For Lawyers, RSA Security Conference is a Hot Ticket by Patience Haggin

25/04/2015 15:09

SAN FRANCISCO — Every year since 2002, Cooley special counsel Randy Sabett has spent a week at the RSA Conference. RSA is the world's biggest security conference, and it's long drawn tens of thousands of professionals—engineers, risk managers, executives, entrepreneurs—to share threat scenarios and security strategies surrounding the world's vast and increasingly connected systems and data stockpiles.

Sabett said he's seen a growing number of lawyers at the conference each year, a trend that has only accelerated after a few high-profile breaches made cybersecurity the hot practice area of the moment. "There's a lot of people practicing [cybersecurity law] now, but there's a core group of us who have been doing it for a very long time," he said.

This year the conference coincided with congressional efforts to offer a liability shield to companies that share security concerns with each other. The bill, which passed the House of Representatives on Wednesday, was front-of-mind for attorneys at the conference.

The measure comes at a time when companies are starting to buy up cybersecurity insurance to give themselves a parachute in the event of a breach—and their counsel are eyeing cybersecurity insurance policies as the potential next requirement for any company with a store of sensitive data. Cybersecurity insurance boomed into a $2 billion business after the attack on Sony Pictures late last year, for the first time attracting even companies that don't interface directly with customers, The Hill reported.

General liability policies usually exclude coverage for cybersecurity breaches—and have been expanding those exclusions in the past few years. Some breached companies, such as P.F. Chang's, have ended up fighting their insurers in court to get breach coverage out of a general liability policy. Panelist Tracie Grella, AIG's global head of professional liability, said she didn't know of any litigation testing a cyberinsurance policy.

Paul Ferrillo, counsel at Weil, Gotshal & Manges in New York, told the cyberinsurance panel that the liability protections afforded by the bill wouldn't diminish companies' need for—and interest in—cyberinsurance. Instead, he predicted that participation in information-sharing would become another hallmark of good cybersecurity hygiene.

"Information sharing, I think, is a very important measure of having your eye on the ball," Ferrillo said after the panel. He predicted that insurance companies would look favorably on companies that participated in information-sharing, and that it would provide another way for companies to "stop drinking and smoking" in order to get a policy.

"I think the attempt with the liability protection is to have a bit of a carrot that will allow companies to be more comfortable sharing things," said Sabett, who counsels clients on cybersecurity compliance out of Washington. Hackers often attack one company, then use the same vulnerability on another within two to three days, so a rapid-fire sharing system could prove quite valuable in helping other companies ward off attacks.

Today most information-sharing occurs through industry-specific exchanges, called Information Sharing and Analysis Centers, or ISACs. The FS-ISAC, which serves the financial sector, has become a kind of gold standard for these, according to Richard Struse, chief advanced technology officer for the U.S. Department of Homeland Security's Cybersecurity and Communications Integration Center, who spoke on an RSA panel.

Another headache for global companies is the constellation of different privacy regulations in different jurisdictions. Some countries, such as Austria, have ostensibly onerous regulations, but no real enforcement, said James Halpert, a DLA Piper partner and co-chair of the firm's global data protection practice.

"Both on cybersecurity and privacy, there are virtually hundreds of requirements if you do business in 30 countries, and you probably can't comply with all of them. So figuring out the 80/20 rule is essential to assess risk," Halpert said.
