Legal Blog

Why Do I Need an Attorney for a Cybersecurity Issue

What is the number one issue keeping company directors up at night? Cybersecurity risk, according to a recent FTI Consulting survey.

This should come as no surprise to anyone who has followed the news over the past year, as high-profile cyber attacks occur with increasing frequency. Notetaking software suite Evernote, for instance, recently suffered a distributed denial-of-service (DDoS) attack, leaving customers unable to connect to its servers for hours. This, on the heels of the Heartbleed OpenSSL bug in April and Target’s catastrophic customer data breach last December (not to mention Edward Snowden’s highly-publicized NSA leaks), has generated widespread uncertainty regarding data protection and privacy matters in companies of all sizes.

Cybersecurity, it turns out, is not infallible—not even close. And its use presents several unfamiliar legal matters, such as compliance with national security requirements, civil litigation over data and privacy breaches, and corporate governance.

The bottom line: Even with a rock-solid cybersecurity system, you still need an attorney. Legal counsel can help you reduce your company’s cybersecurity legal risks.  Here are just a few examples:


Cybersecurity is inherently an information technology (IT) issue. Chances are your company already has procedures in place for collecting, storing, and circulating sensitive information. Make sure to keep these procedures updated, and with the help of legal counsel, make sure that processes are in place so that all employees follow the procedures to the letter. While companies devote the better part of their security resources counteracting external digital threats, oversight from within presents just as much risk. Do not neglect the obvious: employee negligence and theft.  A lawyer’s assistance in formulating employee control safeguards and enforcing them is often critical to their success.

Be careful not to rely only on preventative measures – though they are the first line of defense. Also, ormulate an incident response plan, so that you can follow a course of action in the event of an attack, leak, or disruption. Involve all stakeholders—management, IT personnel, lawyers, compliance officers, and human resources staff—because an incident can happen any time, in any department.

 Contractual Risk-shifting

Your company does not need to bear cybersecurity liability alone. Through shrewd contract drafting, your attorney can shift some of the risk onto vendors and customers, thereby sidestepping financial culpability and potential litigation.

First, get to know your cybersecurity vendors. What are their protective measures and information loss procedures? Is any IT outsourced, and what other parties are involved? Do your vendors have insurance? Ideally, contracts should include the vendor’s representations and warranties, as well as an indemnification clause that lays out which party is responsible should an incident occur.

Equal precaution should be taken with customers. A cybersecurity attorney can write your customer agreements to avoid implied guarantees of security, and limit possible disputes via forum selection, arbitration, and jury waiver clauses. These provisions dictate where and on what terms customers can pursue a claim against your company after a cyber attack or other data breach.

In the event of a cyber attack, natural disaster, or other event beyond your control, there is protection in the form of force majeure—Latin for “superior force”—a clause that frees your company, customers, and/or vendors from certain types of financial liability. Force majeure is especially useful in the cybersecurity industry, where many threats appear without warning.  Most force majeure clauses, however, are not written to cover a cyber breach.  Your lawyer can make sure that your clauses are drafted properly.

 Problem Resolution Strategy

When the unexpected does strike, an attorney should be on hand to minimize the damage and manage conflict. The first step is preempting litigation by keeping the lines of communication open. Notify customers of a breach and provide instructions for securing compromised data by, for example, changing passwords or taking servers offline.  Your lawyer can help guide you through the thicket of notice laws, which differ depending on the state in which you are located and the industry in which you do business.

Compliance matters should not be handled alone. Your attorney will help ensure cooperation with state and federal authorities during a breach or audit.

Once the dust settles after a hacker attack, your company should perform an internal cybersecurity investigation to find out how the breach occurred. Your attorney can limit access to the results of this investigation via attorney-client privilege, thus helping safeguarde the company in any ensuing lawsuits.

Cybersecurity is a critical sector of the U.S. economy, rife with unique opportunities and legal challenges. In response to this emerging industry, Offit Kurman has formed a specialized practice group of attorneys focused on addressing cyber issues and threats. For more information, visit our cybersecurity services portal, where you can also find cybersecurity news stories and articles written by our team of attorneys.

If you have any questions regarding Cybersecurity, contact Offit Kurman’s cybersecurity and government contracting attorney Edward Tolchin at:

Social Media Policy240-507-1769 |

Mr. Tolchin’s practice is focused on government contracting, cybersecurity, business litigation, and technology matters. In government contracting issues, Mr. Tolchin represents prime and subcontractors in contract negotiation and formation matters and in disputes involving both government and commercial business issues. He has been involved in procurement cases before many of the federal and state boards of contract appeal, Government Accountability Office, Small Business Administration, United States Court of Federal Claims, Court of Appeals for the Federal Circuit and other federal and state courts across the United States.

His Business litigation practice involves large and small matters in federal and state courts and before numerous arbitration panels. In the technology arena, Mr. Tolchin has assisted in disputes, licensing, and business development matters for clients ranging from startups to Fortune 500 companies.