With the proliferation of online attacks, in-house counsel are becoming increasingly involved in their organisation’s cybersecurity, finds Pearl Liu
In the wake of the much-publicised cyber-attack against digital toymaker VTech in Hong Kong last December, cybersecurity is likely to remain at the top of the agenda for many corporate boards and general counsel.
The attack breached one of VTech’s learning apps and compromised almost 5 million parent accounts, exposing data from 6.4 million children. The compromised data included children’s names, genders and birth dates as well as their parents’ names, mailing addresses, email addresses, secret questions and answers for password retrieval, internet protocol addresses, download history and encrypted passwords.
The incident was reminiscent of the much larger 2011 attack against Sony’s PlayStation Network that compromised some 77 million accounts and shut down the network for 23 days.
The growing risks from online data breaches have resulted in greater pressure on the legal departments of just about every corporation. More than half of in-house counsel report that their companies are increasing spending on cybersecurity, while one-third said that their companies have experienced some kind of data breach, according to a recent report by the Association of Corporate Counsel Foundation (ACC).
“In-house counsel operate at the intersection of complex legal and business challenges facing companies today,” says Veta T. Richardson, president of ACC. “Therefore, it is not surprising to see that general counsels and chief legal officers are playing an increasingly active role in cybersecurity strategy, risk assessment and prevention.”
Asia as a whole has seen tenfold or more increases in access to the internet since 2002, but this has been accompanied by huge growth in cybercrime.
Cybersecurity is no longer the exclusive concern of governments or departments that manage an organisation’s critical infrastructure. Rather, it is an issue for any entity or unit that holds customers’ personal data or sensitive company data.
“We can see that more of our enterprise customers are asking us about information sharing for their board directors and senior management. We can see that they notice there are things they need to do, but they need to move fast on that,” says Michael Chue, General Manager for Greater China at FireEye.
“You [the company] have the obligation to protect the data that you hold,” says Jonathan Fairtlough, managing director of cybersecurity and investigations at Kroll, a U.S.-based firm focused on risk mitigation and response solutions. “You have to be aware that someone or some organisation online is trying to steal your data. Companies need to prepare themselves and make sure that they have a cybersecurity strategy [that covers] technical and legal [issues].”
This reality is a great source of concern for in-house counsel, particularly because of the high level of confidentiality that their work requires as well as the fact that they often handle financial data, customers’ information and even employees’ personal details. Companies can suffer significant losses if cyberthieves gain access to such information.
“It depends on the type of company that you are involved in, but generally speaking, maintaining data integrity and security is more challenging than ever. It is critical to have oversight on data security issues and to make sure you understand the specific privacy laws of the jurisdiction in question because they all differ slightly,” says Christopher Chan, director of legal and government affairs at RedMart, a Singapore-based e-commerce company. “I spend a couple hours of my time each month on data privacy. It’s not the biggest focus, but we need to ensure that we can keep our data secure. There are a lot of simple steps that can be taken to prevent a breach. Early on, a company should focus on the easy wins, such as mapping the data along with restricting and logging access.”
He adds, “Financial institutions have much more sensitive personal data and must maintain a higher level of privacy due to the information that they have. As an e-commerce company, we decided not to store our customers’ payment information on our servers. Accordingly, we partner with payment providers to keep a higher standard for our customers’ peace of mind.”
Cybersecurity breaches have become rampant in Asia, which accounts for eight of the top 10 countries most vulnerable to internet crime. Last year, according to FireEye, a network security solutions provider, Asian companies were targeted 35 to 40 percent more than the global average.
According to statistics from a report released by consultancy firm Grant Thornton last September, Asia-Pacific businesses spent $81 billion in cybercrime-related expenses in the previous 12 months. In comparison, the total cost of cyber-attacks globally was $315 billion.
Gladys Chun, general counsel at Lazada Group, an e-commerce platform with a presence across Southeast Asia, says her company is fully aware that the widespread use of the internet and smartphones increases the risk of and exposure to cyberattacks.
“A lot of the crimes nowadays are actually cyber-related crimes. This is a very important issue particularly for those who are involved in e-commerce like Lazada,” says Chun. “Now there are more channels where crime can take place, and there are so many forms [of crime] as well. It just widened the avenues available for fraud to take place and for hackers to hack.”
Lazada has taken both reactive and proactive approaches to protect itself and fight back against cyber-attacks. For the company’s legal department, more collaboration is required as “no one solution fits all.”
“You have to take both approaches at the same time. We have a dedicated team in place that runs security checks, does penetration testing and all the detecting. We have a data protection officer. We also have a lawyer who specialises in data privacy issues to deal with all these,” says Chun. “The initiative is led by our information security team and we play a supporting role. It is critical and instrumental in defining what a [company] can and cannot do.”
Lazada’s efforts include educating business colleagues about cybersecurity, regularly outlining legal requirements and compliance issues, constantly revising privacy policies and putting adequate controls in place. “Basically, we provide them with a framework as to the modus operandi [of cyber-attacks],” shares Chun.
This kind of collaboration does not only happen between different units in a company. Sometimes, the legal department needs to work with external cybersecurity services. Currently, a lot of banks, retailers and other institutions that hold tons of customers’ financial and personal data seek professional partners to protect their data from online breaches.
The constant threat of cyber-attacks has upped the pressure on just about every department of an organisation, including in-house counsel. But what matters most is how the risks are managed and the challenges dealt with.
“There is no way that you can eliminate cyber risk at the current stage. Today you may manage to discover one attack, but tomorrow 10 will come. It is an ongoing battle. A company should always take proactive measures to either improve their systems or get updated in terms of new security measures that are available to better protect company assets,” recommends Chun. “The non-legal teams view us as a value-added department for sure, and they turn to us earlier instead of after attacks happen, which is a good thing. They look at us as a business advisor as opposed to a prevention unit.”