In-house counsel often left in the dark on cyber threats

They may not have a lot in common with the IT department, but general counsel are becoming increasingly concerned about cyber-security threats to their organizations and they are starting to ask more questions about what they can do to help mitigate risk.

“Every company takes steps to protect their information — but there is an element out there that will utilize the resources they have to access information and it becomes that much more important that we do everything we can to reasonably protect against that risk. And it has become a higher priority item for us,” says Robert Piasentin, general counsel for Vancouver-based Sierra Systems, an IT consulting firm.

Chatter seems to be reaching a new pitch. Consider U.S. President Barack Obama’s reference to it in the State of the Union address last week, when he noted he has put forward an executive order to improve the nation’s cyber security. With attacks on both private and government systems becoming more frequent, the goal is to try and focus attention on the problem.

It came a week after the Consero Group consulting firm revealed in its 2012 General Counsel Survey that 30 per cent of the GCs it talked to said their companies were not prepared to defend against cyber attacks. In addition, 28 per cent said their companies had experienced a cyber security breach in the past 12 months.

The Association of Corporate Counsel’s recent survey of CLOs also listed “data breaches and protection” as one of the top issues keeping them up at night.

Lou Milrad, of Toronto-based Milrad Law, can see why all this is bubbling up to the surface. Milrad has been working with in-house legal departments — especially municipal governments — in the area of cyber security for a number of years, particularly regarding mobile devices used and owned by employees for corporate work. He sees a communication gap between the IT teams and the legal department.

“My big concern, quite frankly, is that the IT departments are not reaching out to the in-house counsel and making them part of the team that does the evaluations. There can be quite a few risks around breach of privacy, IP violations, and that kind of thing,” says Milrad. “Consider things as simple as if an employee leaves and the corporation made a decision to use the employee’s device — does it have the ability to do an audit or inspection of that device?”

When corporations are putting together policies around IT they will bring in the business unit owners, but Milrad says it doesn’t seem in-house counsel are top of mind. They should be because they are the ones who can help develop strategy and create policies to protect the business.

“In-house legal departments need to be more aware and get more involved in working with their IT directors and chief information officers,” says Milrad.

Piasentin says Sierra Systems’ IT department is partially based in the U.S. and its members are “often hyper-sensitive to the nature of cyber threats” given the kind of work the company does.

“They’re always going further than most businesses might consider necessary to make sure we’re protected against a cyber threat,” says Piasentin. “They will try and bring me in when they think there’s something that needs to be decided from a policy level, or if there’s an actual attack on-going — not that we’ve had very many. I try to insert myself to the extent I can to make sure we’re not doing anything in violation of any applicable legislation.”

In the event of a data breach, Piasentin says he would be the first person the IT department would contact to inquire what the response should be from the legal and business perspective.

“In some situations I’ve gone to external counsel when I needed to get additional advice,” he says.

Often, he says, actions would probably depend on what was lost. In some cases, loss of data around clients could trigger an investigation by the privacy commissioner.

“The first question is always, ‘What has actually been breached?’ We’ve fortunately never got to that stage where client information was lost of any sensitive nature,” he says.