A global concern is a regional priority requiring corporate counsel to be on top of their brief, writes Veta Richardson
There have been several recent instances of data breaches at multinational corporations affecting millions of consumers and stakeholders. In fact, one-third of in-house lawyers have experienced a corporate data breach and the most common reason cited was internal factors – employee error or an inside job, according to the ACC Foundation: The State of Cybersecurity Report released recently. In-house counsel in the Asia-Pacific region were more likely than those elsewhere to have experienced a data breach at their current company.
Around the world, top lawyers at corporations – general counsel (GCs) or chief legal officers (CLOs) – identify data protection as one of the top issues keeping them up at night. The report, which took the pulse of more than 1,000 corporate lawyers at 887 organizations in 30 countries, indicated that 23% of Asia-Pacific in-house lawyers have experienced a data breach at their current company.
Regardless of whether or not a GC or CLO experienced a data breach, the report found that damage to the company’s brand, loss of proprietary information, economic damage and government or regulatory action were their top four concerns related to data protection.
Though no two are alike, data breaches are now commonplace and ever-present. The number of people affected by a data breach intensifies the focus on how organizations – and government regulatory bodies – handle these situations.
Currently, a combination of laws and regulations lays the groundwork governing the control of data and the obligation to divulge information during data breaches. Countries in Asia, Europe and Latin America are among those that have enacted mandatory breach notification laws or amended existing privacy laws to address cybersecurity issues and cross-border business operations. In the US, 47 states, in addition to Washington DC, Puerto Rico, Guam and the Virgin Islands, have established differing standards for dealing with privacy breaches, according to the National Conference of State Legislatures.
In the Asia-Pacific, the report found that corporate counsel most commonly followed International Standardization Organization (ISO) standards. Elsewhere, Indonesia and Singapore have created cyber agencies, while Japan has enacted the Cybersecurity Basic Act, to enhance intelligence co-operation.
Further, US President Barack Obama recently signed into law the Cybersecurity Information Sharing Act of 2015 (CISA), which encourages businesses and the US government to share cyber threat information in the interest of national security.
Apart from the chief intelligence officer, chief financial officer and other security and information technology professionals, the CLO is often at the centre of crisis response when a breach of privacy occurs at a company.
Assessing and helping to mitigate potential liability and reputational risks resulting from a data breach is paramount to corporate counsel across the globe. GCs and their teams navigate the intersection of business and legal challenges, and in today’s business environment, this increasingly means that the corporate law department is active in cybersecurity strategy, prevention and response.
Thus, the above-mentioned legislation and other cybersecurity activity remain top-of-mind for corporate counsel, especially as they relate to liability, reputational harm and internal risks (i.e., breaches in protocol for employees’ access to sensitive or confidential information).
Some 56% of respondents to the report noted that their company is allocating more money to cybersecurity, compared to 2014, and 23% stated that their legal department spend has risen as a result of company focus on this issue. Half of all GCs and CLOs stated that their company has cybersecurity insurance, with 68% having coverage valued at about US$1 million or more.