As the legal industry's reliance on technology grows, so does its vulnerability to security attacks. Accordingly, the pressure on legal departments to institute and maintain reliable security processes is also rising.
According to the Association of Corporate Counsel Foundation's 2018 "The State of Cyber Security Report: An In-House Perspective", two thirds of respondents said they expected the legal department's role in cybersecurity to increase in the next 12 months. This is a marked increase on the 2015 survey where only 55% expressed the same sentiment.
It's a viewpoint backed by Lawcadia Corporate Counsel, Siska Lund.
"Management is increasingly looking to us to assist with data protection and security risk management" she says. "We're facing a growing responsibility to minimise damage to corporate reputation, loss of key data and the risk of legal and regulatory penalties."
"However," she adds, "many in-house counsel may not feel prepared for this".
Having been uncertain about how to chart the proper compliance course when transitioning from an electricity distribution and energy management company to a cloud computing technology company five years ago, she understands that even seasoned in-house counsel may be experiencing similar uncertainty.
To effectively manage the rapidly changing world of cyber security, she suggests beginning with an acknowledgement that in-house counsel can't effectively manage this kind of risk on their own.
"It's up to us", she says, "to make it our business to understand how our organisations operate and identify who we can talk to within the organisation to help us better understand the data protection and security risk landscape".
"In this respect" she adds, "stakeholder engagement skills are increasingly necessary".
Having successfully navigated the technology/risk tightrope, she has identified four key steps in-house and General Counsel can take to protect their organisation from unnecessary risk.
Proactively identify and manage risk
The first step, Lund says, is to champion the effort to map out the organisation's data risk landscape. This is particularly important when the organisation may not have a designated chief privacy or data security officer.
"In these situations", she says, "it will be incumbent on the in-house counsel to step up and lead this initiative".
"This will usually entail driving the organisation to answer questions like: What type of data and information do we manage and store? What data, if lost or stolen, would have a major impact? What best practices do we already have in place, and what systems are likely to be primary targets of risk? It's only from undertaking this kind of enquiry that we can begin to gather the evidence and information we need to put together an effective corporate data protection program".
This is but one example of the evolving role of the modern in-house counsel, she says.
"As well as being the legal counsel for the organisation, we are increasingly seen as being enablers of business outcomes. As such, we're expected to work with senior management and business units to contribute to strategic business decisions that impact the bottom line".
"Even though addressing the legal needs of the organisation is one of the key ways we add value", she says, "we also oversee projects, including legal technology implementations and delivery of compliance programs and presentations where project management and communication skills are highly advantageous".
This necessitates taking on a growing list of additional non-legal responsibilities like governance, privacy, risk and insurance.
Her advice for those new to the game is to include a strong framework of policies with built-in enforcement measures.
"Training, and to an extent change management, are critical to program success and the driving of organisational awareness of what needs to be done" she says.
To that end, she suggests that in-house counsel could also lead the development of a cyber incident response playbook.
"This could set out in detail what should be done when a breach or other incident of high potential impact occurs. This helps everyone work in a coordinated and collaborative way when responding to the incident".
Get to grips with emerging technology
Our increasing dependence on computers, the outsourcing of information technology functions and the growing value of data have all increased businesses' vulnerability to data breaches and cyber security issues.
To counter-balance this, Lund advises that in-house counsel take an interest in how technology is being developed by and/or otherwise deployed in their organisations.
"Not only that, we also need to focus on how technology can be better utilised within the legal team to ensure we keep up with best practice and streamline our workflows for cyber security and privacy matters", she says.
Thankfully, there are some great tools, apps and platforms out there that in-house legal teams can use to increase their risk management efficiency.
One of the key areas where Lund has seen technology assist in-house legal teams is the ability to collect relevant data and consolidate it in a secure online repository.
"This functionality", she says, "ensures in-house teams have access to accurate data quickly. They can also automate workflow processes which, in turn, can increase collaboration with other stakeholders, help quickly identify and control risk and proactively track and report on risk".
Nurture ongoing stakeholder relationships
By fostering a collaborative approach to the introduction of new technology, the chances of successful uptake are significantly increased.
According to Lund, when internal and external stakeholders are included in the design of security, risk and governance policies and procedures, they're more likely to be practical, reliable and robust.
"Responding to cyber security effectively requires a multi-disciplinary approach", she says.
"It's important to consult and/or work closely with data security and IT professionals within your organisation when developing a data protection program. It may also be useful to establish contacts with relevant IT forensic investigation specialists and crisis and reputation management services, should the need arise".
Stay ahead of the curve
By nurturing a personal interest in cybersecurity and emerging technology, GCs and in-house counsel can seize the initiative and lead transformation and knowledge growth from within.
This is a tactic that has served Lund well.
As she says, "There's never a dull moment being an in-house counsel and no two roles are the same. Each business is different, so each in-house counsel role is also different. It goes without saying that it definitely pays to stay on top of the latest legal developments that can impact your organisation".
To assist with this, she says, "I've done a lot of self-study, as well as attending seminars and additional external training to keep up to date. However, even then, I sometimes feel like I can never know enough".
Charting a secure path to the future
As technology increasingly impacts how businesses operate, cyber security will continue to be a key responsibility for corporate legal teams. However, by identifying and assessing the possible risks, exploring new technology and nurturing relationships with data security and IT professionals, your team can be ready to meet the challenge head on. With careful planning and commitment to ongoing oversight, the data security risk can be effectively mitigated.
This article was originally published in Edition 9 of Legal Business World on 21 November 2018