Taking a leadership role on data security, risk and governance
As the legal industry’s reliance on technology grows, so does its vulnerability to security attacks. Accordingly, the pressure on legal departments to institute and maintain reliable security processes is also rising.
According to the Association of Corporate Counsel Foundation’s 2018 ‘The State of Cyber Security Report: An In-House Perspective’, two thirds of respondents said they expected the legal department’s role in cybersecurity to increase in the next 12 months. This is a marked increase on the 2015 survey where only 55% expressed the same sentiment.
It’s a viewpoint backed by Lawcadia Corporate Counsel, Siska Lund.
“Management is increasingly looking to us to assist with data protection and security risk management” she says. “We’re facing a growing responsibility to minimise damage to corporate reputation, loss of key data and the risk of legal and regulatory penalties.”
“However,” she adds, “many in-house counsel may not feel prepared for this”.
Having been uncertain about how to chart the proper compliance course when transitioning from an electricity distribution and energy management company to a cloud computing technology company five years ago, she understands that even seasoned in-house counsel may be experiencing similar uncertainty.
To effectively manage the rapidly changing world of cyber security, she suggests beginning with an acknowledgement that in-house counsel can’t effectively manage this kind of risk on their own.
“It’s up to us”, she says, “to make it our business to understand how our organisations operate and identify who we can talk to within the organisation to help us better understand the data protection and security risk landscape”.
“In this respect” she adds, “stakeholder engagement skills are increasingly necessary”.
Having successfully navigated the technology/risk tightrope, she has identified four key steps in-house and General Counsel can take to protect their organisation from unnecessary risk.
Proactively identify and manage risk
The first step, Lund says, is to champion the effort to map out the organisation’s data risk landscape. This is particularly important when the organisation may not have a designated chief privacy or data security officer.
“In these situations”, she says, “it will be incumbent on the in-house counsel to step up
and lead this initiative”.
“This will usually entail driving the organisation to answer questions like: What type of data and information do we manage and store? What data, if lost or stolen, would have a major impact? What best practices do we already have in place, and what systems are likely to be primary targets of risk? It’s only from undertaking this kind of enquiry that we can begin to gather the evidence and information we need to put together an effective corporate data protection program”.
This is but one example of the evolving role of the modern in-house counsel, she says.
“As well as being the legal counsel for the organisation, we are increasingly seen as being enablers of business outcomes. As such, we’re expected to work with senior management and business units to contribute to strategic business decisions that impact the bottom line”.
“Even though addressing the legal needs of the organisation is one of the key ways we add value”, she says, “we also oversee projects, including legal technology implementations and delivery of compliance programs and presentations where project management and communication skills are highly advantageous”.
This necessitates taking on a growing list of additional non-legal responsibilities like governance, privacy, risk and insurance.
Her advice for those new to the game is to include a strong framework of policies with built-in enforcement measures. “Training, and to an extent change management, are critical to program success and the driving of organisational awareness of what needs to be done” she says.
To that end, she suggests that in-house counsel could also lead the development of a cyber incident response playbook.
“This could set out in detail what should be done when a breach or other incident of high potential impact occurs. This helps everyone work in a coordinated and collaborative way when responding to the incident”.
Get to grips with emerging technology
Our increasing dependence on computers, the outsourcing of information technology functions and the growing value of data have all increased businesses’ vulnerability to data breaches and cyber security issues.
To counter-balance this, Lund advises that in-house counsel take an interest in how technology is being developed by and/or otherwise deployed in their organisations.
“Not only that, we also need to focus on how technology can be better utilised within the legal team to ensure we keep up with best practice and streamline our workflows for cyber security and privacy matters”, she says.
Thankfully, there are some great tools, apps and platforms out there that in-house legal teams can use to increase their risk management efficiency.
One of the key areas where Lund has seen technology assist in-house legal teams is the ability to collect relevant data and consolidate it in a secure online repository.
“This functionality”, she says, “ensures in-house teams have access to accurate data quickly. They can also automate workflow processes which, in turn, can increase collaboration with other stakeholders, help quickly identify and control risk and proactively track and report on risk”.
Nurture ongoing stakeholder relationships
By fostering a collaborative approach to the introduction of new technology, the chances of successful uptake are significantly increased.
According to Lund, when internal and external stakeholders are included in the design of security, risk and governance policies and procedures, they’re more likely to be practical, reliable and robust.
“Responding to cyber security effectively requires a multi-disciplinary approach”, she says.
“It’s important to consult and/or work closely with data security and IT professionals within your organisation when developing a data protection program. It may also be useful to establish contacts with relevant IT forensic investigation specialists and crisis and reputation management services, should the need arise”.
Stay ahead of the curve
By nurturing a personal interest in cybersecurity and emerging technology, GCs and in-house counsel can seize the initiative and lead transformation and knowledge growth from within.
This is a tactic that has served Lund well. As she says, “There’s never a dull moment being an in-house counsel and no two roles are the same. Each business is different, so each in-house counsel role is also different. It goes without saying that it definitely pays to stay on top of the latest legal developments that can impact your organisation”.
To assist with this, she says, “I’ve done a lot of self-study, as well as attending seminars and additional external training to keep up to date. However, even then, I sometimes feel like I can never know enough”.
Charting a secure path to the future
As technology increasingly impacts how businesses operate, cyber security will continue to be a key responsibility for corporate legal teams. However, by identifying and assessing the possible risks, exploring new technology and nurturing relationships with data security and IT professionals, your team can be ready to meet the challenge head on. With careful planning and commitment to ongoing oversight, the data security risk can be effectively mitigated.
About the Author
Shauna Maguire is the Marketing Manager at Australian legal technology company Lawcadia. A former lawyer, she worked in criminal and policy law at the State, Federal and international level before transitioning into marketing and communications.
About the Contributor
Siska Lund is the General Counsel for Australian legal technology company Lawcadia and has over 10 years commercial legal experience in private practice and in-house legal teams. She’s also currently an Assistant Professor at Bond University.