With the proliferation of technology and the increased use of tablet and mobile devices, growing concerns over cybersecurity and privacy mean that corporate general counsel are undertaking more compliance-related work and advising clients on specialised privacy issues. As a result, the role of corporate general counsel has evolved to include core security, risk, compliance and privacy responsibilities.
A recent survey released by TerraLex, The General Counsel Excellence Report 2015, revealed that, while still maintaining a robust grip on the traditional functions of the law, corporate general counsel are now increasingly concerned with regulation and compliance, as well as data privacy and related cybersecurity issues. Surveying over 150 firms in 100 different countries, the report showed that the responsibilities of general counsel have expanded to include the roles of director, risk manager and advisor, alongside regulatory compliance responsibilities and the leadership of legal departments.
Implementing legal measures to tackle cybersecurity threats
According to the Australian Privacy Principles, an organisation is required to take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. Failure to take reasonable steps to prevent unauthorised access, such as a cyber-intrusion, may be a breach of Australian Privacy Principle 11 (APP 11). This means that both an organisation’s general corporate counsel and its information security team have crucial roles to play in tackling cybersecurity and data privacy.
Rapid technology changes and the need to keep up
While the information security team has the responsibility for implementing the technical logistics of data protection, legal counsel plays an integral role in the regular review of information security measures, particularly given how frequently organisations change their technical processes, information, personnel, applications and general infrastructure.
Cybersecurity and privacy risks are further escalated by constant shifts in technology as new concepts are developed and, at the same time, new problems arise.
While technology continues to serve as a vital asset to organisations globally, it also means lawyers have to be increasingly vigilant to the ever-changing landscape of potential risks. This means the role of corporate general counsel is not just to assess internal processes for compliance, but also extends to regularly monitoring the operation and effectiveness of the steps and strategies the organisation has taken to protect personal information.
App development and increased global privacy risk
Privacy and data-management issues have been contentious topics of regulatory debate for some time now, especially post-GFC, when the global implications forced lawyers to become more vigilant about cross-border data control, collection and disclosure. However, the rise of big data, the popularity of apps that collect personal information and the growth of cloud-based software have opened up a whole new wave of risk and security issues.
According to the 2014 Global Privacy Enforcement Network report, 85 per cent of surveyed apps failed to provide clear information on how they collect, process and disclose user data. This means that corporate general counsel need to be more proactive than ever in ensuring their organisations build strict, relevant and timely privacy compliance measures into their processes and their culture. Counsel need to ensure that organisations are not only privacy conscious from inception, but also play an integral part in planning for and responding to any type of data breach.
Given the global nature of today’s data collection, the pressure is also on corporate general counsel to respond to international compliance issues. Laws and regulations relating to data, privacy and security vary significantly between countries such as the US, UK, Germany and France, and the regulatory landscape is constantly changing. Corporate general counsel are now expected not only to create and enforce a culture of personal information security within an organisation, but also to understand the domestic and international implications of data risk management.
Minimising financial and reputational risk
The financial and reputational costs of a breach of information security for any organisation can be significant. The Ponemon Institute’s 2014 Cost of Data Breach: Australia found that the average cost of a data breach experienced by 22 Australian companies in 2013 was $2.8 million.
A publicised breach of information security can have even more devastating consequences on a company’s reputation and ability to maintain customer trust and loyalty. Ponemon’s report found that, on average, reputational losses and increased customer turnover constitute 28 per cent of the cost of a breach.
Ultimately, the risks are high. Privacy laws vary across borders, are interpreted unpredictably and are in a constant state of flux. Even the most vigilant, conscientious company can make a small error as it captures, uses, transfers and discloses personal information, and the consequences can be serious and even devastating. This means that information security measures need to be a top priority instilled within any organisation, and corporate general counsel have an increasingly important role to play in that effort.