The increased prevalence and impact of cyber threats are forcing general counsels to grow into a strategic leadership role in terms of organizational management of data risks; so says the 2021 edition of the “General Counsel Report” from data management firm Relativity and business advisory firm FTI Consulting.
General counsels have switched focus from looking for reasons to cut cybersecurity budgets to taking a leadership role in implementing plans to mitigate an ever-growing field of data risks and their potential costs. The majority of those surveyed currently see privacy and data security as the primary area of legal risk, and for the first time a majority of respondents also feel that attorneys have adequate technical proficiency.
Pandemic pushes expansion of the duties of general counsels
The survey included a broad range of annual revenues, employee counts and industries. The methodology is also unique in that a representative personally interviewed the general counsels at each of the respondent organizations.
These interviews were conducted in August and September of this year, and the general finding is that the pandemic has been a strong driver of the expansion of the duties of general counsels. The root cause is the shift to a majority of work being done from home, something that has come with a sharp rise in data risks as cyber criminals home in on this vast new collection of vulnerable endpoints and cloud services.
65% of all respondents saw privacy, data protection, security, and/or data risk as the top area of legal risk for their business. Among the key concerns the general counsels listed were lax employee security when using email and video conferencing platforms, compliance issues with emerging data sources, extension of network security measures and policies to home-based devices, and how the use of “shadow IT” solutions might impact compliance.
This has led to a natural and expected drop in feelings of preparedness for data risks, with every category decreasing significantly from the numbers gathered in 2019: compliance with data privacy laws, information governance, data remediation, implementation of emerging data sources, readiness for cyber attacks, AI and machine learning, and blockchain applications. In spite of this there is a small increase in confidence in the technical proficiency of the organization’s attorneys; 55% now feel that the legal team is adequate in this area, compared to only 39% in the 2019 report. This change is generally attributed to a lack of the usual level of IT support and administrative assistance due to pandemic conditions, leaving general counsels to become self-sufficient in using the variety of tools for remote work.
With this increased use of remote work technologies, there seems to have been a corresponding uptick in general counsels becoming champions of onboarding new technologies. There was an increase in the use of AI for legal functions, in the overall number of unique software products found in the technology stacks of legal teams, and in the use of SaaS and other cloud-based technologies to perform legal tasks. This is in spite of organizations often halting some or all of their planned roll-outs of new technologies due to the onset of the pandemic. Some have used the crisis as a prompt to abandon local storage entirely and move everything to the cloud.
Handling the new world of data risks
Though general counsels have been expected to work with chief information security officers (CISOs) as part of the governance process at least since the EU’s General Data Protection Regulation (GDPR) was passed, the proactive role in planning for data risks has clearly increased in this past year. It is simply no longer feasible for any business to let cybersecurity languish as a low priority given the increased number of attacks and potential severity as companies pivot to a longer-term remote work model.
At some organizations, management of these new data risks has meant quickly getting up to speed with best practices that have been established in recent years. One that has become particularly important is the creation of a data map that tracks exactly what is passing through potentially insecure endpoints (such as the devices that employees use at home). Updated incident response and crisis management plans (regularly tested with simulated exercises), patching regimens, employee phishing training, and backups of critical data are all key items on this particular menu.
Data risks have shot up the list of priorities quickly in recent years as the average cost of data breaches and recovery has gone way up. Cybersecurity is not necessarily bumping these items from the list, however; in many cases it dovetails with usual focal points of risk management like contractual arrangements with third-party suppliers, regulatory compliance preparations and corporate reputation management. This even ties in with shareholder engagement, as owners are increasingly aware of and concerned about the handling of personal information and data protection measures.