



Insider threat legalese

Apr 16, 2018 | 6 mins

Data and Information Security | Legal | Network Security

Understanding your lawyer’s perspective on insider threats...and three suggestions to help start the conversation.


“No…it depends…I’ll have to get back to you.”

Does this epithet of the corporate lawyer sound familiar?

[Insert your favorite lawyer joke here.]

Let’s face it, lawyers are not the easiest folks to deal with, and the interactions are a little (and perhaps at times a lot) like hugging a porcupine. Consequently, lawyers tend to be avoided at all costs, unless you need one, in which case you want the biggest porcupine you can find! Today, security managers are increasingly confronted with new regulations and liabilities that require interaction with legal counsel. Whether it be updated compliance regulations or new employment laws, the need for sound legal advice is omnipresent and on the rise.

“I don’t want a lawyer to tell me what I cannot do;

I hire him to tell me how to do what I want to do.”

– J.P. Morgan

Interactions between security managers and attorneys were historically limited to corporate compliance and investigative matters. Since the traditional perimeter security model focused on external threats, most legal questions involved audits of existing measures and essentially a one-way proclamation from counsel that you were, or were not, within legal bounds (i.e. what you cannot do). The new focus on managing insider threats has changed this optic considerably. Effective strategies incorporate both technical and non-technical means designed to understand your workforce, obtain necessary visibility of their behaviors, and respond to threatening actions. Each raises important legal issues that require sound legal counsel and active collaboration.

Enablers and gatekeepers

Lawyer jokes aside, there are generally two types of lawyers – Enablers and Gatekeepers. Enablers view themselves as your partners and are always striving to get you to “yes.” They will work with you to understand your problem, then work towards developing a solution that allows you to do what you want to do. Of course, the corporate counsel’s duty is to protect the corporation, so the corporate equities will always remain first and foremost. That said, the Enabler will work within those confines and attempt to craft a mutually acceptable solution. Conversely, the Gatekeeper views themselves as the sole “protector of the organization,” which often turns into an adversarial relationship. They tend to draw solely from their own experience and are less inclined to take the time to truly understand your problem for tailoring an acceptable solution.

There are many reasons why an attorney tends to be an Enabler or a Gatekeeper, and the role itself may switch depending on the issue at hand. That said, the primary reason is lack of confidence. This may be lack of confidence due to their own background (i.e. the type of law they’ve practiced), the corporate climate (i.e. an upcoming audit, a recent breach, a risk-aversion strategy, etc.), or a lack of understanding of the goals, roles, and functions of security managers (i.e. what you do). Naturally, a prudent attorney will only offer advice on matters in which he or she has confidence in both the facts and the law.

“An opinion is only worth the experience that supports it.”

Lawyers tend to be viewed as “legal vending machines.” Select your issue, ask your lawyer, and out comes the answer. Unfortunately, rare is the issue that is so black and white. The great majority of issues are best described as “shades of grey.” Simply pushing “A3” will not yield a suitable answer. Lawyers have varied backgrounds. In fact, there are currently 49 different board certified legal specializations encompassing a broad range of practice areas including everything from adoption law to wills.

Insider threat law

The security manager’s role is vastly different from other corporate roles in both scope and depth of potential legal issues. For example, the procurement department knows they will have contract issues. HR knows they will have employment issues. The security manager will deal with them all. To properly enable the security manager, attorneys require a unique skillset and expertise in something that I call “Insider Threat Law.”

Managing insider risk and implementing an insider threat program raises myriad privacy, regulatory compliance, operational liabilities, criminal and civil enforcement, and employment considerations. Each can have disastrous economic impacts on your business if not properly managed.

Insider threat law encompasses the following:

  • Compliance – insider threat program development, regulatory compliance
  • Intellectual property – asset protection, program development
  • Employment law – background checks, employment decisions, employment agreements, monitoring
  • Cybersecurity law – breach notification, incident response
  • Privacy law – collecting, processing, storing, and disseminating personal information
  • Criminal law – liaising with law enforcement, economic espionage, theft of trade secrets
  • Civil litigation – enforcing covenants, NDAs, obtaining injunctions

“A lawyer and a wagon wheel must both be well greased.”

– Sarte

Communicating with lawyers is a special skill, and one that is often developed over several years of painful experiences. However, here are three quick and easy suggestions that should get you started on the right foot. Good luck!

1. It takes a village

Like most aspects of life and business, the relationships we build and maintain often determine the level of success that we enjoy. Invite your attorney(s) to your working group meetings, have coffee or lunch, and establish effective working relationships. Anything “security” tends to evoke emotions ranging from “major inconvenience” to “Big Brother,” so showing your attorney that you really aren’t out to spy on everyone will pay dividends later.

2. Educate. Educate. Educate.

This could be #1, but it’s tough to educate anyone without first establishing some type of relationship. As mentioned above, attorneys that are not confident in either facts or law will not be able to effectively enable your mission. Their job is to know the law; your job is to educate and provide them with the facts. Help them understand your mission, objectives, and procedures. Understanding leads to appreciation and appreciation will lead them to becoming your enabler.

3. Transparency. Transparency. Transparency.

There is no room for cloak and dagger when dealing with your attorneys. Not only will this lead to distrust and an almost certainly undesirable outcome for you, but there are real legal and compliance matters that will be uncomfortable at best if you find yourself on the wrong side of them. Educating your new best friend will foster transparency, but it also takes an affirmative approach to create the necessary oversight and feedback mechanisms. This can be a monthly audit report of investigations or a quarterly meeting to discuss program initiatives and issues. Open and transparent communication is the key.


Shawn M. Thompson is the founder and director of the Insider Threat Training Academy and founder and president of the Insider Threat Management Group, LLC, which provides strategic cyber security and insider risk management advisory services and training to the private sector. He possesses over 15 years’ experience investigating, prosecuting, and managing insider threats and cyber intrusions and is widely sought after for his unique expertise.

Mr. Thompson is a former federal prosecutor and senior government official who held executive positions with several agencies including the DOJ, FBI, DoD and DNI. As a seasoned risk management professional, author, experienced prosecutor, credentialed Special Agent, and trained analyst, his cyber security acumen is second to none. He is a pioneer in the field of cyber security and insider risk management, serving as a frequent guest speaker and thought leader on a variety of security topics.

Mr. Thompson serves as a trusted advisor for the highest levels of government as well as private sector C-suite and Board of Directors alike. He is a member of the Maryland Bar.

The opinions expressed in this blog are those of Shawn M. Thompson and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.