General counsel to take on added responsibility

With cyber crime and data security becoming prominent concerns in every organisation, the role of general counsel is set to expand, requiring them to hone their skills in combating IT threats.

Emma Musgrave • 10 January 2017 • Corporate Counsel

Originally published in Corporate Counsel, David Remnitz from Ernst & Young’s global forensic technology and discovery services practice and Timothy Ryan, an Ernst & Young principal in cyber investigations and forensic technology, said general counsel are increasingly becoming the “go-to” people for handling matters arising from data breaches.

You’re out of free articles for this month

Username or Email

Password Forgot password?

Keep me signed in on this device.

First Name

Last Name

Mobile

Organisation Type

By becoming a member, I agree to receive information and promotional messages from Lawyers Weekly. I can opt out of these communications at any time. For more information, please visit our Privacy Statement.

Need help signing up? Visit the Help Centre.

“We are seeing chief legal officers and GCs involved as the nucleus, including the chief information officer, the chief risk officer in some instances, often a chief information security officer, and all the way up to the board of directors, along with outside counsel,” Mr Remnitz said.

“In breach response, like any action that carries the possibility of litigation, general counsel better be involved,” added Mr Ryan.

“I frequently say that you can either work on preparing for a breach or you can wait for one to happen, but on breach day you will be enmeshed. Unlike the old days, there is no way that a GC cannot be involved in a breach response,” he said.

Commenting on current trends in cyber security, Mr Ryan said Ernst & Young is seeing an increased awareness of “insider threats”.

VIEW ALL

“[These are] risks brought by employees, contractors and trusted partners who are misusing information or taking information through inappropriate means for inappropriate purpose,” he said.

“And we are seeing increased hacking by external groups: defacing or disabling public websites, or stealing information of value, such as medical records, intellectual property information and financial data.”

Mr Ryan noted that the company is also seeing larger breaches coming off the back of smaller, unmitigated incidents.

“There are often a series of small steps that go back months or years when the company saw something that needed fixing and it didn't get fixed,” he said.

“Regulators are constantly looking at how companies prepare for a breach.

“A breach alone is not a scarlet letter [to regulators], but failing to prepare for one is. And we're seeing that board members are increasingly concerned about not only risk to the company but also personal liability.”

Emma Musgrave

Emma Musgrave (née Ryan) is the managing editor, professional services at Momentum Media.

Emma has worked for Momentum Media since 2015, including five years spent as the editor of the company's legal brand - Lawyers Weekly. Throughout her time at Momentum, she has been responsible for breaking some of the biggest stories in corporate Australia. In addition, she has produced exclusive multimedia and event content related to the company's respective brands and audiences.

Prior to joining Momentum Media, Emma worked in breakfast radio, delivering news to the Central West region of NSW, before taking on a radio journalist role at Southern Cross Austereo, based in Townsville, North Queensland.

She holds a Bachelor of Communications (Journalism) degree from Charles Sturt University.

Email Emma on: Emma.Musgrave@momentummedia.com.au

Fabian Horton Saturday, 14 January 2017

@Glenno There are definitely parts of the cyber security spectrum that lawyers should have involvement in. As we know, a lot of the issues relating to cyber security and cyber breaches don't have much to do with technology as much as they have to do with risk and people management. A cyber team needs lots of skilled people from many disciplines.

For my part, I have been researching lawyer skills for many years now and it has become apparent that lawyers have a lot to offer in this area. And with some specific training lawyers can be a valuable first responder. Even if they are just part of the management team that gets the experts together and stops everyone else from losing their heads. I am currently writing a Masters subject that includes a cyber security module. In today's digital world, these are skills that every lawyer really should have.

0
- Glenno Monday, 16 January 2017
  
  Suitably skilled and informed lawyers do have a role in cyber security Fabian. My suggestion is that such lawyers are few and far between and the one thing you shouldn't want is an unskilled and ill-informed lawyer making contributions just because he/she is GC. Positional authority should never be confused with competence. The British Army made that mistake repeatedly in WW1 and it cost millions of soldiers their lives...
  
  As for lawyers being valuable first responders, I wonder what role you envisage? In my experience, first response is about bringing order to chaos and putting a fence around the incident - whether it is an intrusion, a leak or executing a search warrant or Anton Piller order on another party. A lawyer may advise as part of the prep for the latter and may participate in review of the former, but first response is, from my experience, mostly technical in nature so the lawyer would need to the 'smarts' of the technician he/she is replacing.
  
  I am reminded of something one of the instructors said on an EnCase computer forensics course I did some years back - "If you don't know exactly what everything in the software does, don't touch it. Your ignorance will probably put the whole case in jeopardy." I passed the course but realised that I did not possess the 'smarts' to replace a technician on first response. Even lawyers need to know their limitations. My fear is that lawyers will do your one masters unit and incorrectly conclude that they now have the 'smarts'.
  
  0
Glenno Tuesday, 10 January 2017

From what I have seen of lawyers and their IT skills/knowledge, this is going to be one extremely steep learning curve for many GCs. IT security is a very specialist area that is simply not something you pick up overnight by reading a couple of computer magazines or by doing an hour or two of CPD. Indeed, just Google 'cyber security degree' to see which universities are offering undergraduate degrees in that area. Then ask yourself, would you hire a graduate IT security person straight out of university to oversee corporate IT security? Probably not!

My advice is that unless you have years of IT security experience under your belt and are cutting edge on the latest threats, leave it to the experts! Which is sort of what EY is trying to push us all into concluding by very subtle nudges. "If you don't understand things, give EY a call!" When you are considering that response, just remember that there are other specialist IT security firms out there who are just as good, if not better, and who won't charge like wounded bulls.

0

You need to be a member to post comments. Become a member for free today!

Lawyers Weekly - legal news for Australian lawyers

SECTIONS

MORE

General counsel to take on added responsibility

Emma Musgrave

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

STAY CONNECTED