A new report from global law firm Hogan Lovells has surveyed 550 international business decision-makers and found that their organizations are usually not prepared for legal issues arising from technology risks.
68% of the respondents said that technology is a core part of their growth strategy, but 50% do not have an up-to-date cybersecurity incident response strategy and only 31% drafted that strategy in consultation with a legal team. Among other alarming statistics revealed by the study, about two-thirds of organizations are not properly screening the credentials of third-party vendors to safeguard against a supply chain breach.
US organizations still struggling to adequately address technology risks
Entitled “Litigation Landscape: How to Prevail When Technology Fails,” the report surveyed general counsels and data privacy officers at international companies with an annual turnover of between $200 million and $1 billion. These organizations were distributed roughly evenly among seven different industries; the majority were from the US or Europe, but about 130 companies from the larger economies in the Asia Pacific region were surveyed as well.
The report confronted these decision-makers with a variety of potential legal issues arising from common technology risks: technology malfunctioning on customers, algorithms inadvertently discriminating against certain groups of people, and new vulnerabilities created by onboarding new technology for just a few examples. Technology risks to businesses are only increasing over time as new elements must be onboarded quickly, social media helps to spread news of vulnerabilities or issues very quickly, and tighter regulations come online across the world.
Businesses are having particular issues keeping up on the fronts of cybersecurity and protection of private data. Though hacking has increased dramatically since the COVID-19 pandemic expanded work-from-home arrangements, about half of all businesses surveyed reported that they do not have an updated cyber response plan that accounts for a full range of pertinent risks.
Most businesses (76%) do have some sort of cyber response plan in place, outdated though it may be, but only a third of these (31%) looped in a legal team while developing it. This is in spite of about 66% of all businesses agreeing that a data breach was likely to lead to expensive lawsuits or fines.
Only 38% of senior executives expressed confidence in the safeguards that are in place to handle present threats. A similar number of organizations are not adequately screening their suppliers and vendors for the possibility of a third-party data breach. Senior leadership also tends to be removed from decisions regarding technology risks, with only 9% of organizations reporting that they are involved and view this category as being as important as more traditional business risks. Only 35% report having confidence in senior executives to handle technology risks; this concern is perhaps well-placed, as only 6% report viewing technology risks as being on par with financial risks. Additionally, 56% of boards are not currently considering how to mitigate critical technology failures that could either take down internal systems or render consumer products inoperable.
Technology risks related to algorithms gone awry is an area of concern that looks to become a serious problem in the near future. 45% of the businesses surveyed are not checking any of their technology products for the possibility of an algorithmic bias in terms of demographics such as race or gender. This has been demonstrated to be a problem area in various facial recognition systems; the most common culprit is a failure to include an adequately representative sampling of all groups in the models used to train algorithms to recognize features and details. One area that is experiencing rapid adoption (with potentially poor evaluation of potential bias) is the use of human resources (HR) software algorithms to automatically screen candidates for job openings and promotions. Some other examples that the report cites include gender bias in determining credit limits and racial bias in prioritizing patients for medical care.
Bring tech and legal divisions together to weather technology risks
What can businesses do to improve the situation? According to Hogan Lovells, one of the biggest keys is getting boards and C-suites involved in the process of identifying technology risks. Equally important is the involvement of both legal teams and privacy specialists familiar with relevant regulations. Businesses also need to focus their attention heavily on two key areas of vulnerability: the supply chain, and risk monitoring that extends through the entire life cycle of the technology. The researchers suggest that the way to begin facilitating all of these things is to create new technology-specific roles that are added to the board, and potentially to create a technology risks board committee (in situations where it makes sense). The report’s parting warning is that a “surge” of cybersecurity-related litigation is coming, and businesses that actively bring the tech and legal divisions together will be in the best position to weather it.