The State of Privacy: Does the US need a federal privacy law?

Reforming data privacy laws may not sound like a move destined to leave an enduring political legacy, but in policy-making circles the tropic casts a surprisingly long shadow.

‘One of the major hang ups of US leadership role has been the absence of a federal commercial privacy law in the country’, says Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP).

For many, the most puzzling question of all is why there is still a debate about the issue. In a world where data, and the power to regulate its use, is becoming a central part of statecraft, the United States is conspicuous in lacking a national data privacy law.

A decade ago, when the Obama administration started discussions on strengthening privacy regulations in the US, the business community considered the initiative as an unwanted and unneeded interference. Since then, it has become clear that the alternative may be far less palatable.

‘We are pretty quickly going down the path toward fifty plus privacy laws, which is the same place we have found ourselves with data breach notification law’ says Liz Benegas, general counsel of enterprise management software provider Totango.

Bob Jett, head of global privacy and risk at Crawford & Company, says the case for a federal law has never been stronger. ‘As citizens and consumers, we are only going to increase the number of things we do online. We can also see that some of the largest tech companies are stepping up and saying they want to be accountable for what they are doing in terms of privacy. They have realised that if they don’t self-regulate, the government might come up with stricter regulations than anticipated.’

Privacy, protection and pragmatism

New ways of working and the technology that enable them are creating all-new challenges for businesses – both legal and otherwise – with data privacy a headline concern for corporates of all shapes and sizes. GC speaks to leading professionals from across the WSG network to find out how they are advising clients navigating an increasingly complex corporate environment.

‘Technology has reshaped every aspect of legal life from the way research is completed, to how documents are filed, and, with the pandemic, how we appear in court via remote video platform,’ says Robert McFarlane, a partner at Hanson Bridgett and leader of the firm’s technology and intellectual property practices.

‘With remote applications come increased risks. All businesses, including law firms, must employ electronic and cloud security measures that minimise the chances of data leakage and the compromise of confidential client materials. We invest heavily in security measures and training and advise our clients to do the same.’

Critical to effectively evaluating current measures and implementing training – particularly from the perspective of corporate counsel – is a thorough understanding of the contemporary rules and regulations applicable across all relevant jurisdictions.

‘The keys to mitigating privacy incidents are actions taken prior to the incident itself,’ explains John Babione, a partner at Dinsmore & Shohl LLP. ‘For organisations operating across state lines in the US or internationally, the work done before an incident to know and understand what laws apply to the data flowing through the organisation will reap tremendous benefits for mitigating the harm.’

But in an area that is evolving as quickly as data privacy and protection, staying abreast of the rules of engagement – particularly when extraterritorial considerations are now also frequently at play – and managing the varying expectations and requirements represents an ongoing challenge for general counsel.

To manage this, Batya Forsyth, a partner at Hanson Bridgett and co-leader of the firm’s privacy, cybersecurity and information governance practice, advocates for maintaining the highest possible standards across the organisation.

‘We typically recommend clients comply with the strictest state privacy laws that could apply to their businesses,’ she says.

‘In recent times, this would be California state law—namely, the CCPA and upcoming CPRA, which goes into effect in 2023 and is very often compared to the GDPR, the EU’s well-known, highly-restrictive privacy scheme.’

Managing the challenges of data in the modern corporate environment can’t be limited to just in-house considerations though, with Forsyth advising that external suppliers and contractors be held to the same high standard as internal stakeholders.

‘GCs must have confidence that the vendors critical to the functioning of their business are committed to and are, in fact, protecting themselves as well,’ she says.

‘A comprehensive vendor management programme should provide a clearinghouse of relevant contracts, a thorough understanding of each vendor’s contractual security promises and insurance commitments, as well as a current audit of select vendors where appropriate. If contract provisions are missing or too lax, GCs should consider negotiating amendments or revisions at renewal.’

Public demand for new privacy laws has tended to be weaker in the US than other developed countries, though the disruptions of the last year and a half – pandemic-related issues like vaccine certificates, digital contact tracing and mobile health apps – have helped put privacy and data security at the forefront of public debate.

A recent poll by data intelligence organisation Morning Consult shows that 83% of voters wanted Congress to prioritise privacy legislation. Surprisingly, those who identified as Republicans were just as likely to hold this view as those who identified as Democrats.

For Cameron Kerry, a visiting fellow at the Center for Technology Innovation at the Brookings Institution, visiting scholar at the MIT Media Lab, and former general counsel of the US Department of Commerce, the significance of strong data privacy laws goes beyond the short-term benefits it would bring to consumers and businesses.   

‘In terms of the international picture, 2021 is a very important year for determining whether people can truly put their trust in American companies and technologies. Businesses want to see a consistent national standard rather than a variety of state standards that mean they have to re-engineer their systems each time they move to a new state.

‘American business has already had to adapt to GDPR, and many companies have internalised a lot of these practices and have acknowledged their advantages for themselves and their clients. There could not be much more fertile grounds for a federal law than we find today.’

Whether or not the US moves to pass a federal data privacy law, the number of states passing their own legislation has ramped up to the point that keeping track of developments can sometimes be a challenge even for the professionals. It also means that, whatever the next four years hold, the state of data privacy in the US is a question every GC will be following closely.

We spoke to those working at the sharp end of data privacy to find out what developments corporate counsel should be paying attention to.

A hill worth fighting for?

The drive to protect private citizens’ data in the US is arguably older than the country itself. Long before he worked to draft the Declaration of Independence and the US Constitution, Benjamin Franklin used his position as Postmaster General to ensure the privacy of communications sent by mail (to this day, the Fourth Amendment protects letters from search and seizure).

Subsequent lawmakers followed in this tradition, and in the last 50 years alone the US has introduced several notable pieces of privacy legislation, from the US Privacy Act 1974, which contained important rights and restrictions on data held by US government agencies, to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which laid down data privacy, security and confidentiality rules for health insurers.

In short, the US has never been inattentive to the importance of privacy. But for GCs struggling to navigate the patchwork of laws across governing data privacy across the country, the big hope is that the Biden administration will finally push for a comprehensive nationwide legislation.

In the run up to the presidential elections in November 2020, privacy specialists were convinced that, whatever the outcome at the ballot, federal legislation would soon follow. Draft bills from both sides of the aisle were circulating in Congress, and when Senators Roger Wicker (a Republican) and Maria Cantwell (a Democrat) introduced the Consumer Online Privacy Rights Act (COPRA) and the United States Consumer Data Privacy Act (USCDPA) in November 2019, it seemed like an often-polarised political system had at last found common ground. That the election ultimately swung in Biden’s favour only served to reinforce this confidence.

‘Parts of the Trump administration had an interest in weighing in on privacy legislation and trying to help move that forward, but there wasn’t any high-level interest in this issue’, says Cameron Kerry. ‘However, Biden, and certainly some of the people around him, have said explicitly that the US should adopt privacy legislation.’

Since then, there have been further signs that data privacy may come into sharper focus. On 12 May 2021, President Biden issued the Executive Order on Improving the Nation’s Cybersecurity. While cybersecurity and data protection are not the same thing, there is a close relationship between the two on a legislative level.

As Liz Benegas, general counsel of enterprise management software provider Totango comments, ‘you can have security without privacy, but you cannot have privacy without security. We all know the emphasis the US put on national security recently. Developing comprehensive framework for each is difficult and takes time, but now that our systems have been hardened, privacy should be added to the legislation list as well.’

On that list there is already the Information Transparency and Personal Data Control Act, introduced in March 2021 by Representative Suzan DelBene. While the proposed Act is not as wide-ranging as the European Union’s General Data Protection Act (GDPR) or existing Acts applying in certain US states such as the California Privacy Rights Act (CPRA) and Virginia Consumer Data Privacy Act (VCDPA) in particular – it does not contain the right to access personal information or the right to collect or delete information held by a controller – it does include a pre-emption provision, meaning that, if adopted, it would supersede state laws relating to data privacy.

This, believes Cameron Kerry, points toward a credible impetus for legislative change. ‘There is still the opportunity, interest and conditions to get it done [in the US]. A lot of good work has been done by Capitol Hill in both Houses to understand the issues. Key Republican and Democratic bills in the Senate are pretty close on these issues. A few points still need to be resolved, particularly pre-emption and private right of action, but there are some potential paths ahead.’

Speaker of the House of Representatives Nancy Pelosi has already stated that the House would oppose any federal law that does not include the same level of protection as COPRA, and it is likely that the question of the pre-emption is going to be a huge stumbling block.

However, comments Julia Reinhardt, Mozilla fellow in residence, privacy consultant, and a former German diplomat specialising in EU privacy policy, ‘the Biden administration realises how important this is for industry, for people, for consumers and for international data transfers, so I really hope that it will find ways push this project ahead.’

‘Privacy is a big horizontal topic that regulators have been working on for decades. GDPR may have a few gaps, but it was a big step ahead to have one regulation for a large, contiguous market. The EU member states each had their own privacy laws before GDPR harmonised a general law for the 27 countries.’

Hurry up and wait

While there are of course certain differences of context between the US and EU, the European experience shows that none of the problems facing federal data privacy legislation are insurmountable. Except perhaps one.

Bob Jett, head of global privacy and risk at Crawford & Company, the world’s largest independent provider of claims management to the risk management and insurance industry, believes North America is sufficiently culturally distinct to make any parallels problematic.

‘The unique difference between data privacy in North America and in Europe is that Americans and Canadians, for the most part, do not consider their personal information to be a fundamental right. Most of us are willing to give up our rights to privacy for convenience or speed.’

‘In the US, we are much more worried about cybersecurity, because of the potential impact that has on our infrastructure, our ability to use our credit cards, or to get gasoline and to travel.’

A difference in European and American cultures of litigation could also become an issue. While Europe has yet to witness a wave of GDPR-specific class actions, the long-tail of these types of cases makes its difficult to know whether that is because they do not exist or because they are currently working their way through the system. If it turns out to be the latter, it could be a big warning sign for US businesses.

‘Regulations can become litigation tools’, adds Jett. ‘This is one of the things I have been tracking, because in the US, there is a fear for class action lawsuits around this. And such lawsuits have actually started to be filed in California.’

Even supporters of a federal data privacy law concede there is more groundwork to be completed, particularly around the issue of private rights. ‘The question around the rights for individuals to bring lawsuits for privacy violations coming from companies is crucial’, notes Reinhardt.

‘The volume of cases and magnitude of fines tend to be significantly higher in the US compared to Europe, so it may be necessary to include some provision that only allows attorneys general at the state level to sue.’

While these debates play out among lawmakers, GCs will have to go about complying with an increasingly complex patchwork of laws on a state-by-state level. But deliberation among lawmakers does not mean that legal teams can or should take a patient approach to managing privacy.

‘Data protection – both the privacy and security aspects of it – is quickly becoming a risk management function rather than a technological challenge’, says Benegas. ‘Gone are the days when only the chief technology officer needed to know or care about the issues. Nowadays, all levels and functions within a company need to know and be prepared.’

‘GCs and corporate counsel will play a pivotal role in helping shape the response to this challenge, not only because risk management is part of the job description but because of the broad view legal teams have into company operations, from human resources to vendor management to customer contracts.’

Ann Cavoukian, former Information and Privacy Commissioner for the Canadian province of Ontario and originator of the concept of privacy by design, which was subsequently incorporated in GDPR, also advocates a proactive stance when it comes to data privacy in the c-suite.

‘In these times of legal limbo, I always encourage companies to get a certification. First, it builds trust and business relationships, which has been lacking for a long time. Second, it increases the quality of the information they collect.’

‘There is no inherent tension between granting privacy and exploiting economic value when it comes to data. You can capitalise on data but strip it of all personal identifiers. One of the seven foundational principles I established with my privacy by design approach is to abandon the zero-sum models, where it is either-or or win-lose. There should not be a conflict between business interest and privacy. We should be aiming to satisfy both.’

The tip of the iceberg: Data protection and cyber risk

Bob Jett, chief privacy officer at Crawford & Company notes ‘People used to joke that when a GC hears of a cyber attack or data breach they breathe a sigh of relief and say, “Thank God, that one falls to the IT team”. Today that joke wouldn’t make sense. No serious corporate legal professional thinks cyber and data risks are off their radar.’

Britton Guerrina, deputy global general counsel for technology and shared services with Deloitte Touche Tohmatsu Limited, echoes this view. ‘Cyber and data protection are increasingly important and should be top of mind for any legal team. The legal and regulatory risks in these areas have increased and continue to do so, with countries introducing increasing regulatory requirements, many of which are contradictory.’

Corporate counsel may be increasingly aware of the dangers posed to their organisations from cyber attacks, but the results to our survey of over 200 senior counsel across the US and Canada suggest their organisations take a very different view.

While 91% of legal teams were aware of their organisations’ cybersecurity efforts, only 18% said they were heavily involved in these efforts. In fact, an alarmingly high number of teams (39%) were not involved at all, while nearly two thirds (63%) were either not involved or only involved to a small extent.

Even legal teams that are involved in their organisations’ cybersecurity strategy are typically confined to a fairly narrow role. By far the most likely task falling to legal teams is ensuring the security of their own communications, data and files (84%) or providing strictly legal opinions on regulatory compliance (47%). Just under a fifth of teams (19%) reported being involved in their organisation’s wider cyber response planning, while only 7% were monitoring cyber threats across the organisation as a whole.

Businesses not involving legal teams in their cybersecurity efforts should take note: over half (53%) of the senior counsel surveyed rated their organisations’ cybersecurity defences as either poor or average. Just 13% said their organisations had excellent protection against cyber threats.

The limited involvement of legal teams when it comes to cyber security efforts is particularly puzzling given the obvious advantages lawyers would bring to the process. As Britton Guerrina notes:

‘Legal involvement is critical for various reasons, and lawyers are able to guide efforts in a wide range of areas, from helping to design the security programme to comply with privacy, employment and other local laws to advising the cybersecurity team on cyber regulatory requirements.

Legal teams can also assist with the roll out of security tools while addressing any legal impediments. They can advise which legal and regulatory requirements apply to a breach based on the facts and circumstances presented, determine whether breach notification requirements (regulatory or contractual) have been triggered, and craft notifications, interact with regulators, law enforcement, and so on. In my view, legal and cyber need to partner together, along with risk, in order to protect the organisation effectively.’

However, as Michael Shour, general counsel and secretary for Banyan Software, observes, this is likely to change as the regulatory and reputational stakes increase.

‘Legal is actually very well positioned to spearhead this area, but it is often not an area where management wants legal to focus, due to the limited resources. As class actions and cyber-related litigation increase over time, I suspect that this will continue to require an increasing amount of legal involvement.’

Plugging the leaks

Monitoring cyber risks may still be deemed a low priority for legal counsel, but the related issue of data privacy is fast becoming a key part of the legal team’s role. As one respondent, senior counsel for data and privacy at a global media and telecoms business, puts it:

‘Data protection is a growing issue, and not just because of the rise of serious and very damaging incidents which we all read about in the news. From a compliance perspective, it is the increase in country-wide and global regulations. Business has to operate as smoothly as possible, and it is our job as legal to help it do so within these regulatory boundaries.’

When asked to identify the most pressing cyber threats their organisations faced, nearly half (49%) of corporate counsel pointed to the risk of customer data being compromised. Theft of confidential business information was seen as the next most pressing risk, reported by 28% of those surveyed. As Naseem Bawa, general counsel for InteraXon, a leading maker of brainwave-controlled computing technology and applications, points out, in the digital economy data is a chief driver of value. ‘Data is part of a company’s IP and without stringent safeguards to protect and enhance its value you are leaving your doors unlocked.’

For comparison, just 2% said that direct monetary loss through theft was their organisation’s most pressing concern. While theft can be costly, it is often nowhere near as expensive as dealing with the regulators. For businesses that have yet to experience a significant data breach, comments one senior legal and compliance counsel at a large retailer, the uncertainty over consequences can be troubling.

‘The big unknown here is the way a regulators will respond. The marquee cases have been in the financial services industry, and there is some evidence that regulators will look at what a retailer is doing around data and compare it with the systems and controls that have been put in place by financial institutions. Obviously, these financial institutions have far more robust data-security arrangements in place, which is potentially something that could damage our position in any litigation.’

These risks are especially pressing, continues the respondent, in a world where customer interaction is increasingly digital.

‘Mobile payment apps and e-commerce are becoming the principal vector through which fraudsters are able to infiltrate business systems. It’s a data security issue but it’s also a cybersecurity issue that goes right to the heart of our business. That means the legal team needs to know how our IT systems work, with at least some degree of accuracy, and how those systems can sink us.’

For those unfortunate enough to suffer a breach affecting customer data, knowing how to respond is key. The advice from one general counsel at a large US medical insurer is to bare all. ‘If customer data has been compromised then you need to tell them, and you need to help them take whatever steps are needed to mitigate the risk they now face. In the first day or so after an incident everyone is scrambling around to collect as much information as possible before the company needs to report the incident, but often it will be too late for the customer if you wait a day. Bite the bullet and tell them what has taken place. And, of course, have a plan ready so you aren’t worrying about drafting the message during a firestorm. If you are facing a situation where you need to email potentially millions of customers, you will really be thankful that you planned ahead of time.’

This planning, many agreed, is among the most important steps that GCs can take. As Richard Brzakala, director of external legal services at Bank of Canada, comments, ‘The old maxim “Trust but verify” applies here. You may have best-in-class cybersecurity in place, but it needs to be tested continuously. It’s not a question of if things go wrong. They will go wrong. You will experience a cybersecurity incident or data breach eventually, so be prepared.’

Held to Ransom

On 7 May 2021, Colonial Pipeline, the largest petroleum pipeline in the US, was shut down following a cyber attack. It remained closed for five days, causing panic buying, fuel shortages and national security soul-searching. For cybersecurity experts, the most surprising element of this episode was that a key part of US infrastructure was not brought down by the actions of a hostile state (at least directly), but by a small group of cyber-criminals deploying a devastating form of online extortion software: ransomware.

After gaining access to a company or individual’s system, the attacker will make files inaccessible in some way. At the lower end of the scale, the malicious programme may simply lock the computer, an easily fixable situation for an IT professional and no great problem for a large company. But when deployed by more sophisticated attackers, the software will encrypt the victim’s files so effectively that recovering them without the decryption key is virtually impossible.

The Colonial Pipeline ransomware attack was just one of several high-profile events that have struck ostensibly secure organisations over recent months. May 2021 also saw a ransomware attack on meat processor JBS Foods, a $53bn company that is deemed vital to US food security. The attack, which led to closure of some of the company’s facilities, was reportedly ended after an $11m ransom was paid.

While the scale and severity of recent attacks has surprised many, the growing popularity of ransomware comes as no surprise to specialists in the field.

‘My first response to the upsurge in ransomware attacks lately was that we analysts have been warning about this for over a decade, and we all predicted this was going to happen’, says David Fidler, senior fellow for cybersecurity and global health at the Council on Foreign Relations.

‘Now it’s here we have another round of gnashing of teeth, but opportunities to mitigate the danger have been missed time and time again over the intervening years.’

Fortunately, even for those who may have missed the early warning signs, hope is not lost. GC speaks to some of the leading counsel and cyber experts to find out what the rise of ransomware means for business, and what lawyers can do to help prepare their defences.

The unlocked door

The rise in attacks affecting everything from water and energy utilities to fuel distribution systems is a sign of things to come. From a cybersecurity perspective, the truly frightening aspect of these attacks is that, once systems have been compromised, there is little IT professionals can do to regain control. Bhavani Thuraisingham, Founders Chair Professor of Computer Science and the Executive Director of the Cyber Security Institute at The University of Texas at Dallas, comments:

‘When the malware enters the system, it has access to almost everything, and in a ransomware attack [hackers] will encrypt everything and demand a payment in exchange for the key to unlock the files. As of today, AES 256 encryption cannot realistically be broken with modern computing methods. Unfortunately, this means that if the attack progresses to this stage, you have really no access to anything in the system unless you get the key to decrypt the data’.

Richard Forno, senior lecturer in the University of Maryland, Baltimore County Department of Computer Science and Electrical Engineering, puts it even more succinctly: ‘If you haven’t been conducting cybersecurity best practices and a sophisticated attack takes hold of your systems, you’re screwed’.

As a result, victims of high-profile ransomware attacks have been left with little option but to pay up. In the case of Colonial Pipeline, hackers demanded a ransom payment of $4.4m in the form of bitcoin, which they promptly received in exchange for codes to unlock the company’s systems.

More troublingly, the lines of attack hackers are exploiting are not easy to defend against. For example, phishing attacks in which members of staff are fooled into downloading malicious software by seemingly genuine emails are becoming increasingly effective. This, says Forno, is increasingly dangerous given the rise of social media as a means of validating an unknown person’s identity.

‘Using artificial intelligence and machine learning, you can identify, develop and even create fake personas that are very detailed. This can allow you to make a phishing email that is much more convincing to the target, particularly if
you’re targeting a particular individual, such as the CEO of a company.

What’s more, even those who follow every reasonable security protocol and measure can, unwittingly, become a victim of the more sophisticated hacks. Increasingly, [malicious] software is being downloaded through perfectly legitimate websites via ad networks. [If a hacker] is able to compromise a content or software distribution network, malware could be injected into this such that users of a legitimate website would then be downloading malware through the network.’

React and respond – preparing for times of crisis

As the realities of new digital attack vectors and how to respond to them become increasingly evident for major corporates and their counsel, leading private practice practitioners from the WSG network share their insights and advice to help businesses prepare for the worst.

‘Ransom attacks, including larger supply chain-type attacks, continue to lead the headlines and pose a sophisticated threat to a business’s ability to operate or recover, now more than ever,’ says Batya Forsyth, partner at Hanson Bridgett and co-leader of the firm’s privacy, cybersecurity and information governance practice.

With cyberattacks increasing in frequency, severity and variety, the need for general counsel and their teams to be prepared to react and respond accordingly has fast become a business imperative, irrespective of company size or sector.

‘A response plan should set the expectations high for the organisation,’ says John Babione, a partner at Dinsmore & Shohl LLP.
‘Responding effectively to security incidents and potential data breaches should be emphasised as critical to the success, and in some cases survival, of the organisation.’

Exactly what a response plan looks like will be different for every organisation, with individual risk factors and tolerances both likely to heavily influence the final plan and procedures. However, the experts we spoke to agree on several common elements that featured in successful response plans.

‘A good security response plan sets forth a process that is easy to understand at all team levels – from general staff to general counsel – and functions well across a variety of attack scenarios,’ says Forsyth.

‘Most importantly, the plan must explain how the plan gets triggered, who makes that decision, who needs to know about that decision and the first next step for the team.’

Getting buy-in from the wider organisation and ensuring that everyone understands their individual roles in times of crisis were also seen as essential parts of successfully managing a response, with time often a critical but limited commodity in any attack scenario.
‘The plan should enlist all affected personnel as partners in a team effort in which everyone knows their daily efforts and diligence on the front line are valuable and needed,’ says Babione.

This engagement though, shouldn’t be limited to times of crisis says Babione, who instead advocates for an always-on approach to monitoring for threats and being prepared to respond – an approach that emphasises mitigation as much as it does preparedness.

‘To do this, the day-to-day IT environment, applications and tools must support and encourage employees to be watchdogs, looking for trouble and reporting it up the chain of command,’ he explains.

‘This engagement of the workforce and management as the hands and feet of the response plan turn the plan from a piece of paper into what it needs to be – the means by which the organisation can respond quickly to incidents to prevent them from turning into a data breach or other harmful cyberattack.’

This type of attack, say the cybersecurity experts interviewed for this report, has already been detected on some of the world’s largest website, often with little or no awareness among their users.

Adds Thuraisingham: ‘Ransomware spares no one. It could attack an 80-year-old great grandmother, a major financial company or even critical infrastructure. With that said, the more pain the attacker causes, the more publicity they get and the more money they can extort; sectors that allow them to cause maximum damage may therefore be more vulnerable. These will include major hospitals, government organisations and, especially, financial companies.’

Of course, cyber experts are aware that ransomware attacks are now big news, and that reporting biases undoubtedly skew toward them. Even so, says David Fidler, senior fellow for cybersecurity and global health at the Council on Foreign Relations, the underlying reality is that such incidents are on the rise. In fact, says Fidler, the true extent of the problem has probably been under-reported.

‘There has been an increase in ransomware attacks, and that increase has been felt across the entire corporate sector in North America and beyond. Beyond this, there is a large number of institutions – typically hospitals or
other bodies that hold large volumes of data – that have been victims of ransomware attacks without the public or media ever becoming aware of it. So the problem is growing and the scale of the problem is perhaps larger than one would imagine.’

The GCs who came in from the cold

From the perspective of the US government, ransomware is a clear and present danger. The increase in the size, sophistication and public awareness of these attacks, as well as their ability to damage critical infrastructure, puts general counsel on the fault line of what, for some organisations, will be the most important challenge of the coming months.

‘The connection between criminal ransomware attacks and how the United States government perceives our adversaries as providing havens for cyber criminals is key’, says Fiddler.

The government has already accused Russia and China of tacitly allowing cyber criminals targeting US companies to operate free of constraints. We’re seeing movement toward more offensive actions on the part of the US government aimed at cyber-criminal organisations based in potentially hostile territories because, clearly, our defences are not effective in preventing these attacks.

If the government does move in that direction, that is a much more dangerous context for businesses to be in, because we do not know cyber-criminal groups are going to respond. They could become even more sophisticated and try to test how much further we’re willing to escalate’.

The thought that corporations might unwittingly get caught in this cat-and-mouse game of testing and defending critical infrastructure is no longer an abstract item on the risk agenda. Even smaller companies that are not deemed essential parts of the US economy now face the prospect of becoming collateral damage in the tit-for-tat exchanges brought on by the escalation of opportunities for cyber attacks and the escalation of deterrence by punishment.

‘For GCs, understanding the potential threat is key’, adds Fidler. ‘Understanding what the threats are from this potential escalation on the part of the government may help persuade the C-suite of the need to make more investments in their own cyber defence.’

Of course, only a minority of companies will fall victim to the most serious of incidents, but indirectly almost every single organisation will end up paying the price, whether through increased demands on security and compliance or changes to their relationships with customers and commercial partners.

Insurance has long been one of the major tools used by corporates to mitigate their exposure to cyber risk, but as the number of cyber-related insurance pay-outs topping seven figures grows, policies are being hastily rewritten.

‘[Last year] was an unprecedented year for ransomware attacks and the payment of related insurance claims’, notes Lavonne Hopkins, senior managing legal director for security, resilience and digital at Dell. ‘As a result, the cybersecurity insurance market is hardening as insurers revaluate how to keep their cyber insurance offers profitable.

I have observed that insurers are focusing more on evaluating organisational cybersecurity maturity and preparedness when making coverage decisions and determining premiums and deductibles. We can only expect this trend to increase. Organisations should start to prepare for a future that potentially excludes ransomware coverage from cyber liability policies and requires self-insurance models.’

A worrying thought. And even those who can find suitable policies should not be complacent against the threat, says Thuraisingham.

‘Certain insurers are now offering specific products that cover the threat of ransomware attacks but relying on this can be extremely risky. To activate the coverage a company must first lose its data in a ransomware attack; only then will the insurer release funds to pay the ransom.

This is obviously not ideal, as the protection offered does not typically compensate for the reputational damage or staff costs associated with the incident. I would advise taking all the preventive measures you can before relying on insurance.’

The price of this sort of ‘kidnap insurance’ coverage is also likely to increase markedly as insurers keep a watchful eye on cybersecurity developments. A report issued recently by Hiscox, an Anglo-Bermudan insurance provider that specialises in niche categories of risk, noted insurers faced a 50% year-on-year increase in pay-outs for cyber-related policies, with ransomware attacks accounting for the biggest contributor to this growth.

Outsmarting the hackers

Even the most generous insurance policy can only be triggered once a cyber attack has taken place, by which time financial compensation alone may not be enough to repair the damage. For general counsel, the only real way to defend against risk is to go on the attack.

David Mace Roberts, general counsel of transport information systems provider Electronic Transaction Consultants (ETC), has been working to keep one step ahead of cyber attackers for many years. For Roberts, the most notable feature of a good cyber risk plan is that it looks unlike anything else on the market.

‘A lot of companies will pull up a one-size-fits-all cyber response plan, but that’s really not good enough. A bespoke cyber response plan needs to be custom crafted for both you and your industry.

Thuraisingham echoes Roberts’ comments. ‘Just as with health concerns, the best method is prevention. Protect all your systems, data and processes so that the attackers cannot gain access in the first place. Perhaps most important, companies that do not mandate backups and do not have extremely stringent security policies are most in danger. Do continuous backups of data and processes. I cannot emphasise proper backup procedures enough’.

Indeed, as Richard Forno notes, none of these measures are difficult to implement, but business has tended to ignore expert advice for too long.

‘The problem I see is that a lot of companies and governments of all sizes fail to do basic cybersecurity best practices, things that we in the industry and academia have been urging people to do for 20, 30, 40 years. This can be things as simple as having a really strong password or using multiple forms of authentication for critical or sensitive systems’.

The most important aspect of effective defence against a ransomware attack, however, comes with employee training. Human error is overwhelmingly likely to be the biggest weakness in a cybersecurity defence package, as well as the first thing a criminal group will look to exploit. To guard against this, says Roberts, the only option is to train relentlessly, ‘If you only train once a year then training loses its impact and offers minimal protection.’

Lavonne Hopkins of Dell agrees. ‘Unfortunately, ransomware most frequently originates from human error, and over half of ransomware victims suffer repeat attacks. Training and education are critical to ensure a comprehensive cyber preparedness strategy and prevent these ransomware attacks. Organisations should mandate cybersecurity training, including phishing training, for all employees and contractor. Employees are the first line of defence and need to be equipped with the knowledge to help prevent an attack’.

Before any of the above can take place, senior management needs to take the risk to business from cyber attack seriously. As Thuraisingham notes, it is all too common to encounter business leaders who consider cyber strategy as a matter for IT professionals.

‘When you’ve hired the best risk analysts and cyber teams money can buy it is very easy to conclude that you’ve done everything you can. This is fundamentally wrong. Businesses will always be vulnerable to these attacks, so there needs to be a constant awareness of just how serious the consequences can be.’

Unfortunately, awareness of cyber risk as among the c-suite seems to remain limited. Our survey of over 200 general and corporate counsel in North America revealed that while legal teams felt there was a very high risk of cybersecurity breaches to their organisations, fewer than half were actively involved in shaping cybersecurity risk planning.

For many organisations, it may come back to haunt them. As Roberts concludes, ‘If you are a senior member of a public company, you’d do well to look at the SEC, the NYSE and NASDAQ who are all really pushing cybersecurity. Do you want this on the front page of the Wall Street Journal or the Washington Post? Do you want to have to answer to the boards, or to the securities regulators? If not, then taking the risk seriously now is the best defence.’

The red pill: How legal teams are embracing the freedom to be replaced

In 1954, The Westinghouse Electric Corporation unveiled the world’s first colour TV. With a price-tag of $1,295 – or nearly $20,000 in today’s money – the H840CK15 was the type of luxury purchase that stood as a solid signifier of economic success.

‘I grew up in a world where lawyers were among the few middle-class professionals who could afford the latest technology’, comments one senior lawyer at a large multinational bank.

‘Now, we are among the few middle-class professionals that ignore technology. It’s a strange thing that so many lawyers have chosen to overlook the transformative power tech has had on the world of work, and I am part of a growing number of in-house professionals that seeks to address the oversight.’

To rephrase the problem – well-known in economics – why does the cost of technology consistently fall relative to the rate of inflation while the cost of services, encompassing everything from healthcare to education continues to rise?

The answer, in short, is that machines cannot (yet) do what humans do. What machines can do, however, are the things humans do not want to do. From this perspective, technology is not a threat but an opportunity. It allows lawyers to move higher up the value chain. And, let’s be honest, no one wants to be stuck doing low-level work.

‘Lawyers are afraid of technology taking their jobs’, comments Lisa Marcuzzi, general counsel and country counsel for ArcelorMittal Dofasco in Canada. ‘But I don’t know of a single lawyer that feels unhappy that they will have to give up reviewing NDAs or sales agreements. As far as I can see, technology will free lawyers to do the jobs they trained for.’

The wider in-house legal community in the US and Canada clearly agrees. While 90% of respondents felt that technology had disrupted the legal profession over the last five years, and nearly all (97%) felt it would do so over the next five years, over three quarters (76%) said this disruption was a positive outcome for the legal profession.

Far from fearing tech, in-house lawyers are waking up to the freedom it can grant them – 87% of those we surveyed said their wider teams were receptive to the use of technology, while 78% said their businesses were supportive of finding new ways to work.

This widespread optimism, many respondents pointed out, was based on direct experience of available technologies. ‘I spent many years reviewing and negotiating documents that were up to 100 pages long’, commented one general counsel in the finance sector. ‘Typically, 90% of that document would either be boilerplate or unnecessary. If I add up the time I have spent reviewing superfluous material and account for cost then it comes to a shocking level of waste.’

In short, corporate counsel are looking forward to the freedom tech will grant them, and few fear their jobs are at risk. As one respondent commented, ‘The idea that lawyers will be replaced is just not realistic. Imagine a Fortune 500 company dismissing its legal team and saying, “we’ll just rely on technology to do all this stuff.” It won’t happen – it would be insane.’

What will happen is a continuation of the trends that have been in play for several years. The in-house legal team will move closer to the time-critical or economically important aspects of the business, law firms will be brought in to help with the types of matters where it just doesn’t make economic sense to employ a team of internal specialists, and technology will be used to remove a lot of the work that was never strictly legal work in the first place.

Eleanor Lacey, head of legal and general counsel for work management platform Asana, comments: ‘In the knowledge sector, tech never works by replacing people. It works by augmenting people and freeing them up to work on higher-value matters.’

‘There is a great sense of freedom now that we as corporate legal teams can really solve a lot of the problems we have seen time and again by introducing often inexpensive tech fixes. It’s a great time to be working in the legal industry. Anyone who says otherwise is just not seeing the big picture.’

Moving up the value curve

What are the grounds for this optimism?

Let’s take the single most important item an in-house lawyer deals with – the contract. Lawyers deal with contracts. Lots of contracts. So too do their employers. As Chris Young, general counsel for digital contracting platform Ironclad, puts it, ‘At a basic level, all lawyers are contracts lawyers and all the businesses they serve are contracts businesses. It’s the most fundamental unit that commerce is based on.’

In this contract-driven world, the central hub for contract review runs through the legal department. When a business grows, how does its legal department choose to scale? Does it add bodies, or does it use technology to scale up and meet demand?

For the last several decades, the answer to that question would have been the former. General counsel had one demand above all else: more staff. As our survey of legal teams in the US and Canada shows, attitudes are changing, and the answer is increasingly likely to be “new ways of working”.

Central to the evolving skillset of the in-house counsel is getting comfortable with communication. Those we surveyed were clear: documentation can be automated, and any lawyer who is essentially reading a document aloud can be replaced at will. But that, many feel, is a good thing. The rise of legal tech means the in-house team can finally sound like the rest of the company.

‘We don’t need to tell business, “The documents say this”’, comments one respondent, senior counsel at a large US medical services provider. ‘Any literate person can see what the documents say. We’re guardians of nothing but the obvious if we tell them what they can read for themselves.

‘That’s great – being freed from routine tasks is not a case of lawyers being replaced. It’s a case of lawyers being able to use their skills for the benefit of business. We should embrace it. Lawyers have been trained to do some very sophisticated work, but large parts of the contracting process are not that work. If we can relegate that to a system or use technology to complete it then we are going to have a lot more time to do the work that is expected of business leaders. The days of pushing paper around may finally be over.’

Schrödinger’s Tech: Opening the box on law firms’ use of technology

Chris Young, general counsel for digital contracting platform Ironclad notes that ‘In-house teams used to ask their law firms about technology. Now it’s the reverse. GCs are encouraging their firms to adopt technology, and firms are hearing about the most useful software and tools from their customers.’

For many firms, this will come as unpleasant news. But there is an upside. As Young points out, ‘In-house lawyers will always need law firms, and the industry won’t be transformed by one side alone. The more forward-thinking law firms should see this moment of change as an opportunity to gain a competitive advantage and become a true strategic partner to their clients.’

Judging by the results of our survey, it is an opportunity many have failed to grasp. Under half (45%) of the more than 200 senior counsel we polled for this report said their firms were using technology to deliver legal services and solutions, while a similar number (41%) were unsure how their external firms were resourcing matters.

As one respondent noted, ‘Knowing what goes on at a lot of firms is a game of Schrödinger’s Cat. They may be using some pretty sophisticated software to bulk process our matters, but they are unlikely to tell us about it unless we push them.’

This lack of transparency was widely cited as a source of frustration. Indeed, nearly three quarters (74%) of those we spoke to said they were not satisfied with their firms when it came to technology.

Law firms should take note: 88% of legal teams said it was important that their law firms kept up with developments in technology, with 32% saying it was crucial for them to do so.

We should not place the blame entirely on law firms here. In-house lawyers may complain that their firms behind the curve, but fewer than half (44%) are asking about their external advisers’ use of technology when undertaking
panel reviews.

With so many GCs either unsure of or dissatisfied with their firms’ use of technology, it is no surprise to see that few are looking to them as a source of inspiration. Just over a third of respondents (38%) said they now looked to their firms for guidance when it came to finding or implementing legal technologies, while under a quarter (23%) reported having been advised by their firms on the use of specialist legal technology. Only 21% of respondents said their firms had offered to share technology with them.

This, for some GCs, has been a dealbreaker. ‘One of the factors that motivated me to change firms was the lack of use of technology by my old external firm’, comments the general counsel of a large commodities business.

Of course, the technology used by law firms is often very different to the technology needed by corporate legal teams. Firms tend to operate in scales and volumes that are far beyond the requirements of their clients, making tech transfer a far from simple matter.

Even so, it may trouble those in private practice to know that legal teams are beginning to look for solutions elsewhere. Almost half (47%) of those surveyed said use of technology within the legal team had already impacted their relationships with external firms.

The good news? Law firms that take a proactive approach are winning clients. As Michael Shour, general counsel and secretary of Banyan Software, concludes:

‘If a firm is wise to the implementation of appropriate technology solutions, it can allow them to complete tasks more efficiently and cost-effectively. When I see a firm doing things like this, I can’t help but appreciate that they are driving efficiently for their clients and am impressed that they are on top of things – and that can only be a good thing for business.’

Risk, Litigation and GC Evolution Report 2021

Following on from our highly informative Risk and Litigation Report 2019, GC has partnered with Freeths once more to gather the opinions of over 100 general and senior counsel across the UK and Europe, to see how their approach to risk and litigation management has changed over a period that has tested even the most accomplished legal leaders. While undoubtedly a challenge, the Covid-19 pandemic also gave in-house counsel the chance to show their businesses just how useful they can be in a crisis; we also took the opportunity to examine how true this was, and how far the general counsel role has grown over recent months in response. Finally, our survey asked how legal teams felt they dealt with the lockdowns and subsequent shift to remote working.

Download and read the report offline.

James Hartley

This partnership project with GC magazine is a valuable opportunity for Freeths to engage with senior in-house legal colleagues and to pool the latest thinking on how best to create value, in the face of ever increasing litigation and regulatory risks.

We’re fascinated to see this survey data, which aligns with what we’re seeing through our risk advisory work. We see more businesses focusing on preparing for unforeseen, high impact, strategic risks, which have the potential to materially disrupt the business. On the positive side, this data also highlights an increasing awareness that the more sophisticated approaches to legal risk management are starting to emerge as factors which have the potential to enhance business value and give a competitive edge. Undoubtedly, the pandemic and Brexit have played their part in this heightened risk awareness.

There are plenty of theories on how GCs can convert risk into opportunity and create value for the business – but how are GCs actually achieving these things in the real, commercial world?

This survey data, webinar, and the roundtable discussions that will follow, should give us all a fascinating insight into how successful GCs are in achieving results, despite the risks and pressures.

Working with GCs to convert that insight into proactive risk management strategies is something we excel at here at Freeths.

James Hartley, Partner and National Head of Dispute Resolution

(Hartley is recognised as a leading individual by The Legal 500 in the fields of commercial litigation and dispute resolution. He uses his litigation experience to help clients undertake and implement complex risk management strategies, most notably in the recent successful claim against the Post Office.)

Download the report

Risk & Litigation Management

Risk and litigation management has become an essential skill for GCs. Boards are increasingly focused on preempting and minimising disputes and, as one respondent put it, ‘the responsible management of regulatory and compliance risks is a genuine competitive advantage that our management is acutely aware of’. Given the fact that the business landscape has changed so radically since the previous report, and that management varies across firms in different jurisdictions, GC took a fresh look at how general counsel now tend to deal with risk and litigation.

Our survey demonstrates just how important risk and litigation management strategies have become to corporate legal teams; all respondents said litigation risks and transactional risks, including contracts and projects, were part of their overall responsibilities. But the legal support they provide does not extend into other business areas, and GCs are not always aligned with their boards when it comes to the definition of risk. While only a third of respondents said that environment, social and governance (ESG) and corporate social responsibility (CSR) were part of their main responsibilities, all agreed that these areas are increasingly important business value metrics with an associated risk profile that in-house counsel are well-placed to manage.

Have the remarkable circumstances of the past 18 months given the impetus needed for a radical shake-up of how GCs are approaching their risk and litigation management, or is it business as usual? Based on the results of our survey, the latter is a more accurate statement; 60% of respondents stated that the events of the pandemic have not changed the order in which they prioritise the risks to the business. Of the remaining 40%, quite a number said their risk and litigation management has led to rigorous cost/benefit analysis in order to keep costs low; for example, one GC stated that the ‘challenging economic period requires us to now analyse, in detail, every single opportunity to save money’. Others pointed to changes such as placing greater emphasis on risks related to the pandemic, for instance prioritising the well-being of customers and colleagues.

While in-house legal departments are happy to manage risk internally, and in the main feel competent to do so, almost half of the respondents said they would benefit from external law firms providing more sophisticated and bespoke litigation risk advisory services as well as, if it was offered, dedicated financial cost/benefit analysis. For legal services providers who take pride in their risk advisory services, this may indicate an opportunity.

It also suggests that respondents are aware that improvements can be made in their corporate risk management, and the survey offers some insight into where these improvements can be made. 28% of respondents stated that they are reactive rather than proactive in terms of their risk management, while others were concerned that the many moving parts of their organisations are not working as one; 16% reported their risk management response to be wholly un-holistic in its approach.

Freeths Comment

‘We’re certainly seeing within our Dispute Advisory practice a growing awareness among corporates that decisions around litigation and regulatory situations need to be viewed as investment decisions – requiring cost/benefit analysis, and outcome scenario planning, that can be presented clearly and decisively to boards’. – James Hartley, Head of Dispute Resolution, Freeths

Creating Value

General counsel are now more likely than ever before to view their risk and litigation work in business terms and are expert at explaining this to other stakeholders within the business. As one GC eloquently put it, ‘Taking a sensible approach to risk, and having a mitigation strategy, enables the business to also take on appropriate risk, which can generate returns. All businesses take on a degree of risk and the key is finding the right balance to optimise these opportunities in order to not lose out to competitors’.

Other GCs agreed, with many focusing on how the ability to assess the merits and demerits of a case in its early stages allows for a cheaper resolution. As another GC stated, ‘from a cost perspective, gaining an early view of potential risks allows commercial decisions to be made well before expenses are incurred’. Others mentioned that being able to predict – somewhat – the cost that a case might incur as being a major boon to business-legal team relations, as the corporate side often appreciate being given a ball-park figure to be able to base their strategy around. Others still mentioned the importance of being able to avoid adverse consequences like claims and fines, and how effective mitigation efforts can also improve their company’s knowledge of the legal landscape and contribute to the good reputation of the company.

We asked respondents to score four metrics out of ten for how far they allowed them to demonstrate positive contribution to the growth and value of their business: enhancing the legal and regulatory risk profile of the business; horizon-scanning to predict and neutralise legal and regulatory risks to growth and profitability; quantifiable financial savings achieved through proactive, decisive and strategic resolution of issues and obstacles; and generating cash through the monetisation of meritorious claims or litigation by deploying external litigation funding solutions. This, also, demonstrates that general counsel still see their main contribution to the business’ bottom line to be as cost-avoiders rather than revenue-makers themselves. ‘Generating cash through the monetisation of meritorious claims or litigation by deploying external litigation funding solutions’ achieved far and away the lowest average score out of ten: 3.3. The other options, ‘legal and regulatory risk profile enhancement’, ‘horizon-scanning’ and ‘proactive, decisive and strategic resolution of issues’ received generally high average scores; 7.9, 7.3 and 7.1 respectively.

So much for the theoretical side, but how have in-house counsel actually been performing when it comes to avoiding risks before they develop? On the evidence of GC’s survey, one positive conclusion that can be made is that the in-house teams that have managed risk in a conscientious and responsible way over the last 18 months have been noticed and supported by their companies; more than half of respondents said that the pandemic has not impacted how adequately resourced their teams are. In a similar vein, 62% of respondents have not considered financing options to improve their litigation and regulatory risk management.

From Risk to Opportunity

Sixteen months after the order to work from home where possible, many of us have forgotten just how profound a shift in working practices it has been. But it is worth considering whether the changing approach to risk management within legal teams is part of a broader ‘post-pandemic’ shift in the way businesses are looking to safeguard long term stability. Intuitively, it seems that general counsel, given their risk management expertise and the analytical skills given to them by their legal training, could have been seen as ideal personnel to lean on for companies under the circumstances. The data appears to bear this out; almost half of respondents stated their greatest challenge of the past 12 months was increased responsibility, while only 15% answered that their role has not appreciably changed. This trend remained approximately the same across legal teams of vastly different sizes, indicating that general counsel at companies of all sizes have been relied on to fight fires for their companies in their hours of need. That they have been fighting fires is evidenced in the report as well; roughly four fifths of respondents reported they have been involved in litigation or regulatory activity over the past year.

But how exactly have in-house counsel seen their risk management and prevention responsibilities grow over the past year? A shade under half of those surveyed noted the greatest change in their responsibilities as an increased emphasis on unforeseeable or unpredictable risks; undoubtedly the Covid pandemic has shaken the business world into taking such threats more seriously. Interestingly ‘increased time with the board or taking on a board position’ was the second most popular way in which respondents have seen their responsibilities increase. Clearly, a significant minority of in-house counsel have raised their profile within their companies who have trusted them to safeguard them in a difficult business environment.

Those that weren’t afforded this increased level of face-to-face time with the board probably feel as though they should have been. An overwhelming majority of respondents, 93%, believe they work best as a combination businessperson and lawyer rather than as a lawyer first and foremost. With that said, most benefit from something of a separation of power with the board; 57% believe they work better as an independent advisor at arms-length rather than a fully-fledged member of the board.

Freeths Comment

‘In my experience, lawyers who are seen by boards as those who “grasp the nettle” in difficult litigation and regulatory situations, and who shape a strategy so as to gain some control, are the ones who are seen as highly valuable in the business – this applies to both internal and external legal teams’. – James Hartley, Head of Dispute Resolution, Freeths

Lessons Learned

The Covid-19 pandemic was an unprecedented business challenge that came at a time when uncertainty already gripped a UK business scene which was trying to get its head around the ramifications of leaving the European Union. That these should have changed the way in-house counsel operate seems elementary, but what have they meant in terms of how much legal work is outsourced vs kept in-house? Legal providers can take heart from the fact that results were even; half of respondents to GC said they would send a greater proportion of their legal work externally while the remainder said they would grow their in-house team in response. There is an interesting caveat to this, though; larger companies are far more likely to be relying on their in-house teams going forward. Of respondents with the largest in-house legal teams comprising over 25 members, two thirds reported they will be growing their in-house legal team as opposed to sending more work to firms. The thinking behind this tends to be based on cost. As one respondent put it, ‘While decisions will always be taken depending on work type, carrying out more work in-house generally tends to be more cost effective’.

Away from the nuts and bolts of specifically legal concerns, the day-to-day life of the average general counsel has changed markedly over the course of the pandemic and subsequent lockdowns. For most, the greatest change of all has been the need to work remotely for long periods. While there are perks to working from home, for example a decrease in commuting, greater flexibility and a better work and life balance, it does come with issues. The lack of face-to-face conversations and the drop in productivity some feel comes with not being supervised are perhaps chief among these. How do in-house lawyers feel the move to remote working has been, then? As it turns out, only roughly one in ten respondents reported a decrease in productivity when working away from the office. While this tenth of respondents may be facing obstacles in home working, such as an increase in distractions or lacking a good working environment, this does seem to be a resounding endorsement for remote working. Working from home does not appear to be hindering productivity noticeably, which more than explains why some employers are looking at making this a permanent change in the future.

The Covid pandemic and subsequent lockdowns were – hopefully – a once-in-a-lifetime business challenge that caught the vast majority of general counsel off-guard. How does the average general counsel feel they met the challenge? To find out, GC’s survey also asked the million-dollar question: would they have done anything differently about their strategy during the lockdown period if they were able to have the time over? Several responses focused on measures such as moving earlier, acting more proactively and being more conscious of how the pandemic would impact the demands of work. For example, as one GC put it, ‘[we would have] sped up getting the technology in place to permit home working at the beginning of the crisis’. Likewise, another stated ‘Planning for negotiating agreements with landlords on rent levels and review of office use’. In the main, though, respondents were pleased with how they handled the situation, and proud of how their teams rose to the challenge. ‘We identified the seriousness of the problem early’, recalls one GC, ‘and sent our employees into home working before companies were asked to do so by government. We even saw a boost in productivity soon after home working, and, now, we’re ready for the return to the office’.

Freeths Comment

‘Recalibrating resilience plans in light of the events over the last two years is now high on the corporate agenda, with more focus now on identifying and evaluating major shocks – including litigation and regulation – which might disrupt strategic objectives.’ – James Hartley, Head of Dispute Resolution, Freeths

LExOpensource: practical solutions for GCs by GCs

It is no secret, this year has been particularly challenging for general counsel the world round. Economic instability coupled with lockdowns and movement restrictions have hampered businesses, slowed trade, impacted production, and disrupted supply chains.

The Legal 500 in partnership with LEx360, is proud to announce “LExOpensource: practical solutions for GCs by GCs”, a series of interactive workshops that will equip general counsel and the teams they manage with the skills to confidently take on challenges within a post-pandemic world.

During times of uncertainty, corporate boards and management teams rely on their legal departments for guidance. GCs are expected to not only be legal advisors but also strategic business partners to the companies they guide. Over six sessions we will focus on the business of law from a thought leadership perspective.

We will evaluate key topics such as:

  • strategic planning
  • financial management
  • vendor management
  • data analysis
  • technology procurement and implementation

No subject is out of bounds as all in attendance will adhere to Chatham House rules. Our first session will cover ‘The right people, doing the right work.’ GCs today bring more to the table than just their legal expertise and knowing how to delegate and manage a team is pivotal to meeting business goals.

If you are a GC or part of a corporate in-house team, you cannot afford not to be part of the discussion. “LExOpensource: practical solutions for GCs by GCs” provides the exclusive opportunity for you to connect with other leading in-house professionals in a safe and interactive environment.

Become part of the discussion, by registering to our workshop here.

Moving the needle on progress

In no uncertain terms, 2020 has truly been a year of reckoning for the US: Donald Trump is vying for a second term in the White House. Tragic killings of black civilians at the hands of white law enforcement provoke widespread outrage and demands to ‘defund the police’. A deadly global pandemic is ruining lives and upending the economy, and the President suggests intravenous disinfectant may be the cure.

As the year’s events exceed even the sharpest satire, and with the country at its most divided in living memory, to the average onlooker it may appear impossible to envision anyone making inroads to promote tolerance, mutual respect, diversity or inclusion. On the contrary, such widespread discontent has compelled individuals and companies alike to double down on their commitment to equality, take pause to examine their attitudes to race, to gender, and to any traditionally ‘othered’ group in society, and ultimately to take bold and meaningful actions to combat injustice.

The legal industry has been no exception to this call for action, as diversity and inclusion has shifted from a mere extra-curricular endeavour to an unquestionable expectation from colleagues, business leaders, and clients alike. As the last few years have seen the juncture of corporate strategy and social justice go mainstream, is corporate America entering a new era of social consciousness that is meaningful beyond profit and loss? And, if so, how are legal departments playing their part and taking action?

In a series of exclusive interviews, the legal thought-leaders spearheading D&I in the US speak to GC about the new initiatives shaking up the industry, the value of a diverse team, and how minority GCs who’ve paved the way are inspiring the diverse talent of today.

“If everyone is moving forward together, then success takes care of itself.” The timeless words of Henry Ford ring as true today as they did a century ago, a timely reminder that progress is a necessarily collective endeavour.
Indeed, collaboration is the modus operandi of Diversity Lab, the undisputed stalwart and main facilitator of D&I initiatives in the US legal field. As its name suggests, Diversity Lab takes a science-based approach to monitoring and enhancing D&I through the use of metrics, behavioural data, and design-thinking. New initiatives are formulated in ‘hackathons’, with the best ideas then piloted in law firms and legal departments across the country. In the US, D&I has not been approached in such an analytic fashion before; it is this cutting-edge strategy, coupled with a culture of teamwork and collective success, that has law firms and in-house departments flocking to work with the group.

Through a roster of joint initiatives and partnerships, Diversity Lab’s programmes cut across conventional competitive boundaries, ensuring that no matter what path aspiring lawyers take, they will be supported, encouraged, and accepted throughout. Drawing on the success of programmes like the Mansfield Rule (now available to in-house departments from last Summer) and the On-Ramp Fellowship, Move The Needle is Diversity Lab’s latest project.

“It’s our pull-all-the levers, let’s-see-if-we-can-really-make-a-change programme,” says Leila Hock, Diversity Lab’s director of legal department partnerships. “The idea for Move The Needle came about when we were all talking about every struggle that a diverse lawyer has, starting from law school up until maybe they’re managing partner – what are all the struggles and feelings they’re going through? We can’t solve this problem by focusing on one part of the career path or pipeline; they really all work together.”
Hoping to drive progress across the career spectrum, five of the country’s top law firms have invested $5 million to fund experimental approaches to D&I over the next five years. MTN’s 28 founding general counsel will also work with these firms, while also piloting these new initiatives within their own legal departments and with external counsel.

“We found five brave, trailblazing firms that were willing to work with us to pull all the levers across different areas, look at their practice groups individually, and see what, from a talent perspective, each group needed to retain and attract diverse lawyers,” explains Hock. “We’re working very closely with them to implement all of our pilots. They’re our ‘lab’ right now to test a lot of our new initiatives, report back and see how they work and make adjustments. Our strong hope is that much of what we implement with them will work and help them achieve their goals, and we’ll then be able to disseminate them more broadly into the legal market.”

Many hands make D&I work

For many of MTN’s founding GCs, the biggest draw is its uniquely experimental nature which fosters innovation in a way that many firms or in-house departments couldn’t – or wouldn’t – do alone, especially when it comes to financing. “One of the things that attracted me to Move The Needle is that it focuses on the relationship between the client – being me, the in-house lawyer – and the law firm. I think that’s a tremendous area of opportunity,” says Laura Quatela, Senior VP and CLO at Lenovo and MTN founding GC. “I’m sure some ideas will work, others will be utter failures, but the law firms, to their everlasting credit, have committed big bucks to fund this experimentation over the next several years. That’s really what was needed, because we have tight budgets, law firms have profitability targets, so I think the funding was necessary and will hopefully help us, in fact, move the needle.”

Hock agrees: “My guess is the talent leads or D&I leads within Move The Needle firms feel like they have a lot more leeway to do their job. Not only do they have the money that they’ve committed, they also have us at Diversity Lab and the entire team helping them achieve their goals, but they also have each other. One of the big pillars of the Move The Needle fund is collaboration in a way that collaboration in the legal industry hasn’t happened before, which is across firms. They’re talking and brainstorming with, technically, their competitors, and I think we’re seeing a lot of growth and learning from that, for sure.”

So, with the knowledgeable support of Diversity Lab, the backing of legal leaders at firms and in-house, and a much-needed cash injection, what has MTN been able to achieve so far? “We’re at the point now where we’re whittling down the ideas to some initiatives that we all want to line up behind,” explains Quatela. “One of the things we’ve talked about doing is a combined law firm/in-house summer programme, where interns or clerks have the opportunity to experience both early in their training. They can start to make the important decisions, like, where do I really want to end up? Which of these backdrops will cater to my own personal objectives?

“Through MTN, I’m personally trying to focus on the ‘off-ramp’. Both law firms and in-house experience this off-ramp of particularly women and underrepresented minorities who, when they get to year five or six, when they could really start to be positioned for leadership, and they leave. Why is that? It happens with such regularity in the legal profession. What are we not doing for these folks? Part of it, I think, is belonging, creating an inclusive culture, but what else is there? How can we incentivise people to stay off the exit ramp? For me, Move The Needle will give us an opportunity to try some things in that regard, that will hopefully make a difference.”

Another way MTN has sought to enhance progression opportunities for diverse attorneys is through piloting a mentoring programme between high-potential associates and GCs. “We’re mentoring them to understand what works well in a pitch, what doesn’t work well, how can we get more engaged on certain matters, inviting them to meet with my direct reports so we can talk about the issues that we face, and whether or not there are opportunities for that person’s firm to get engaged,” explains Rishi Varma, founding GC from HP Enterprise. “It starts creating a connection that results in an engagement, and results in origination credit. That diverse attorney at that law firm is then viewed as somebody who will carry that client forward, and hopefully as they become a partner, a senior partner, a managing partner, they carry that forward. We think about metrics from a diversity perspective, but it’s important to recognise the different obstacles beneath those metrics.”

He who pays the piper calls the tune

As figures from the ACC show that corporate legal departments spent an average of $9.7 million on outside counsel in 2018, the purchasing power that US in-house departments can wield in the name of D&I is significant. Diversity Lab and the Move The Needle GCs have been quick to realise this fact, which is particularly salient when contracting external counsel.

For fellow founding GCs, U.S Bancorp’s Jim Chosy and Hannah Gordon of the San Francisco 49ers, Move The Needle has provided opportunities to open dialogue on D&I with external counsel, ensuring that diversity metrics are front and centre when deciding which firms to contract. “In-house legal departments have big role to play in positively influencing diversity with outside counsel,” says Chosy. “Given our purchasing power, we’re able to drive change and I feel an obligation to do this with our law firms, which we consider an extension of our own in-house function. We do this in several ways, including as I’ve mentioned with the Mansfield Rule, the Move the Needle Fund, and our Spotlight on Talent program. We also request and measure diversity data from our law firms to help drive hiring decisions, and last year presented our first U.S. Bank “Invested in Diversity” award, in recognition of firms’ efforts and success with diversity.”

“Move The Needle is a helpful tool for all of us who would like to ensure that we are acting really responsibly in the way that we seek and select outside counsel,” says Gordon. “We’ve had conversations with existing counsel about the importance of diversity to us, and I think the positive we’re seeing out of that is that outside counsel does listen, and does pay attention to how they staff your cases. I think there’s two things that all of us are looking at when it comes to this issue. One is, what are the overall demographics and statistics of a firm? Then secondly, who is actually the staff on your particular matter? Both of those are important.”

Varma is also acutely aware of GCs’ pivotal role in reading deeper into diversity statistics. “One of the reasons I became a founding member of Move The Needle as a general counsel was, it’s my problem. I’m the one who’s hiring outside counsel, so it’s important to recognise that there are many obstacles to improving that diversity, starting with how people get credit and how people move through the ranks of those law firms. You cannot just look at the numbers at the firm, or the numbers on my matter – you have to look at the quality of the representation you get. If I had a firm working on a matter, and I saw consistently that they had about 10 to 15% of the representation that was diverse, that could be good, or they could have somebody who is diverse at the very top level, but the people doing a significant majority of the work are not as diverse.”

Far from a trite marketing exercise, research from Deloitte confirms that companies who can unlock the collective potential of diverse teams can expect to see innovation increase by around 20%, with risk falling by 30%. Simply hiring a diverse array of people, however, is not enough to achieve these results: while diversity is the bricks that build a team, inclusion is the mortar that bonds teams and ensures members feel a sense of authentic belonging.

Moving the goal posts

Plans to mitigate sources of investigatory risk and respond when an investigation does occur must change according to the risk profile of the business. Between novel technologies, evolving sensibilities and seismic shifts within industry, regulators and investigatory bodies are changing focus regularly. So too are business attitudes toward risk changing.

Generally speaking, when asked how the risk profile of their business has changed over the past five years, 53% of in-house counsel said it had at least somewhat increased. When asked to look ahead at the next five years, 26% felt that the risk profile of their business would significantly increase over the next five years, with 61% feeling that there would be at least a slight increase in their business’ risk profile.

When looking at changing risk profiles, data breaches are a good example: it wasn’t so long ago that the range of companies that rely on the collection and use of data was limited. Now, data has pervaded nearly every aspect of commerce. Retail stores that may historically have collected very little personal data now capture all manner of information at the point of sale for loyalty programmes, not to mention the continued recission of relatively anonymous brick-and-mortar buying in favour of online shopping.

To go back further, increasingly globalised markets and supply chains have largely informed recent interest in modern slavery. Modern slavery regimes set an expectation that companies must not hide behind the strongest link in the compliance chain, instead being held accountable for the weakest link: a company in the United Kingdom may be perfectly above-board in a foreign jurisdiction, but regulators now hold those companies to the standard of UK law for their actions in jurisdictions further up the supply chain, where protections against abuse and exploitation are not as strong.

Reading the room

GC surveyed top in-house counsel from across the world, asking participants to rate their organisation’s current risk levels on a scale of 1 to 5, 1 being the lowest risk, and 5 the highest. The responses were broken up into the following categories:

  • Accounting fraud
  • Antitrust/price-fixing
  • Bribery and corruption
  • Compliance/due diligence
  • Cybersecurity and data privacy
  • Environmental regulatory
  • Money laundering
  • Sanctions evasion
  • Securities/commodities fraud
  • Tax evasion
  • Trade/foreign investment violations

Cybersecurity and data privacy risks were rated as the highest concern by survey respondents, both in terms of the risk they currently pose to businesses and how that risk was expected to change in the next five years. Cybersecurity and data privacy risks were rated at an average of 4.48/5 currently, which ballooned to 4.75 when respondents were asked to look ahead at the next five years.

Compliance and due diligence are also top of GCs’ minds – both when speaking about their organisation’s current level of risk and when looking ahead to how this might change over the next five years – coming in at an average rating of 4.27 with an expected increase of 0.22 to 4.49 in the next five years.

 

On average, nearly every category is expected to become more risky over the next five years. Bribery and corruption risks polled the biggest jump, increasing by 0.32 points on the survey’s five-point scale.

Risking it online

With cybersecurity and data privacy almost unanimously rated as the most pressing risks for GCs both currently and in the coming years, many of the in-house counsel surveyed and interviewed for this report had much to say on the subject.

‘Cyber threats form one of the biggest security risks of the 21st century,’ said Ritankar Sahu, general counsel and head of compliance for the Maxpower Group, operating throughout Southeast Asia and the Middle East.

‘Most Fortune 500 companies have been victims to some form of cyberattack leading to economic damage ranging from a few thousand to a few billion dollars. Cyber-attacks have increased dramatically in the last few months amidst the pandemic.’

Until relatively recently, it might have made sense to talk about cybersecurity and data privacy in terms of specific sectors, but the adoption of mobile platforms and cloud services – be they for internal operations, customer interactions, or both – has made cybersecurity everybody’s problem. In fact, the sector in which a given survey respondent is working had virtually no impact on their perception of cybersecurity and data privacy as a risk: GCs working for manufacturing companies were just as worried as those working for healthcare providers.

This is something that Seshani Bala, general counsel at Chartered Accountants of Australia and New Zealand, has seen personally.

‘Another big challenge is that we are trying to give customers and members a personalised experience, and to make data-driven decisions as a business,’ says Bala.

‘So, we are collecting more data to focus on that personalised, segmented experience. That increases the potential privacy risks in the event of a data breach. The penalties are very high under GDPR and Australian law. We are now seeing other countries move to a mandatory notification system that is in line with GDPR standards, and this poses greater pressure on organisations to make sure they have robust policies and procedures to quickly comply with those notification requirements.’

‘With the rapid development of online services, the risks associated with data storage and cybersecurity will develop,’ agrees Roman Kuznetsov, legal manager at WILO RUS.

Bala has worked closely with stakeholders in the wider business to make sure data protection policies are both clearly understood and rigorously enforced.

‘Once we have made sense of that, we can then drive processes and controls to reduce risk in that space. We partner very closely with our IT team. I think that has probably been the biggest change I have seen the last 12 to 24 months. I think Legal and IT need to be best of friends in-house, and you really need an integrated approach to effectively manage risk in that space.’

‘Before moving to a digital solution, I think it is really key to understand how each platform stores, secures and moves data. Mapping out that data flow process and understanding the data risks and data journey, as well as how it integrates with other platforms or plug-ins in other locations is important. It’s a given that digital solutions need to comply with applicable privacy laws but legal technology solutions also need to appropriately protect legal privilege, corporate record holding, and in-house destruction and recovery policies.’

Modern working

While the large difference between current risk and expected risk over the next five years is undoubtedly a reflection of an increasingly data-driven world, the effects of the COVID-19 pandemic will certainly also be playing a role. With home working becoming near-ubiquitous over the past few months, the volume of data being transmitted – either from workstation to workstation, colleague to colleague or business to customer (and vice versa) – is at an all-time high. This, too, means that the scope for bad actors to gain access to confidential data is also higher than ever.

‘The effects of the pandemic, and the current situation the world is in, pose several challenges for us in terms of rearranging our fraud agenda,’ says Gustavo Sáchica, chief legal and compliance officer at Allianz in Colombia.

‘In-house legal counsel need to anticipate the possibilities of fraud under pandemic circumstances. At Allianz, we have measured and stressed our risk tests in order to consider as many possibilities as possible.’

‘Due to Covid-19, increased working from home has resulted in a rise of remotely-accessed work platforms and digital ecosystems,’ says Sahu.

‘Enterprises still have lots to do before they can claim that they are breach-proof.’

‘This has made us highly dependent on technology which in turn has exposed us to more sophisticated cyber threats. For MAXpower, this has not been much different. Our fleet of gas engines are spread across remote sites in South Asia, and given applicable travel restrictions, we have had to rely extensively on our cloud based technology platform which lets us track ‘live’ operating performance, profitability and emissions from a centralised asset dashboard. The technology also lets us engage in predictive analytics and gives us valuable fleet-level insights.’

‘From a risk management perspective, I think the industry view is that enterprises still have lots to do before they can claim that they are breach-proof. MAXpower’s exposure is no less than other similarly placed power producers in the market.’

‘We constantly strive to make our systems less vulnerable to digital threats. As general counsel, I recognise that we are not breach-proof and regularly engage in conversations with our operations folks trying to gauge whether we are doing enough.’

For some in-house counsel worried about what the future might hold for their cybersecurity efforts, the risk is already eventuating.

‘We have also seen our mail servers being the victim of ransomware attacks and we have had to strengthen our firewalls,’ explains Sahu. ‘In the months to come, I am certain that companies will allocate more budget and resources to address cybersecurity risks, and I do see a rise in procurement of cybersecurity insurance coverage.’

Regulators

The interaction between the regulators’ attitudes to risk and the reality on the ground for in-house counsel is complicated. In some instances, regulators are leading the charge by focusing on an area of concern and proactively shoring up the relevant protections, or cracking down on non-compliant entities. On the other hand, regulators may have fallen behind the in-house community in how they approach these areas of concern. In this way, regulators can make a company’s compliance journey both easier and more difficult.

‘Increased oversight by regulators is reshaping the way we approach risk.’

Khaled Shivji, chief legal officer at the UAE’s Moro Hub, highlights this point. ‘In order to reduce the regulatory cost of compliance, we would be grateful to see more proactive guidance from regulators and prosecutors about the kinds of risks they believe are rated by the national and state governments as risks that, if not tackled, will diminish the country’s overall international rankings concerning white-collar crime.’

‘Increased oversight by regulators is reshaping the way we approach risk,’ agrees Armando Cruz, director at KPMG in Mexico.

And as with everything, this dynamic between regulators and the market is being redefined by COVID-19, according to Maria Alvear, general counsel at Chile’s GASVALPO.

‘In my view, the whole landscape will change after COVID-19 crisis lowers its impact. It will probably remain within us for a while and that encourages us to change our old ways of working and doing business, including regulatory risk management.

‘Regulatory risk management has been very challenging during these months, with several regulations being issued due to COVID, so it’s hard to keep up-to-date and perform accordingly. I guess this uncertainty that we are facing will remain; sticking to regulatory compliance will become more important than it is today to avoid a situation where lack of control and uncertainty give space for corruption to enter the business.’

Foreword: Latham & Watkins LLP

For companies and their general counsel – as with the rest of the world, generally – 2020 presented unique challenges. As we move through 2021, organisations of all sizes and across all industries face unprecedented forms of scrutiny, liability, and potential “bet-the-company” penalties for misconduct by US and other international regulators.

In response to the COVID-19 pandemic, governments worldwide have distributed significant amounts of emergency relief funds to help manage the pandemic and mitigate its impact on individuals and businesses. Over the course of the last year, the United States, for example, has passed the largest spending measures ever enacted, providing more than five trillion dollars in aid through multiple stimulus bills and more is being proposed. Those relief funds include oversight mechanisms based upon TARP that seek to combat potential fraud, waste, and abuse on behalf of fund recipients, paving new avenues for regulatory scrutiny.

In June 2020, the US Department of Justice (DOJ) issued updates to its Evaluation of Corporate Compliance Programs as part of its overall framework that prosecutors should consider in conducting corporate investigations. That framework will apply to COVID-related investigations. It also provides insight for GCs of corporations seeking to develop and implement a best-in-class compliance program. Among its recommendations, the guidance encourages companies to leverage technology and engage with compliance data real-time – a clear signal to businesses of the importance of data management and security in building a robust compliance program.

Additionally, although robust white collar enforcement has continued in a number of areas over the past four years, the 2020 US Presidential election will usher in a new administration that will likely adjust its regulatory and enforcement priorities on several fronts. With new leadership, financial regulators – including the DOJ and US Securities and Exchange Commission – are poised to take more aggressive stances to combat alleged corporate wrongdoing.

It is no surprise, therefore, that global general counsel are expressing heightened concern over these new and emerging challenges. To gain more direct insight into these issues, Latham & Watkins is delighted to partner with GC Magazine and The Legal 500 in their inaugural “Under Investigation: A GC Guide to White Collar and Sanctions Trends in 2021” to ask GCs about their top regulatory challenges. The following responses offer a snapshot into the concerns and risks GCs around the world have identified as top-of-mind in this evolving regulatory climate.

Douglas Greenburg
Benjamin Naftalis
Nathan Seltzer

Global Chairs, White Collar Defense & Investigations, Latham & Watkins LLP