Managing cyber risk

If they didn’t have enough on their plate already, general counsel are feeling the pressure to become more concerned about the risk of cyber-security threats to their organizations, and they are starting to ask more questions about what they can do to help mitigate that risk.

“Every company takes steps to protect their information — but there is an element out there that will utilize the resources they have to access information and it becomes that much more important that we do everything we can to reasonably protect against that risk. It has become a higher priority item for us,” says Robert Piasentin, general counsel for Vancouver-based Sierra Systems, an IT consulting firm.

Chatter on this topic seems to be reaching a greater pitch. Consider U.S. President Barack Obama’s reference to it in the recent State of the Union address, when he noted he has put forward an executive order to improve the nation’s cyber security. With attacks on both private and government systems becoming more frequent, the goal is to focus attention on the problem.

His message came a week after the Consero Group consulting firm released its 2012 General Counsel Survey, in which 30 per cent of the GCs surveyed said their companies were not prepared to defend against cyber attacks. In addition, 28 per cent said their companies had experienced a cyber security breach in the past 12 months.

The Association of Corporate Counsel’s survey of CLOs also listed “data breaches and protection” as one of the top issues keeping them up at night.

Lou Milrad, of Toronto-based Milrad Law, can see why all this is bubbling up to the surface. He has been working with in-house legal departments — especially municipal governments — in the area of cyber security for a number of years, in particular around mobile devices used and owned by employees for corporate work. He sees a communication gap between the IT teams and the legal department.

“My big concern, quite frankly, is that the IT departments are not reaching out to the in-house counsel and making them part of the team that does the evaluations. There can be quite a few risks around breach of privacy, IP violations, and that kind of thing,” says Milrad. “Consider things as simple as if an employee leaves and the corporation made a decision to use the employee’s device — does it have the ability to do an audit or inspection of that device?”

The numbers cited in the Consero survey actually sound low to Mike DuBose, managing director and head of Kroll Advisory Solutions’ cyber investigations practice, an organization often brought in after a data breach has occurred. “I would suggest the number of those not prepared to handle this is a much greater percentage,” says DuBose. “I think there is a gap between the concern and knowing what to do because for so long IT security has been left to the IT staff and they’re very good at their jobs but when it comes to preventing and investigating breaches that’s not their specialty.”

When corporations are putting together policies around IT they will often bring in the business unit owners, but Milrad says in-house counsel do not seem to be top of mind for inclusion in those discussions. They should be, because they are the ones who can help develop strategy and create policies to protect the business. “In-house legal departments need to be more aware and get more involved in working with their IT directors and chief information officers,” says Milrad.

Piasentin says Sierra Systems’ IT department is partially based in the U.S. and they are “often hyper-sensitive to the nature of cyber threats” given the kind of work the company does. “They’re always going further than most businesses might consider necessary to make sure we’re protected against a cyber threat,” says Piasentin. “They will try and bring me in when they think there’s something that needs to be decided from a policy level, or if there’s an actual attack on-going — not that we’ve had very many. I try to insert myself to the extent I can to make sure we’re not doing anything in violation of any applicable legislation.”

In the event of a data breach, Piasentin says he would be the first person the IT department would contact to inquire what the response should be from the legal and business perspective. “In some situations I’ve gone to external counsel when I needed to get additional advice,” he says.

Often, he says, the actions taken would depend on what was lost. In some cases the loss of client data could trigger an investigation from the privacy commissioner. “The first question is always, ‘What has actually been breached?’ We’ve fortunately never got to that stage where client information was lost of any sensitive nature.”

One of the things DuBose says Kroll recommends to companies that have concerns is to get an independent information risk assessment by a third-party firm. “We do them, others do them, but it’s a way of getting a network health check-up on your system — both on policies and data retention procedures, vulnerabilities in software — and really gives a good sense of where you are and where the state of your data security is,” says DuBose.

Barry Sookman, a technology and intellectual property lawyer with McCarthy Tétrault LLP in Toronto, says more class action lawsuits are emerging around data breaches. For example, when Sony’s PlayStation Network was hacked and the personal information of account holders was exposed, it gave rise to a class action in Canada. “Every major corporation in this country is either at risk of being infiltrated, has been infiltrated and knows it, or more likely has been infiltrated and doesn’t know it, and their trade secrets and personal information is all going overseas. It’s a huge problem,” says Sookman. “There is also the threat to crippling power grids, water supplies, and other utilities as well as the financial system. That is a clear and present danger we’re facing.”

Sookman says he is getting more questions from general counsel on cyber threat risks. “I definitely get those kinds of questions. It can be about social media policies or they’ve had a data breach. They may not have had to work through them before. GCs are very interested in these issues, and it is very top of mind for CEOs, CIOs, and general counsel. But it’s also a concern for lawyers in the bigger companies who are specialists in these areas who go internally because they have developed expertise in this area themselves. If it’s a big data breach case though they’re going to call outside counsel.”

While some general counsel may feel it is not their territory to call for the kind of review DuBose recommends, it may be time for data security to become just as important as the other areas of risk the in-house department oversees.

“We have seen breaches where we’re retained by outside counsel for privilege issues but the general counsel has a major decision making role in what happens and what they’re willing to pay to clean up the mess,” says DuBose.

While there is no such thing as a 100-per-cent secure network, DuBose says 95 per cent of all breaches can be avoided by implementing some medium-cost security measures. When it comes to cyber threats to trade secrets and other proprietary data, over two-thirds of that type of threat is the result of activity by malicious insiders such as ex-employees or angry IT administrators on their way out.

With the increased focus on cyber security, DuBose predicts there will be more civil actions litigating liability for negligence or recklessness on the part of companies in breach situations. “It’s already starting in insurance companies who are looking at cyber liability insurance and requiring from their clients certain conditions and measures be implemented before they are eligible for that kind of insurance.”