By Adv. Edo Bar-Gil
The role of GCs (General Counsels) and CLOs (Chief Legal Officers) has changed significantly in recent years. It now includes not only “traditional” legal advice and GRC (Governance, Risk and Compliance) but also all aspects of Legal Operations (including budgeting, strategic planning and legal tech).
Cybersecurity and data privacy are practically everywhere. They are a growing concern for all organizations: not only are they not going away any time soon, they are increasing day by day, and many legislative efforts around the world aim to protect data privacy and security.
It is not surprising that, in a survey done by Bloomberg, CLOs named cybersecurity, regulation and compliance, and data privacy as the three most important issues.
This article suggests that it is time to make a change. GCs and CLOs can no longer take a “reactive approach” to these issues. They need to be more knowledgeable about potential cyber security threats and data privacy issues, more proactive and active in designing the organization’s programs and strategy on these issues, and active contributors of their legal perspective and advice.
How should they do that? By applying the key principles of the four Legal Operations pillars, mutatis mutandis:
Vendor Management - Enforcement of cyber security requirements on legal service providers / consultants
Data Management and Retention (& Legal Tech) - Taking cyber security and data privacy into consideration as part of all (legal) processes
Communications - Cooperating with the organization’s different stakeholders, and especially the CISO, on the creation and design of a cyber security strategy
Strategic and Process Planning - Taking part in building the cyber security and data privacy program / strategy, including crisis management
Enforcement of cyber security requirements on legal service providers
It is a well-known fact that until recently, and even today, outside legal consultants or law firms have been chosen by GCs or CLOs “under the radar”, in the sense that they are not asked to comply with the organization’s “onboarding process” for service providers, including its cyber security and data privacy requirements.
There are various reasons for this; however, the main one is that outside legal counsel / law firms are considered a “legal partner” more than a “service provider”.
On the one hand, this is the right way to see and treat them, as they deal with the most confidential and sensitive issues. On the other hand, they are not subject to crucial requirements necessary for the organization’s security and data privacy, even though they deal with the most sensitive issues.
Therefore, it is not surprising to see that many outside legal consultants / law firms do not even have their own cyber security program, strategy or security measures. This routine should be changed immediately.
Taking into consideration cyber security and data privacy as part of the (legal) processes
Organizations struggle to include their legal departments in almost every process of the organization’s day-to-day activity. The author of this article is personally involved these days in three projects dealing with the redesign of such processes, including making sure that the legal and privacy teams are aware of new products and assist in their design.
While in the past two years the necessity of involving the privacy team or consultants in an organization’s processes has become a well-known fact, the same has not been true of the cyber security team or consultants.
There are various reasons for this, including the fear of making the processes even more burdensome, the creation of new bottlenecks, and the fact that only a small part of organizations have internal cyber security teams.
Needless to say, this routine should be changed immediately too. It is enough to look at the potential damage of cyber security attacks on organizations all over the world, including the fact that in some cases an attack literally means a “death sentence” for an organization.
Cooperating with the organization’s different stakeholders - especially the CISO
The CISO and the CISO’s team protect the organization and perform a crucial and complex function. Not only do they prepare for (un)known threats, but they also build, maintain, and support resilient systems, technologies, policies and procedures for the entire organization.
They also need to plan ahead for resistance to and recovery from potential attacks.
The legal department serves a similar role. It measures risks and threats – both internal and external – and guides the organization. It also builds, maintains, and supports protective and resilient risk-resistance / mitigation policies, procedures, and agreements for the entire organization. In addition, it plans ahead to avoid litigation and regulatory investigations and to recover from such events.
Accordingly, it is inevitable that these two functions cooperate. By doing so, not only will they benefit, but the entire organization will also benefit in how it conducts business in a dangerous and fast-changing world.
Taking part in building the cyber security and data privacy program and strategy
In light of the above, there should be no doubt that GCs and CLOs need to take part in designing and building the organization’s cyber security and data privacy programs and strategy.
While the cyber security and privacy teams should take the lead and make the decisions on professional issues, the legal team should provide its input on the legal aspects and potential risks. Such cooperation is also crucial in building an incident / cyber-attack response program and strategy, as these issues also have legal impacts.
Summary: there is no doubt that GCs / CLOs and cyber security / privacy teams should cooperate. The entire organization and each of these teams will benefit from it. Sometimes, it is easier said than done. However, by applying the Legal Operations key principles, such cooperation may be seamless (and even enjoyable).
About the Author
Adv. Edo Bar-Gil is the founder and CEO of LawFlex Designed Solutions (https://www.lawflexds.co.il/), an international company specializing in the provision of Digital Transformation Services, Legal Operations, Legal Tech and Legal Innovation. Prior to this, Edo was the General Counsel of a few leading companies and worked as an associate in major Israeli law firms.