Data protection

As corporations devote more attention to cybersecurity, many are expanding the legal department's role to cover tasks like third-party risk management. But according to Grant Thornton's “2017 Corporate General Counsel Survey” of over 190 general counsel, that's far from where their cybersecurity responsibility ends.

Over half (58 percent) of general counsel surveyed said they were highly involved in responding to their organizations' data security risks and cybersecurity incidents. In addition, 23 percent said that responding to such risks and events were their “primary responsibility,” up from 11 percent in 2015.

Of course, it wasn't always this way. “When we did this survey two years ago, the CFO among other members of the C-suite were driving cybersecurity initiatives,” said Johnny Lee, principal and forensic technology practice leader for Grant Thornton's Forensic Advisory Services.

But as “breaches become more prevalent and as they represent more downstream risk—regulatory and litigation exposure, for example—we've seen a shift to legal departments taking the helm on the response,” he said.

In light of legal repercussions of cybersecurity incidents, he added, the legal department's participation in risk response can be an asset given the umbrella of attorney-client privilege. Depending on the nature and extent of a breach, such privilege may need “to be attached early if it's going to be invoked, and may need to be managed carefully if it's going to be protected and preserved.”

Lee cautioned, however, that the legal department's cybersecurity role “doesn't necessarily mean they're inserting themselves into insurance discussions or being the primary flag holders in front of the board. But it does mean, vis-à-vis the response, that they intend to be the standard bearers there.”

To be sure, legal departments have their cybersecurity work cut out for them. The majority of general counsel, 59 percent, said their organization was only “somewhat prepared” to handle a data beach, with many citing problems of overburdened IT staff and a lack of incident response management professionals in-house.

Over half, 51 percent, of GCs were also concerned about customer or client data privacy at their organizations, while 42 percent were concerned about the potential for undetected breaches and 38 percent about employee and workplace privacy protections.

Most legal departments were seeking to mitigate these risks through drafting data security policies (72 percent) or adding to policies already in place (62 percent). Moreover, 59 percent were implementing risk monitoring programs in-house, while 55 percent were developing incident response plans, and 53 percent were training end users on cybersecurity best practices.

Lee noted that while the amount of legal departments implementing training and incident response plans might seem low, it represents a significant increase over from the past two or three years, when around 20 to 30 percent of legal departments introduced such data security processes.

Beyond policies and training, legal departments are also turning to data analytics to manage risk within their own organizations, with 67 percent noting they employ analytics to better respond to their regulatory and compliance requirements.

Lee noted that the type of analytics most legal departments use are “descriptive analytics,” which are “intrinsically retrospective” and allow legal departments to “look at things that have already happened to try to discern patterns.”

“So one very common application of this analytics for in-house law departments is contract compliance, for example,” he said. Such analytics can look at “with whom do we have substantial vendor agreements, what are the common terms, what are the renewal periods, what are the discounts that we are able to get, what are the penalties for noncompliance, etc.”

Lee added, however, that a few legal departments are also using “analytics prospectively,” which help predict and manage future cyber risk and can be more helpful to an organization.

Such prospective analytics, he said, can be difficult for legal departments to implement because they require “clean reliable data, consistent reporting, similar reporting formats,” and other streamlined information governance processes.

Data protection

As corporations devote more attention to cybersecurity, many are expanding the legal department's role to cover tasks like third-party risk management. But according to Grant Thornton's “2017 Corporate General Counsel Survey” of over 190 general counsel, that's far from where their cybersecurity responsibility ends.

Over half (58 percent) of general counsel surveyed said they were highly involved in responding to their organizations' data security risks and cybersecurity incidents. In addition, 23 percent said that responding to such risks and events were their “primary responsibility,” up from 11 percent in 2015.

Of course, it wasn't always this way. “When we did this survey two years ago, the CFO among other members of the C-suite were driving cybersecurity initiatives,” said Johnny Lee, principal and forensic technology practice leader for Grant Thornton's Forensic Advisory Services.

But as “breaches become more prevalent and as they represent more downstream risk—regulatory and litigation exposure, for example—we've seen a shift to legal departments taking the helm on the response,” he said.

In light of legal repercussions of cybersecurity incidents, he added, the legal department's participation in risk response can be an asset given the umbrella of attorney-client privilege. Depending on the nature and extent of a breach, such privilege may need “to be attached early if it's going to be invoked, and may need to be managed carefully if it's going to be protected and preserved.”

Lee cautioned, however, that the legal department's cybersecurity role “doesn't necessarily mean they're inserting themselves into insurance discussions or being the primary flag holders in front of the board. But it does mean, vis-à-vis the response, that they intend to be the standard bearers there.”

To be sure, legal departments have their cybersecurity work cut out for them. The majority of general counsel, 59 percent, said their organization was only “somewhat prepared” to handle a data beach, with many citing problems of overburdened IT staff and a lack of incident response management professionals in-house.

Over half, 51 percent, of GCs were also concerned about customer or client data privacy at their organizations, while 42 percent were concerned about the potential for undetected breaches and 38 percent about employee and workplace privacy protections.

Most legal departments were seeking to mitigate these risks through drafting data security policies (72 percent) or adding to policies already in place (62 percent). Moreover, 59 percent were implementing risk monitoring programs in-house, while 55 percent were developing incident response plans, and 53 percent were training end users on cybersecurity best practices.

Lee noted that while the amount of legal departments implementing training and incident response plans might seem low, it represents a significant increase over from the past two or three years, when around 20 to 30 percent of legal departments introduced such data security processes.

Beyond policies and training, legal departments are also turning to data analytics to manage risk within their own organizations, with 67 percent noting they employ analytics to better respond to their regulatory and compliance requirements.

Lee noted that the type of analytics most legal departments use are “descriptive analytics,” which are “intrinsically retrospective” and allow legal departments to “look at things that have already happened to try to discern patterns.”

“So one very common application of this analytics for in-house law departments is contract compliance, for example,” he said. Such analytics can look at “with whom do we have substantial vendor agreements, what are the common terms, what are the renewal periods, what are the discounts that we are able to get, what are the penalties for noncompliance, etc.”

Lee added, however, that a few legal departments are also using “analytics prospectively,” which help predict and manage future cyber risk and can be more helpful to an organization.

Such prospective analytics, he said, can be difficult for legal departments to implement because they require “clean reliable data, consistent reporting, similar reporting formats,” and other streamlined information governance processes.