Cybersecurity Forum

[BNA]

Starting a post-J.D. masters program in cybersecurity from NYU Law and Tandon Engineering, and I'm looking for discussion on information privacy compliance and client advice. Hard to find dedicated practitioners. Most I've talked with spend most of their time in corporate/sec.

[haus]

My gig is mostly been focused on incident response.

This brings me into contact with my orgs privacy team frequently for both operational issues and for planning/policy issues as well.

[sgd19]

Is there a lot of work in this area? Seems like you wait for some crisis to happen and then respond. Or is there more proactive legal work here?

[haus]

Is there a lot of work in this area? Seems like you wait for some crisis to happen and then respond. Or is there more proactive legal work here?

I have been in IT for over a quarter century, the last dozen years I have spent in specifically InfoSec. I have seen growth in the legal tie-ins to both IT and InfoSec. This is especially true in gov and highly regulated industries. The most dramatic is the use of attorneys in breach response teams (often these teams are outside hired hands specializing in incident response... e.g. Stroz Friedberg), more boring, but more predictable are an increase of jobs in policy/procedure for internal work as well as reviewing plans/contracts with external partners/vendors/customers (any groups needing significant data sharing), also I am seeing more interest to have attorneys directly on teams dealing with managing PII/SI (think conforming to law/policy/contracts in storage, movement, and use of, as well as dealing with the the clean-up along side the incident response team when something has been exposed).

[helloscriptkitti]

I worked in Cybersecurity b4 attending a T14 and I'm back in cybersecurity 2 yrs after graduating (long story). There is definitely a lot more overlap between legal and cybersecurity than there was when I first started (in 2004), especially in highly regulated industries like Financial Services and healthcare. I work in healthcare where the HIPAA Privacy and Security regulations are being heavily impacted by the digitization of medical records and services. I'm in a non-legal role and am officially a member of the cybersecurity team (information security risk mgmt), but I interact with the in-house counsels and compliance attys on a constant basis. Because the attys are not technically-inclined, my technical + legal knowledge allows me to serve as an advisor and intermediary between the legal, business and technical teams. Not only am I involved in writing a lot of cybersecurity policies, but I also assist them with contract review from an information security risk perspective and conduct third-party risk assessments on the vendors that the organization contracts with, evaluating them from a technical, legal and business risk perspective. Additionally, in the event of a data breach, I have had to write incident reports and conduct assessments to determine whether the incident or breach warranted reporting to the govt based on HIPAA compliance requirements. This is something that the Compliance Attys would not be able to do on their own because they are more focused on the Privacy aspects of HIPAA (more procedural and policy-based), rather than the security side (more technical).

I can only see the dependencies and overlap between cybersecurity and law continuing to expand at a very rapid pace and across many different disciplines and industries. A lot of those positions will probably be focused on risk management, because let's face it, attempting to minimize risk is pretty much all you can do in the cyber world. It's usually not a matter of if an organization will be attacked, but when.

[Lesion of Doom]

^ Thank you for that response. I'm very interested in this area and have pursued some coursework to that end — seems to be the Wild West in some respects.

That said, how would you assess the realm market by market? I'm headed to NYC and presume there's less HIPAA-type work available, but I'm curious if the policy side is available there and not only security.