As the internet becomes a powerful tool in modern business, destructive risks may cause you uneasy sleep. Veta T. Richardson shares the key recent findings of her in-house association.
There have been several recent instances of data breaches at multinational corporations affecting millions of consumers and stakeholders. In fact, one-third of in-house lawyers have experienced a corporate data breach and the most common reason cited was internal factors – employee error or an inside job, according to the ACC Foundation: The State of Cybersecurity Report released in December. In-house counsel in the Asia-Pacific region were more likely than those elsewhere to have weathered a data breach at their current company.
Around the world, top lawyers at corporations – general counsel (GCs) or chief legal officers (CLOs) – identify data protection as one of the top issues keeping them up at night. The report, which took the pulse of more than 1,000 corporate lawyers at 887 organizations in 30 countries, indicated that 23% of Asia-Pacific in-house lawyers have experienced a data breach at their current company.
Regardless of whether or not a GC or CLO experienced a data breach, the report found that damage to the company’s brand, loss of proprietary information, economic damage and government or regulatory action were their top four concerns related to data protection.
Though no two are alike, data breaches are now commonplace and ever-present. The number of people affected by a data breach intensifies the focus on how organizations – and government regulatory bodies – handle these situations.
Currently, a combination of laws and regulations lays the groundwork governing the control of data and the obligation to divulge information during data breaches. Countries in Asia, Europe and Latin America are among those that have enacted mandatory breach notification laws or amended existing privacy laws to address emerging cybersecurity issues and cross-border business operations. Within the US, 47 states, in addition to Washington DC, Puerto Rico, Guam and the Virgin Islands, have established differing standards for dealing with breaches of privacy, according to the National Conference of State Legislatures.
Specifically in the Asia-Pacific, the report found that corporate counsel most commonly followed International Standardization Organization (ISO) standards. Elsewhere, Indonesia and Singapore have created cyber agencies, while Japan has enacted the Cybersecurity Basic Act, to enhance intelligence co-operation.
Further, US President Barack Obama recently signed into law the Cybersecurity Information Sharing Act of 2015 (CISA), which encourages businesses and the US federal government to share cyber threat information in the interest of national security.
Aside from the chief intelligence officer, chief financial officer and other security and information technology professionals, the CLO is often at the centre of crisis response when a breach of privacy occurs at a company.
Assessing and helping to mitigate potential liability and reputational risks resulting from a data breach is paramount to corporate counsel across the globe. GCs and their teams navigate the intersection of business and legal challenges, and in today’s business environment, this increasingly means that the corporate law department is active in cybersecurity strategy, prevention and response.
Thus, the aforementioned legislation and other cybersecurity activity remain top-of-mind for corporate counsel, especially as they relate to liability, reputational harm and internal risks (i.e., breaches in protocol for employees’ access to sensitive or confidential information).
Some 56% of respondents to the report noted that their company is allocating more money to cybersecurity, compared to 2014, and 23% stated that their legal department spend has risen as a result of company focus on this issue. Notably, half of all GCs and CLOs stated their company has cybersecurity insurance, with 68% having coverage valued at around US$1 million or more.
Thus, in-house counsel are cognizant of the benefits of developing new resources around rules governing the privacy arena, especially as companies expand cross-border business operations. The board of directors wants to be sure that executive teams have this well in hand to safeguard many facets of the corporation and thwart any major costs associated with a cyber attack.
Clear communication to the C-suite and board of directors in the event of a data breach is a high priority for in-house lawyers, as they serve in dual roles as business advisers and legal counsellors to these stakeholders.
In addition, cybersecurity is not merely an information technology issue. It is an enterprise-wide issue. The movement away from simple awareness toward behavioural change will better direct business leaders operating in various functions throughout a company. This mentality is particularly critical for the CEO, GC or CLO who may be responsible for answering questions posed by the board of directors.
In-house counsel in large law departments – and those in the Asia-Pacific region – were more likely to anticipate their department’s role in cybersecurity to increase over the coming year, noted the report. Overall, 50% of GCs and CLOs want to heighten their role and responsibilities when it comes to cybersecurity.
And this also involves identifying outside support that will need to be tapped to help fend off any potential threats related to breaches of privacy. Just 22% of in-house counsel are very confident that their outside service providers are managing the security of client data, so additional focus by in-house counsel appears warranted.
Awareness and training are vital to diminishing common avenues for a cyber attack. Transparency may be a regulatory requirement based on the data compromised, making it important to align internal protocols with regulatory standards. The report found that 31% of respondents overall were required to notify a regulatory agency upon becoming the target of a cyber attack, compared with 50% in Canada and 28% in Asia-Pacific.
Ultimately, proactively examining areas of potential vulnerability may lower the amount of risk post-breach, as well as lessen the avenues through which breaches can occur. This also helps support critical functions and the ability to prioritize efforts across the company. All of these actions can play a role in creating behavioural changes within an organization as it relates to cybersecurity measures, where a culture of ongoing vigilance and preparedness may be the best prophylactic.
With so many moving parts, the growing sophistication and nature of data security has moved out of the IT realm and become a true issue of corporate leadership, especially as it impacts both the corporate bottom line and corporate reputations. By taking the lead on creating a culture of compliance and setting the right tone, in-house counsel are well positioned to convey confidence and control over the situation when it entails data security challenges and related liability issues.
Veta T. Richardson is president and CEO of the Association of Corporate Counsel (ACC), a global bar association representing more than 40,000 in-house counsel employed by over 10,000 organizations in 85 countries.