Cybersecurity lawyers do not provide oversight; they work actively to help secure the company’s networks. They also need support to develop robust cybersecurity legal practices, build individual expertise and mature our cybersecurity ecosystem.
By Kevin Motaroki
The amount of data out there for the taking is dizzying, with a slew of disruptive ransomware attacks rocking the corporate scene at a time of working remotely. While cybersecurity has become a priority for businesses over the past year, hackers too have become more skilled, which makes neglecting cybersecurity not just risky but reckless.
Creating pipelines to encourage lawyers to practice cybersecurity and privacy law for legal firms should be a priority. What skills do aspiring and practising lawyers need to stand out as cybersecurity experts?
One, a cybersecurity lawyer must have a strong base in cybersecurity laws. In Kenya, one needs to understand the Kenya Information and Communications Act 1998, the Computer Misuse and Cybercrimes Act, 2018, Data Protection Act, 2019, and Article 31 of the Constitution, among others. A cyber lawyer’s knowledge must also encompass an understanding of privacy laws and provisions, which impose requirements to ensure data security to enable it to remain private.
Tied to this, a cybersecurity lawyer needs to be aware of emerging legislation, not just react to laws and acts after they have been passed. This requires one to keep oneself updated with current news and be aware of provisions in important legislation and its applicability to different jurisdictions. This knowledge will allow clients to monitor what changes are likely to be necessary and plan accordingly, rather than apply impromptu changes. When caught in good time, it is possible for lawyers to work or consult with lawmakers to craft laws that are informed with industry expertise.
Knowledge of law and tech
Secondly, a cybersecurity lawyer must be conversant in legal and technological jargon. This way, they can translate legal requirements, for example, obligations imposed by certain provisions or regulations. A good understanding of the technical details allows one to ask probing questions, thrash out legal issues, spot inconsistencies, and translate risks to clients.
Thirdly, a good cybersecurity lawyer must understand the functions of different government agencies and how to leverage each. This is particularly useful if negotiating a contract that straddles private and public entities. In such a scenario, a strong grounding in national security laws can enable one to identify opportunities for corporations to access and leverage unique government data — as is often the case in public-private partnerships (PPPs).
Beyond their knowledge of statutes, cybersecurity lawyers should pivot their knowledge of cyber and national security laws to help their clients build relationships with key government agencies, such as the State Law Office, the Communications Authority, and the ICT Ministry. Such contacts can help establish and maintain close government relationships. Government agencies often approach law firms for law enforcement or regulatory perspectives, and strong prior contacts can be valuable.
Understand the litigation landscape
Fourthly, a cybersecurity lawyer must understand the national and international litigation landscapes. Court decisions may have a bearing on a company’s cybersecurity efforts. For example, the indictment of a telecoms CEO who failed to report a data breach may have important implications for a chip importing company. Another could be the significance of a court decision on whether a security report by an external auditor is protected under attorney-client privilege. A good lawyer needs to consider applicable decisions to advise and advise their client appropriately.
For company lawyers, it is necessary to be closely involved in internal audit and risk processes. For example, where a company contracts an external services provider to conduct a cybersecurity risk assessment, the company lawyer needs to have a strong role in that process. They could advise for the assessment to be conducted to minimize potential liability or whether the privilege is necessary to protect some operational aspects. More broadly, the cybersecurity lawyer ought to take a lead role in developing a corporation’s cybersecurity protocol, including how risks are documented, escalated, and resolved. This aspect also includes reviewing board decisions and communications to minimize misinterpretation, and limit potential liability.
Next, a cybersecurity lawyer must be an expert on contract clauses. This expertise comes in handy in many instances, including reviewing and negotiating hardware purchases, software licensing provisions, an organization’s agreements with security and other third-party vendors, including anticipating government views on different global corporations, which determine the scope and flow of business with multinationals. For example, if the government views a certain third party as a security risk, even if such a firm is not blacklisted, that could cause difficulties in the future. This is one area where knowledge of the regulatory space and robust relationships with government agencies prove valuable.
Finally, it is a good cyber lawyer’s responsibility to curate and own decisions on avoiding, mitigating, or accepting risk, often through insurance where appropriate. While insurance is a different legal ambit, a cybersecurity lawyer can advise the client on the scope and nature of any risk transference. Where an insurance policy is deemed appropriate, the cybersecurity lawyer must ensure the contract provides acceptable levels of coverage, in terms of the amount and scope that matches the client’s major areas of cyber-related liability risks.
While Kenya’s cybersecurity space has developed appreciably over the past several years, the practice of cybersecurity law is still nascent. Through personal efforts and company initiatives, lawyers need support to develop robust cybersecurity legal practices to build individual expertise and mature our cybersecurity ecosystem.