L.A. firms – including legal powerhouses Latham & Watkins and Munger Tolles & Olson – are at the center of the battle.
Getting out in front of the problem can be costly, but companies are learning it costs more – both in fines and reputational damage – when increased regulatory scrutiny in the wake of a breach exposes lax security controls. Those expenditures come in addition to the cost of defending class actions and other lawsuits filed by affected customers, employees, and business partners.
High-profile attacks against Sony Pictures Entertainment and Target Corp. in the past several years have garnered national headlines, but scores of smaller breaches have also occurred and are increasing in regularity.
A report issued by state Attorney General Kamala Harris in February found there had been 657 data breaches affecting the personal records of 49 million Californians between 2012 and last year.
While formal federal legislation languishes, enforcement bodies including the Federal Trade Commission have issued guidance and 47 states have passed laws concerning data security. In California, consumer protection laws are particularly strong, and combined penalties and fines can approach seven figures – not including legal fees if they are fought, according to Sharon Klein, a partner in the Irvine office of law firm Pepper Hamilton.
“Where I see companies get hit with a host of fines and penalties is when a business just completely ignores (possible data breaches),” Klein said. “You really need to think about privacy and data security. It’s not an afterthought.”
Guidance issued by Harris in her February report reiterated state law requirements that businesses must use “reasonable security procedures and practices … to protect personal information from unauthorized access, destruction, use, modification, or disclosure.”
This environment has galvanized companies to set up more robust action plans for data security. That means more work for people such as James Aquilina, the Century City-based head of digital forensics for Stroz Friedberg, an international cybersecurity firm headquartered in New York.
Expenditures vary widely by industry and business size. Some working in the industry said initial consulting costs for a midsize business can tally around $100,000 with $50,000 in yearly upkeep.
While Aquilina said there’s still some residual reticence from business owners about paying the upfront costs, that’s beginning to change.
“Companies are definitely spending more money,” he said. “I get a lot of panicked requests still because businesses are not fully equipped to handle a breach.”
Cyberbattles
Those dollars are up for grabs, and law firms such as downtown L.A.’s Latham and Munger Tolles are competing with traditional cybersecurity and investigative firms such as Stroz Friedberg and New York-based Kroll for clients, according to Jennifer Archie, a Washington, D.C.-based partner for Latham.
“When helping a business get ready for a potential data breach, there’s a lot of components and law firms are in direct competition with big investigative consulting firms,” she said. “A lot of it is about having dealt with a high number of incidents and knowing what to expect. You really need a lawyer on the front end to help shape the plan so you’re ready for a breach.”
Grant Davis-Denny, a Munger Tolles partner, said he views the relationship with traditional security firms as more collaborative, though he acknowledged that competition among law firms is fierce.
“A lot of different firms are trying to develop practices in this area,” he said.
While almost every major firm now has some sort of cyber- or data security practice, it’s still a somewhat nascent area of expertise, with staffing and branding varying from firm to firm. Latham has about a dozen core partners who deal with cybersecurity issues intimately, but its data privacy, security and cybercrime team draws from a group of approximately 50 attorneys nationwide, including former White House Counsel Kathryn Ruemmler, who’s based in Washington, D.C.
Munger has a similar setup with attorneys specializing in different areas related to privacy and data security. Davis-Denny said the firm both does full-scale assessment work and takes on cases where it is dealing with individual issues.
“Some clients are looking for general advice and others have a specific incident that they need a response to,” he said.