In-house counsel confronting a steadily growing number of privacy and cybersecurity issues with finite resources are being forced to juggle strategies for staying on top of an evolving landscape.
Major cyber threats, including the recent SolarWinds and Microsoft Exchange hacks, and new privacy laws in California, Virginia, and elsewhere are competing for attention in legal departments already grappling with Covid-19 and other issues.
“In-house counsel tends to have a number of portfolios unless you’re a huge company with specialized lawyers,” said Tom Zych, head of the privacy and cybersecurity and emerging technologies groups at Thompson Hine LLP in Cleveland. “With the rapid changes of laws and regulations, keeping up with everything is a challenge.”
Nearly 90% of chief legal officers expect data privacy issues to accelerate in 2021, topping other areas such as diversity and inclusion and environmental, social, and governance matters, according to the Association of Corporate Counsel’s annual survey.
General counsel and chief legal officers need to leverage outside law firms strategically to craft compliance plans and develop goals, and closely track their corporate boards and third-party vendors for proper security and compliance measures, attorneys say.
“In-house counsel have been caught in the squeeze in terms of velocity with everything that’s going on,” Zych said. “They need visibility with the external world, with all the developments in this space, as well as visibility into their inside world and processes.”
Chief legal officers named cybersecurity, regulation and compliance, and data privacy as the three most important of fourteen issues provided to them in the survey.
That’s in line with emerging trends from over the past few years, and those concerns are only set to increase as the regulatory landscape grows more complex and the risk of cyberattacks ratchets up, said Dan Sholler, product marketing manager at Exterro, an e-discovery platform that helped conduct the survey.
“The chief legal officer is being forced by this focus on data to take on the job of managing this big hunk of risk,” Sholler said.
Cyberthreats include phishing campaigns that target employees, and large-scale supply chain attacks such as the one that affected
Another risk lies in complying with regulations such as the California Consumer Privacy Act, which took effect last year, said Steve Stransky, a partner at Thompson Hine in Cleveland. That risk is set to increase with new obligations imposed by the California Privacy Rights Act and Virginia’s Consumer Data Protection Act, both of which take effect Jan. 1, 2023.
Despite business challenges brought about by the coronavirus pandemic, about one-third of legal departments said in the survey they planned to add lawyers to their in-house teams. Nearly half said they expected to outsource more legal work to firms in 2021.
“Most departments are going to tell you that they’re running very lean right now,” said John Gilmore, managing partner of BarkerGilmore, a legal and compliance recruiting firm. “But hiring for data privacy and security roles is a big concern” despite tight budgets, he said.
Still, even if a company is lacking in the resources to hire additional in-house or outside counsel, it should use legal operations professionals to streamline key processes, said Veta Richardson, the Association of Corporate Counsel’s president and CEO.
“By having a dedicated professional who has business savvy and skills, it allows the lawyers to pivot and focus on what they do best,” Richardson said. “They can focus on legal counseling and being part of a business team to develop strategy.”
Using legal operations tools such as e-billing and matter management systems helps in-house counsel prioritize their time, said Nathan Wenzel, founder of SimpleLegal, a software company.
Automating some oversight of third-party vendors and leveraging technology to keep track of vendors can also help free time for in-house counsel, and these techniques have become more critical in the wake of the SolarWinds Corp. and Accellion Inc. supply chain attacks, said Sachin Bansal, general counsel at SecurityScorecard, a cyber-risk company.
In-house lawyers should get to know the chief information security officer at their company well, Bansal said, because CISOs are so heavily involved in mitigating cybersecurity risks that can quickly morph into legal headaches.
Ensuring visibility over a company’s board is vital as security threats become more ingrained in all aspects of a company’s risk profile, he said. General counsel should work with CISOs to ensure updates are clear and not so technical that board members can’t understand them.
“Boards don’t always have cybersecurity expertise, so there can be a lost-in-translation issue,” Bansal said.
Part of the challenge rests in the sheer number of U.S. and international developments, said Peter Yeung, London-based general counsel and chief information officer at Optimizely, a software company.
Though his in-house lawyers—four focused on the U.S., three focused on Europe, and one focused on Australia—juggle many issues, taking the time to stay on top of the news pays off in the long run, Yeung said.
“Each attorney is meant to dedicate about 15% of their time in researching, collaborating, and expanding educational knowledge on the data privacy regulation concerns within their region,” Yeung said.
Leveraging Outside Counsel
The breakneck pace of privacy and cybersecurity news means busy in-house counsel are relying more on outside firms’ legislation summaries and enforcement action analyses to understand which developments affect their business and learn how to cope with an increasingly complex regulatory picture.
“If you compare three years ago to today, I think law firms have gotten much better about putting out thought leadership that is much more focused on pragmatic advice,” said Cynthia Cole, a partner at Baker Botts LLP in Palo Alto and a former general counsel herself. “Firms are really trying to be a source of info for clients in a way they weren’t in the past.”
That constant stream of communication is especially helpful for “one-person shops” or legal departments with only a handful of attorneys, Cole said.
Having an incident response procedure and breach reporting plan in place is necessary to react effectively if and when a company is attacked, Bansal said.
“One of my day one tasks was having cyber counsel lined up and working with them on preventative measures, as well as keeping them at the ready if there’s an incident,” he said.
External counsel can also help with tabletop exercises—mock emergencies—so the company knows how to react in the event of a breach, Bansal said.
In-house attorneys should partner with firms that understand their company’s business model at a granular level, Yeung said. The top law firm isn’t always the best fit, and very specialized legal firms and advisers can often be more helpful, he said.
“If you’re in the software industry and you find outside counsel that’s great at data privacy and protection in marketing, that’s good—maybe for your marketing team,” Yeung said. “But you really want an outside counsel that has worked with other software companies and understands their inner workings.”