2018 provided further evidence that no company, no matter how big or small or where it is headquartered, is immune when it comes to a data breach. Just ask Facebook, Marriott, British Airways and T-Mobile, to name a few of the major businesses that were compromised.  

Unsurprisingly, cross-border cybersecurity incidents are expected to continue to rise this year, which means legal departments, especially those embedded in companies with an international reach, need to be prepared for a range of diverse challenges, according to a new report from Mayer Brown.

“If you have a global footprint, there's a very good chance that you're going to have to think about managing incidents on a global basis going forward,” said Stephen Lilley, a partner in Mayer Brown's Washington, D.C., office, who contributed to the firm's “2019 Outlook: Cybersecurity and Data Privacy” report.

“Most of our clients are facing multinational incidents and more of the incidents we're facing have multinational aspects,” he added. “U.S. data breaches that have implications in Europe are becoming more and more common. Even some of the more straightforward incidents that we see have multinational aspects at this point.”

The report highlights key issues that companies should expect to confront in responding to cross-border cyber incidents, from managing multinational forensics investigations and global legal risks to strategically engaging with law enforcement in different jurisdictions, preserving privilege and dealing with the extraterritorial application of data privacy and security laws.

In the wake of a cross-border cyber incident, a company should act quickly to identify the geographic locations that have been affected and determine what data has been corrupted as part of the breach. Next, the company is going to have to consider the diverse legal issues that pop up in different jurisdictions and prepare to manage competing legal interests across borders.

A company's primary legal risk might be in one country, such as the jurisdiction where it is headquartered, but the underlying breach might have occurred in a different country. In that situation, the company should consider “where are all the issues going to play out and how do I address this in a way that prioritizes the response based on the level of risk I face?” Lilley said. His practice focuses on interrelated litigation, regulatory and policy challenges.

“An easy pitfall to make is to let one jurisdiction drive the response without having stepped back and looked at the full range of issues that you're going to have to face and the full range of jurisdictions that are going to be implicated,” he added.

Working with law enforcement agencies in different countries poses another hurdle that companies and in-house counsel would be wise to approach strategically, which could involve deciding which agencies to work with and the potential trade-offs, including losing control over certain aspects of the process and confidentiality, according to the report.

“You need to have people who understand the market and the law enforcement agencies,” Lilley said. “It's very difficult to engage with European law enforcement from the U.S., for example.”

The report further notes that many countries recognize attorney-client privilege, but the level of protection varies in application and scope. Some jurisdictions, for instance, provide fewer protections for in-house counsel work product.

As more jurisdictions throughout the world adopt data privacy laws, including the EU's General Data Protection Regulation and Brazil's new general data protection law, businesses should be evaluating the “full range of legal regimes to which they may be subject to and which supervisory authorities they will be required to coordinate with,” the report states.

Data breaches are happening across a wide range of industry sectors, but the industries that are heavily regulated, such as financial services, face a more difficult path after an incident, according to Matthew Bisanz, a financial services and regulatory enforcement associate at Mayer Brown in Washington, D.C.

“There's an increased complexity because there likely is a regulator in every jurisdiction who will have their own standard and timing requirements,” he said. “That can be more complicated than an industry where there is no end-to-end regulatory framework.”

Read More: