Lawyers Champion Cyber Security Culture Change with Senior Executives

May 26, 2020 9:40 am Robert O'Brien

Most computer systems contain sensitive data that belong to individuals such as customers, employees, or third parties. If that data is stolen or compromised by a hacker, the consequences can be dire.  

Data Privacy law in many jurisdictions carry large sanctions. In some countries, the data owners can institute legal action against the organisation for damages.  

Organisations can incur substantial notification expenses. The reputational damage is magnified further with laws requiring businesses to inform individuals when their personal information has been compromised in a data breach. 

The legal profession is charged with protecting their clients and organisations through minimising the effects of this type of situation.  

As information security and data protection have become part of our digital world, the liabilities surrounding these issues have also manifested themselves within legal contracts.  

Prior to the Millennium, these issues formed a very small part of any contract negotiations. Nowadays, it is common for significant debate to take place around Cyber Security risk and data protection liabilities. Both parties in contract negotiations are only too aware of the significance of failing to protect their interests in these vital areas.  

Lawyers involved in the negotiation of commercial contracts have had to invest in understanding the impact of the risks posed by Cyber Security and data protection threats.  

As a result, the legal profession finds itself at the forefront of understanding the highest levels of data protection husbandry combined with the requirement to implement a root and branch approach in the way Cyber Security is viewed within the organisation.  

“Too often data protection and Cyber Security are viewed as technical issues requiring a technical response, but this approach ignores the operational, financial and reputational damage that a breach can cause. If data adds value to your business, do not let that asset become a liability. Put discipline on it, and security around it, and harness its real value.” – Adrian O’Connell, Partner & Head of Contracts & Technology at Tughans Solicitors 

Often, this results in legal advice that calls for organisations to obtain Cyber Security insurance to mitigate the risk of a security incident. This has led to a growth in the global market for Cyber Security insurance, which is expected to reach $28.6 billion by 2026, according to a recent report published by Allied Market Research

Like car insurance, Cyber Security insurance is only of value after the damage has been done. The real challenge is avoiding data breaches and mitigating Cyber Security risks, where possible.  

Lawyers have a key role to play here in promoting in the way these two issues are viewed at board level. They can see the magnitude of the risk from a contract point of view and are able to translate that into real business risk that the leadership function can understand. This translates Cyber Security risk from being an IT problem to a wider business problem that executives can readily act upon.  

How to build a Communications and Awareness Plan on Policies

With the in-house legal function increasingly involved in major strategic decisions relating to governance, risk, and compliance, it is often the responsibility of the legal department to foster a culture of compliance and ensure that staff fulfill their Cyber Security responsibilities.

To help formalise a ‘best practice’ approach to internal policy management, OCEG has produced a helpful illustration which details the organisational lifecycle of policy management and the training environment.

 Click here to download now.