In February, three North Korean computer programmers were charged by US authorities with conspiring to steal and extort more than $1.3bn in money and cryptocurrency from banks and other companies via state-sponsored cyber-attacks.
The plan, changing traditional perceptions of bank robbers, demonstrates that companies must do more to protect their digital assets from not just lone cyber criminals but whole nation states — and the steep cost of failing to do so.
Lawyers provide a crucial line of defense in assessing, managing and mitigating the legal and regulatory risks in the internet age, says Jamil Jaffer, founder and executive director of the National Security Institute at Antonin Scalia Law School in Arlington, Virginia.
“When a company has a breach, the first thing they do is call their lawyers,” says the director of the National Security Law and Policy Program, a concentration for LL.M. students keen on specializing in this dynamic field of law. It’s one of a wide range of options for law students today.
Jeffrey Dennis, a lecturer on the LL.M. in Privacy Law and Cybersecurity at California’s USC Gould School of Law, says attorneys can help in many ways, whether through conducting a risk assessment, or securing cyber liability insurance or mounting a litigation defense should a breach occur.
The threat of attacks has increased due to the coronavirus pandemic, highlighting the need for lawyers who specialize. More than a quarter of all cyber incidents detected in the UK in the past year involved criminals or hostile states exploiting the pandemic, especially in the healthcare sector. Pfizer and BioNTech said a European breach in December exposed their Covid-19 vaccines documents, for instance.
“The job is becoming harder, but also more interesting, due to the general advancement of technology and its adoption by companies all around the world,” says Aaron Ghirardelli, visiting associate professor at LMU Loyola Law School in Los Angeles.
The work is also becoming more interesting due to the increasing number of data privacy laws and regulations, he says. For example, European GDPR has created a framework that every company must follow, or risk penalties of up to €10 million.
Demand on the rise for attorneys with cybersecurity expertise
Over the past few years, a number of law schools have launched LL.M. programs in Cybersecurity Law. For instance, in 2018, New York’s Albany Law School launched an online LL.M. in Cybersecurity and Data Privacy Law. And last year, the University of Texas School of Law launched an LL.M. concentration in Cybersecurity as well. Other schools outside of the US, schools such as Canada’s Osgoode Hall Law School and the UK’s University of Manchester, also offer related programs.
LMU Loyola Law School’s Cybersecurity and Data Privacy LL.M. specialization includes a course specifically covering cyber risk management and incident response.
Demand is high but supply is short for attorneys with data privacy and cybersecurity expertise, says Ghirardelli, highlighting the need for education programs.
“More big firms are opening data privacy or cybersecurity departments,” he says. “More companies are hiring professionals in their in-house legal teams and there is a growing number of opportunities in the public sector as well.”
He points out that LL.M. students specializing in this field will have a distinct advantage over the competition. The Cybersecurity and Data Privacy LL.M. at Loyola Law School covers regulatory compliance, European cybersecurity, national security, internet law, privacy and intellectual property, important topics in this field.
On the LL.M., Ghirardelli says students learn not just from scholars but partners in big law firms and general counsels in major corporations who deal with cybersecurity and data privacy issues on a daily basis. “This will give students a unique opportunity to learn the law under a practical perspective,” he says.
What is making the job more difficult is the ever-evolving types and severity of data breaches, ransomware and malware, says Dennis at USC Gould, who is also head of the privacy and data security practice at Newmeyer Dillion, a law firm.
Lawyers in this field must be able to keep pace with, and adapt their strategies to, this ever-changing landscape, he says. “Data breaches bring a whole host of risks for companies, including reputational damage, loss of intellectual property, loss of consumer information, violation of applicable laws and regulations, even potential litigation.”
The skills needed to excel in cybersecurity law
Lawyers who excel in this field possess several key qualities, says Dennis, including the ability to stay current on cybersecurity threats, laws and trends, and the drive to proactively work with clients to establish cyber risk management programs.
They also need to understand that every company has a unique risk profile, he adds. “Great cyber attorneys recognize this fact, take the time to understand a particular company’s risks and risk aversion, and develop an appropriate program to effectively and efficiently meet the client’s needs.”
In addition, a data privacy or cybersecurity lawyer should be a leader in a globalized market, must understand the fundamentals of business law and entrepreneurship, and have strong collaboration skills, adds Ghirardelli at Loyola Law School.
“Companies might not understand the importance of proper data management and might consider this as an additional cost; a good lawyer will find the more appropriate way for his clients to incorporate rules and procedures,” he says.
Dennis adds that job prospects are excellent for new law grads in the privacy or cybersecurity field. “Law firms are looking for talented, hard-working attorneys who understand enough of the technology to be effective counselors in this space.”