While contending with the pandemic, businesses are also facing increased cybersecurity and data privacy threats. In partnership with PJS Law, Asia Business Law Journal hosted a virtual roundtable of senior in-house counsel to find solutions to these challenges
Click here to watch the full-length video
Most businesses, governments and regulators were trying to find a way around dealing with cybersecurity issues and data privacy in the normal course of life, and then we were confronted with the onset of covid-19 and the additional data privacy problems that it brings us.
Data shows that there has been a rise in covid-19-related phishing and ransomware attacks, increased delays in cyberattack detection, and a slow response from IT teams, which have been spread thinner because of work-from-home restrictions.
Remote working brings its own set of challenges, but there have been positives, too – the pandemic has forced the hand of businesses to take a stronger view and an improved position on dealing with cybersecurity issues.
It’s in this context that Asia Business Law Journal’s virtual roundtable assumes significance. We brought together an expert panel to discuss these challenges, all of them senior in-house legal practitioners from a variety of industries and from across jurisdictions.
On the panel are: Chae Jooyup from South Korea, who is the vice president and general counsel for SK Biopharmaceuticals and Life Sciences; Sarita Misir, senior vice president, global legal, Fullerton Health in Singapore; Vincent Ng, general counsel for Hong Kong-based online travel company Klook; Sandra Wu, the president and chairperson of the Association of Corporate Counsel Hong Kong; and Rachelle Diaz, a partner at PJS Law in the Philippines.
Asia Business Law Journal: What are the challenges in ensuring data privacy within businesses as companies implement remote working, and perform transactions and ensure compliance remotely.
Chae Jooyup: So, it’s not exactly about data privacy, but it is a little related to cybersecurity, because when you work from home in Korea, Japan or Taiwan, to execute an agreement we need the corporate seal, not the signature. The corporate seal is stored by the company. So if you cannot go to the company, you cannot use the seal.
What we did for that was we implemented digital signatures. We scanned the corporate seal and then shared it with very limited numbers of employees who really need to execute agreements, so they could execute the agreement by using a digital signature. This was the example we implemented with regard to covid-19.
Sandra Wu: I think the first question that we all initially asked ourselves as general counsel of the companies we represent is, how safe are your data and security? What I mean by that, are your data and security housed in a castle with a moat, or housed in a straw hut? How vulnerable are you and your systems now?
Covid-19, obviously, in Hong Kong has impacted us in three waves now. So, you see more and more people working from home. I believe this trend will continue to grow. I don’t think it will reverse at any stage. And, unfortunately, our homes are not as secure as the fortresses that we may have built in the offices with respect to IT systems. So, with working from home, it means you don’t have 24/7 access to your security team to call on for your day-to-day issues, but also the attacks that you may have.
[Regarding] the denial of service attacks and the phishing emails you may have, the tech teams are also stretched with the inefficiencies of working from home. What I’ve seen with GCs of businesses in our community, they are mostly operating in the financial services space – banking, healthcare, and in particular, all these sectors have regulatory obligations that they need to meet.
Now, the Securities and Futures Commission (SFC) in Hong Kong really did their part in issuing a circular on 29 April, which details exact protocols, operational capabilities, how we should manage these cybersecurity risks with remote working. It was a very detailed circular. And so the key risks that were identified in that circular related to accessing internal networks remotely – how to set up your VPN, what you should be doing, should you be having multiple VPNs, simple things like ensuring that each of your employees has two-factor authentication (2FA) now.
To a lot of people 2FA was a very peculiar code. No one knew what 2FA was, unless you had been hacked before, or you have really robust systems. So, 2FA is something for remote access login that is now enforced across the board for these entities that are operating in the regulated space, and also implementing security controls, such as only allowing admin access to prevent any unauthorized installation of hardware and software.
These are things that now you are constantly thinking about – do you allow all your employees to have access, or is it restricted access? And with the concept of video conferencing, which we’re currently doing now, and I’m sure you’re doing 10 a day at least. A lot of firms were forced to do a formal assessment of the security features of the different ones that were available. Is Zoom a better option than Google meet? Is that better than other offerings out there? How do you assess that risk as well? So, these are things that the SFC has really gotten ahead of the curve with in advising and disseminating this information to a lot of the organizations we have in Hong Kong. I’m very proud to say Hong Kong really got ahead of the curve.
Sarita Misir: My experience has really been, you know, a lot of the privacy-related and cybersecurity issues are not specific to covid-19. I think what the pandemic has actually done is just bring it to the forefront because people are working from home there’s a lot of remote access required. I think a lot of the hygiene practices should have been implemented in any event.
For example, for us in Fullerton Health, we have a dedicated CSO [chief security officer]. What we have done even before covid-19 was implement the best practices the CSO had come up with, basically having 2FA when logging into our work emails or any kind of work-related kind of software that you need to use. Also, things like putting in a special kind of email quarantine service. So at least some of the more common phishing emails will be caught already before it even lands in your inbox. Because I think, you know, at the end of the day, whatever kind of software or technology that you use, it is really the human factor that is the weakest link in almost all cases, whether it’s a data breach or a cybersecurity breach. So part of the employee education was we have e-learning modules that all employees have to go through.
It is not just your hardware or your software; where you have 2FA, only using company-issued laptops, not your own personal devices; if you have access to sensitive databases in the office you have to use a VPN. So it goes through additional layer versus using home Wi-Fi. And of course, if you go to Starbucks, you know, any public Wi-Fi, I don’t have access at all.
The way that I see it is really almost a tripartite or triangular way of looking at things. You have your hardware protections, you have your software and then you also have the employee. The human factor also has to be taken into account. So really, in terms of the challenges that we face, I think it’s not really specific to covid-19. It should be done across the board, with or without covid-19. It is just that the pandemic has maybe brought some of the questions or issues to the forefront of people’s minds.
But IT departments are now really thinking about when people are working from home, what are the kind of protections we need. Previously some of the hardware and software factors were a bit more at the forefront because people were in the office. So, this additional layer of protection is not really there and accessing office networks of things, but now with working from home, maybe you have to think a bit more.
ABLJ: Vincent runs an online business and is probably the most in the thick of things. What has been your experience, how prepared were you to deal with some of the challenges and what have been the major changes?
Vincent Ng: I think I would echo quite a few points that Sarita has mentioned. We were actually all set up to work remotely. So, covid-19 or not, we are actually quite used to working from home, working from remote locations. I personally run a team of 15 people, some of whom I’ve actually never met in person. So we are just like joking about how we work together is like pen pals.
Well, partly because of covid-19, we had planned a legal offsite conference globally for everyone to be in a single occasion, but then because of covid-19 we couldn’t do it. And now we are actually moving the legal offsite online to do a virtual one as well. So, yeah, we’ve always been set up to run things this way, but what covid-19 has done is really expedited some of the urge for us to look at security issues and to focus on how to make sure that they are properly attended to.
One big part of it is education. There are obviously very technical parts like securing our data, especially for an online company like us. We have a team of security experts who conduct penetration testing and work on our cloud architecture, safety and the security and all that.
But on the other hand, I recently read a report that says that as much as 25% of data breaches are still caused by human error. So some of the data breaches, security incidents, are caused by malicious attacks, but a lot of them are still down to human error and attributable to employees. So how do we protect against that?
In our company, the legal team actually plays a very big part in that. And I personally co-sponsor the security taskforce with our chief technology officer. One of the things that we do is provide regular training to all the senior staff of the company so that they can cascade it down to their respective teams. Our security team conducts quite a few email phishing exercises every other month.
So they report to the entire company on which teams are doing the worst. Clicking a fake Starbucks voucher on a phishing email, and all that, just to remind people of the importance of paying attention to these emails. So, all these things put together are the things that we’ve been doing since covid-19 hit. And again, these are not things that are specific to covid-19.
ABLJ: Rachelle, as an external counsel, have you seen a spike in your clients coming to you with more complaints, or have things changed for you in any way?
Rachelle Diaz: Not so much complaints. And it’s funny because, as you mentioned, I handle both data privacy and competition here in the Philippines, which are both emerging practices under our jurisdiction. And considering the effects of covid-19, we have been seeing a spike in questions relating to data privacy and, you know, working from home, put to the forefront of the challenges. Even in my case, in our firm, we’ve had a work-from-home policy, although on a smaller scale, once or twice a week is allowed for most of our lawyers.
But then when covid-19 hit, it has blown up into an entirely new scale. So challenges in terms of working from home are not new, and there’s a reason why working from home has not become a practical approach to conducting a business, and it’s taken a pandemic to actually allow people to work from home.
So, in terms of challenges, we have seen clients with these various concerns regarding data protection. As Sandra mentioned, cybersecurity is definitely at the forefront. But from a legal perspective, of course, IT is something IT should handle. From a legal perspective, compliance in terms of how certain arrangements that employers want to put in place to ensure that both their employees’ data as well as their clients, they remain secure.
Those are questions that have been raised for us in terms of whether those arrangements and employers and organizations can be very creative in terms of how security can be implemented under a work-from-home arrangement. Just recently, for example, we had a client approach us, it’s working within the finance industry, and one of the concerns that they have is the ability of their employees who would be working from home – to actually do screen captures of the data that they are processing from home. So what they want to start implementing is basically software.
There is a lot of software now available, or applications available, where employers are allowed to monitor their employees in the work from home environment. So, in terms of perspective, it does work two ways, both from the perspective of the employer to manage the employee data, as well as, of course, the ability of the client to ensure that data remain secure as well.
A lot of challenges arise, and the most practical step really is to have your cybersecurity team ready and available to ensure that any breaches or hacks are addressed properly. And of course, human error is something that needs to be properly addressed. It cannot be taken for granted in all of this.
ABLJ: With respect to negotiations, due diligence and contract drafting, we all agree that working from home is the new normal and most jurisdictions are going to end up with a lot of people working from home. How do you prepare yourself as a multinational business to deal with these eventualities?
Chae: I think there are two measures for maintaining confidentiality or security. The first is preventative measures. For example, in my laptop, all the files are encrypted automatically. I cannot download any file from my laptop to an external storage. To download files to storage we need to get some special permission and justification.
The second measure is definitely monitoring. So, for example, I had two incidents of data leakage in some companies. So even if we have all preventive measures, there are some loopholes. The robust monitoring of older cyber activities is crucial to keep the data secure. Frankly speaking, everything you do with your company computer is being monitored or being watched by someone else. Basically, these two measures are the key factors for keeping the confidentiality of the data.
After I joined this company, there was an IPO of the company. So, there were lots of meetings in relation to investor relations or explaining our companies, and then all because of covid-19 we could not have any face-to-face meetings, offline meetings with investors. All the meetings were done virtually, so cybersecurity was very important.
The first thing we do is get some kind of letter or agreement from the participants that they will keep the confidentiality of the meetings, so nothing in the meeting will be disclosed without prior consent of the other party. That kind of agreement, or a confirmation letter, is the first step. And then there is some policy about recording, so there are some technologies to prevent recording of virtual meetings. If the meeting is really important, we use that kind of technology.
ABLJ: Sarita, you are a people-facing business operating clinics across jurisdictions. Is it very different for you? You must have your own set of challenges that are very different from the others here. What have been your experiences?
Misir: I think actually the baseline challenges would be very similar. Maybe the way I can explain this is in terms of three areas. The first one really is about a communication platform. We were always on teams because we use Office 365, so it’s just that now there are a lot of external things like the use of Zoom, right? When you have a bigger group, sometimes one has the kind of capabilities that maybe things might not be able to support.
For internal meetings, we have a policy that you keep it because it’s more secure with the Office 365 platform that Microsoft uses. And of course, external meetings we have to use Zoom, but we usually tend to avoid it as much as possible, Google meet and things like that, because it’s connected to your Gmail account. So, all it takes is a leak somewhere else and everything is kind of gone. Everything is kind of accessible.
With Microsoft, I guess the Office is the same thing, but having 2FA and all these things, at least there’s some kind of protection where it has to go through one by one, instead of just having one control point, or one access point for everything, like the Google version has.
What I’d like to do for Zoom, for example, is we’ve all heard that Zoom has a bit more of a cybersecurity risk. They are kind of working to fix it. But I think in the meantime, there are self-help kind of options that you can use. So, you can fiddle with some of the things that we have on Zoom. For example, all my meetings that I organize, I always use the waiting room function. So you can then decide as an organizer who you want to let in or not.
Obviously, there’re issues when you have a big meeting, 50 people waiting to enter, it is a logistical nightmare. But I think it’s worth having a few minutes of pain to get over a million-dollar breach. It’s important to be familiar, especially as counsel, you need to be familiar with what’s going on.
These are your organization’s documents, right? You should be the one being the gatekeeper, so I think it’s important not just to leave it to the other teams, or the external service providers, or even the lawyers to handle. I think it’s important to have a good understanding of how that happens.
The initial point that I raised about using Google. Right, because I know there are some smaller deals that people are fans of using Google Docs. And I mean, that’s also something where basically once your email is compromised, even if it’s a different personal email that you use to access something, even if it’s a separate leak just based on the email.
The thing about convenience and having one-stop access is also the fact that one-stop access is a one entry point access as well. And my third point in this triangle that I am a big fan of is really the use of electronic signatures at this stage. I think we’ve always used electronic signatures because I’m travelling and my directors are also always on the go. We’ve always had a certain policy or protocol in mind.
You have certain parameters in it about what is the kind of document where you can affix a digital signature, and what needs to wait until it can actually be signed. For example, there are certain parameters like sensitivity of the document, you know, even things like monitoring thresholds of the transaction, that you need to sign, even things like who is the custodian of the electronic signature.
ABLJ: Sandra, what’s been your experience? Contract drafting and court filings and all of that. Have you had any personal experience dealing with digital contracts, etc.?
Wu: Not so much in court filings, I’m not in the litigation space. However, with a lot of the M&A deals that we’re seeing, because we’re all working from home, everyone has restricted travel access. You see this overall result. And the risk that we’re facing is this data sprawl, where you have data everywhere across multiple devices, across multiple locations, across multiple jurisdictions. How do you gain control of that data again?
It’s almost impossible, you almost become a hacker’s dream target, but your cybersecurity team’s worst nightmare. So, things that we’ve implemented, say, within our team, for example, we just did a pre-IPO deal for a client. One of the LPs [limited partners] that were going into this pre-IPO round asked to see the term sheet of the lead investor.
Now, normally, what would happen in non-covid-19 days would be everyone will get into a room. You would physically show that term sheet of the lead investor, everyone sees it. There’s control over who’s taking a photo, who’s recording it, who’s writing things down. You’re able to set these controls physically.
In the cyber world, where security is so fluid, do I send it over WhatsApp? Do I send it over email? Do I send it over WeChat? What are the avenues where I could show this term sheet without anyone taking a copy, writing anything down, recording it. So, one thing that we found very helpful, and this is one application, is Signal. Now Signal is, I would say, a much-enhanced version of WhatsApp.
It’s better than SMS because you can control at which time, at a point in time, you can have that term sheet deleted. It allows you to set functions like five-seconds viewing, 10-seconds viewing, 30-seconds viewing, and up to a week. And you can have that message or sensitive document deleted within that timeframe. And if any recipient takes a photo of it, you are alerted straight away. So it’s about, I think if I can turn it around, it’s also about how to gain control of the data that you’re spreading and sending out there.
And I think for far too long, the legal tech team, the CTO, are always on the sidelines of board meetings. I really think they should be at the forefront and have a standing slot as an agenda item with all board meetings.
ABLJ: Rachelle, have you had some experiences with some of these interesting apps that are available?
Diaz: I don’t even remember the last time I conducted on-site due diligence, to be frank with you. So, for our generation at least, holding due diligence virtually saves us time and allows us to be more flexible in terms of how we conduct due diligence. It’s definitely useful.
It’s a useful tool for us. And we’re not unfamiliar with the different strategies that companies and our clients have in place to manage their data. And I think in terms of challenges, going back, it’s really human error that you need to be aware of, if only because you may have your application or your platform secure the availability of the data, and you have control over how the data can be accessed. But if, for example, your staff upload a confidential document unredacted and containing sensitive information, then you may be unaware that that information is leaking somewhere. So, it still is where you have these tools in place. It remains imperative for everyone to actually be familiar with the platform they are using.
ABLJ: As the tech company representative here, Vincent, what have been your experiences? Is there interesting technology that you’ve brought in?
Ng: What I’ve always shared with the legal team is that we want to make things easier for people to see, so that they can remember what they need to do and contribute to the security of the company. NDA (non-disclosure agreement) is actually one of the first agreements that we automated, using contract automation software. We try to make it easy for people to actually sign NDAs.
I think it is a combination of different things, the ease of execution of these, and also the fact that we keep educating people and remind them of the importance of security. For us, I think education, keep reminding people, and how we make things easier for people to comply is the key to how we achieve security within the company.
Misir: One thing that we are considering right now is really using AI legal budgeting. I think general counsel on this panel can easily say that the work-from-home era, because of the pandemic, has actually resulted in a lot more work than we used to have, especially across different time zones. So, what I’m considering right now is moving away from automation but moving into the end result when the bills come in.
I think managing legal spend is probably one area that I’m quite closely looking at in terms of seeing if I can put in some kind of AI technology, or some kind of automated platform to make sure that billing guidelines that we have are adhered to, and I don’t have to review, and that a certain billing rate as agreed is kept to once the invoice comes in.
So a platform or a kind of software that provides that kind of ease, where it cuts a little of my time being spent on the admin work, you know, and hopefully saves even 10 minutes of my day, that I can do something else. So I think it’s a matter of maybe the evolution really of using AI and using software for legal tech. We started with contract creation, and now it’s really about almost end-stage, the work is already done, how do you deal with that to make our life as general counsel easier. And then we can focus on the really strategic things, which is why organisations need you, more for that than looking at bills.
ABLJ: Sandra, how do you think automation legal technology is affecting legal teams?
Wu: This is a really good question and one that we get asked to speak on multiple times during the year. I believe the future of legal tech is more than just automation. I actually believe it’s about transformation. Transformation of the lawyer, transformation of the legal team, transformation of the legal resources that you’re currently using.
Obviously, the time-sensitive, the manual repetitive tasks can totally be taken away with automation. But what’s more interesting is the transformation of the lawyer. What does a future lawyer look like? What skills would they need to have? I see it as a positive thing. A lot of people freak out in our industry thinking, ‘oh, my job’s going to be obsolete in two, three, five years’ time.’
I don’t think that’s true. I actually think the role of a lawyer, the role of the GC, actually becomes so different to what we’re doing. It’s going to be all encompassing. We’re going to have to know a bit about everything, about tech, about obviously legal compliance, but also operationally how all things fit together.
Chae: We need to admit that legal technology will change lots of things. For example, contract drafting or legal research, at the end of the day, will be replaced by the AI. It is almost inevitable. Well, a lawyers’ job is not limited to those kinds of things. Frankly speaking, those changes will affect external counsel more, because basic contract drafting or legal research can be relatively easily replaced by AI.
But for junior positions, there can be more threats. This shows that we need to prepare for the future. And then, what kind of skills that we need to be prepared for the changes in our legal society by technology.
Diaz: I love the point that was raised by Jooyup, and of course, Sandra. It gets me excited, actually, talking about automation and artificial intelligence in the legal space. And I’ve read so many articles about this, and they’ve consistently made the point that there is a natural resistance, particularly in terms of law firms and how external counsel practice, if only because the practice of law, in its essence, can be very traditional and is rooted in culture and rooted in norms.
That’s how we lawyers were trained. We’ve been trained to become critical of nuances and disagreements. But notwithstanding this, I don’t think that being traditional and being trained to be critical is a deterrent to adapting to change. Sandra raised the point of the transformation of the lawyer, and that really gets me psyched and excited.
But it really affects the way we work as lawyers, as external concerns. And I appreciate the system or the facility by which automation, and eventually, hopefully, artificial intelligence, will be able to assist us in managing our time and in managing our work. Right now, we have so many deals going on and there’s so much work that needs to be done.
The world is becoming a smaller and smaller space. And there’s so many transactions and there’s so much experience out there that you need to be involved in to build a more robust practice. And I think automation and legal, and artificial intelligence, is something that should be embraced and it should be appreciated for the opportunities that it presents.
Vanquishing viral enemies