Bob Jett, chief privacy officer at Crawford & Company notes ‘People used to joke that when a GC hears of a cyber attack or data breach they breathe a sigh of relief and say, “Thank God, that one falls to the IT team”. Today that joke wouldn’t make sense. No serious corporate legal professional thinks cyber and data risks are off their radar.’
Britton Guerrina, deputy global general counsel for technology and shared services with Deloitte Touche Tohmatsu Limited, echoes this view. ‘Cyber and data protection are increasingly important and should be top of mind for any legal team. The legal and regulatory risks in these areas have increased and continue to do so, with countries introducing increasing regulatory requirements, many of which are contradictory.’
Corporate counsel may be increasingly aware of the dangers posed to their organisations from cyber attacks, but the results to our survey of over 200 senior counsel across the US and Canada suggest their organisations take a very different view.
While 91% of legal teams were aware of their organisations’ cybersecurity efforts, only 18% said they were heavily involved in these efforts. In fact, an alarmingly high number of teams (39%) were not involved at all, while nearly two thirds (63%) were either not involved or only involved to a small extent.
Even legal teams that are involved in their organisations’ cybersecurity strategy are typically confined to a fairly narrow role. By far the most likely task falling to legal teams is ensuring the security of their own communications, data and files (84%) or providing strictly legal opinions on regulatory compliance (47%). Just under a fifth of teams (19%) reported being involved in their organisation’s wider cyber response planning, while only 7% were monitoring cyber threats across the organisation as a whole.
Businesses not involving legal teams in their cybersecurity efforts should take note: over half (53%) of the senior counsel surveyed rated their organisations’ cybersecurity defences as either poor or average. Just 13% said their organisations had excellent protection against cyber threats.
The limited involvement of legal teams when it comes to cyber security efforts is particularly puzzling given the obvious advantages lawyers would bring to the process. As Britton Guerrina notes:
‘Legal involvement is critical for various reasons, and lawyers are able to guide efforts in a wide range of areas, from helping to design the security programme to comply with privacy, employment and other local laws to advising the cybersecurity team on cyber regulatory requirements.
Legal teams can also assist with the roll out of security tools while addressing any legal impediments. They can advise which legal and regulatory requirements apply to a breach based on the facts and circumstances presented, determine whether breach notification requirements (regulatory or contractual) have been triggered, and craft notifications, interact with regulators, law enforcement, and so on. In my view, legal and cyber need to partner together, along with risk, in order to protect the organisation effectively.’
However, as Michael Shour, general counsel and secretary for Banyan Software, observes, this is likely to change as the regulatory and reputational stakes increase.
‘Legal is actually very well positioned to spearhead this area, but it is often not an area where management wants legal to focus, due to the limited resources. As class actions and cyber-related litigation increase over time, I suspect that this will continue to require an increasing amount of legal involvement.’
Plugging the leaks
Monitoring cyber risks may still be deemed a low priority for legal counsel, but the related issue of data privacy is fast becoming a key part of the legal team’s role. As one respondent, senior counsel for data and privacy at a global media and telecoms business, puts it:
‘Data protection is a growing issue, and not just because of the rise of serious and very damaging incidents which we all read about in the news. From a compliance perspective, it is the increase in country-wide and global regulations. Business has to operate as smoothly as possible, and it is our job as legal to help it do so within these regulatory boundaries.’
When asked to identify the most pressing cyber threats their organisations faced, nearly half (49%) of corporate counsel pointed to the risk of customer data being compromised. Theft of confidential business information was seen as the next most pressing risk, reported by 28% of those surveyed. As Naseem Bawa, general counsel for InteraXon, a leading maker of brainwave-controlled computing technology and applications, points out, in the digital economy data is a chief driver of value. ‘Data is part of a company’s IP and without stringent safeguards to protect and enhance its value you are leaving your doors unlocked.’
For comparison, just 2% said that direct monetary loss through theft was their organisation’s most pressing concern. While theft can be costly, it is often nowhere near as expensive as dealing with the regulators. For businesses that have yet to experience a significant data breach, comments one senior legal and compliance counsel at a large retailer, the uncertainty over consequences can be troubling.
‘The big unknown here is the way a regulators will respond. The marquee cases have been in the financial services industry, and there is some evidence that regulators will look at what a retailer is doing around data and compare it with the systems and controls that have been put in place by financial institutions. Obviously, these financial institutions have far more robust data-security arrangements in place, which is potentially something that could damage our position in any litigation.’
These risks are especially pressing, continues the respondent, in a world where customer interaction is increasingly digital.
‘Mobile payment apps and e-commerce are becoming the principal vector through which fraudsters are able to infiltrate business systems. It’s a data security issue but it’s also a cybersecurity issue that goes right to the heart of our business. That means the legal team needs to know how our IT systems work, with at least some degree of accuracy, and how those systems can sink us.’
For those unfortunate enough to suffer a breach affecting customer data, knowing how to respond is key. The advice from one general counsel at a large US medical insurer is to bare all. ‘If customer data has been compromised then you need to tell them, and you need to help them take whatever steps are needed to mitigate the risk they now face. In the first day or so after an incident everyone is scrambling around to collect as much information as possible before the company needs to report the incident, but often it will be too late for the customer if you wait a day. Bite the bullet and tell them what has taken place. And, of course, have a plan ready so you aren’t worrying about drafting the message during a firestorm. If you are facing a situation where you need to email potentially millions of customers, you will really be thankful that you planned ahead of time.’
This planning, many agreed, is among the most important steps that GCs can take. As Richard Brzakala, director of external legal services at Bank of Canada, comments, ‘The old maxim “Trust but verify” applies here. You may have best-in-class cybersecurity in place, but it needs to be tested continuously. It’s not a question of if things go wrong. They will go wrong. You will experience a cybersecurity incident or data breach eventually, so be prepared.’
On 7 May 2021, Colonial Pipeline, the largest petroleum pipeline in the US, was shut down following a cyber attack. It remained closed for five days, causing panic buying, fuel shortages and national security soul-searching. For cybersecurity experts, the most surprising element of this episode was that a key part of US infrastructure was not brought down by the actions of a hostile state (at least directly), but by a small group of cyber-criminals deploying a devastating form of online extortion software: ransomware.
After gaining access to a company or individual’s system, the attacker will make files inaccessible in some way. At the lower end of the scale, the malicious programme may simply lock the computer, an easily fixable situation for an IT professional and no great problem for a large company. But when deployed by more sophisticated attackers, the software will encrypt the victim’s files so effectively that recovering them without the decryption key is virtually impossible.
The Colonial Pipeline ransomware attack was just one of several high-profile events that have struck ostensibly secure organisations over recent months. May 2021 also saw a ransomware attack on meat processor JBS Foods, a $53bn company that is deemed vital to US food security. The attack, which led to closure of some of the company’s facilities, was reportedly ended after an $11m ransom was paid.
While the scale and severity of recent attacks has surprised many, the growing popularity of ransomware comes as no surprise to specialists in the field.
‘My first response to the upsurge in ransomware attacks lately was that we analysts have been warning about this for over a decade, and we all predicted this was going to happen’, says David Fidler, senior fellow for cybersecurity and global health at the Council on Foreign Relations.
‘Now it’s here we have another round of gnashing of teeth, but opportunities to mitigate the danger have been missed time and time again over the intervening years.’
Fortunately, even for those who may have missed the early warning signs, hope is not lost. GC speaks to some of the leading counsel and cyber experts to find out what the rise of ransomware means for business, and what lawyers can do to help prepare their defences.
The unlocked door
The rise in attacks affecting everything from water and energy utilities to fuel distribution systems is a sign of things to come. From a cybersecurity perspective, the truly frightening aspect of these attacks is that, once systems have been compromised, there is little IT professionals can do to regain control. Bhavani Thuraisingham, Founders Chair Professor of Computer Science and the Executive Director of the Cyber Security Institute at The University of Texas at Dallas, comments:
‘When the malware enters the system, it has access to almost everything, and in a ransomware attack [hackers] will encrypt everything and demand a payment in exchange for the key to unlock the files. As of today, AES 256 encryption cannot realistically be broken with modern computing methods. Unfortunately, this means that if the attack progresses to this stage, you have really no access to anything in the system unless you get the key to decrypt the data’.
Richard Forno, senior lecturer in the University of Maryland, Baltimore County Department of Computer Science and Electrical Engineering, puts it even more succinctly: ‘If you haven’t been conducting cybersecurity best practices and a sophisticated attack takes hold of your systems, you’re screwed’.
As a result, victims of high-profile ransomware attacks have been left with little option but to pay up. In the case of Colonial Pipeline, hackers demanded a ransom payment of $4.4m in the form of bitcoin, which they promptly received in exchange for codes to unlock the company’s systems.
More troublingly, the lines of attack hackers are exploiting are not easy to defend against. For example, phishing attacks in which members of staff are fooled into downloading malicious software by seemingly genuine emails are becoming increasingly effective. This, says Forno, is increasingly dangerous given the rise of social media as a means of validating an unknown person’s identity.
‘Using artificial intelligence and machine learning, you can identify, develop and even create fake personas that are very detailed. This can allow you to make a phishing email that is much more convincing to the target, particularly if
you’re targeting a particular individual, such as the CEO of a company.
What’s more, even those who follow every reasonable security protocol and measure can, unwittingly, become a victim of the more sophisticated hacks. Increasingly, [malicious] software is being downloaded through perfectly legitimate websites via ad networks. [If a hacker] is able to compromise a content or software distribution network, malware could be injected into this such that users of a legitimate website would then be downloading malware through the network.’
React and respond – preparing for times of crisis
As the realities of new digital attack vectors and how to respond to them become increasingly evident for major corporates and their counsel, leading private practice practitioners from the WSG network share their insights and advice to help businesses prepare for the worst.
‘Ransom attacks, including larger supply chain-type attacks, continue to lead the headlines and pose a sophisticated threat to a business’s ability to operate or recover, now more than ever,’ says Batya Forsyth, partner at Hanson Bridgett and co-leader of the firm’s privacy, cybersecurity and information governance practice.
With cyberattacks increasing in frequency, severity and variety, the need for general counsel and their teams to be prepared to react and respond accordingly has fast become a business imperative, irrespective of company size or sector.
‘A response plan should set the expectations high for the organisation,’ says John Babione, a partner at Dinsmore & Shohl LLP.
‘Responding effectively to security incidents and potential data breaches should be emphasised as critical to the success, and in some cases survival, of the organisation.’
Exactly what a response plan looks like will be different for every organisation, with individual risk factors and tolerances both likely to heavily influence the final plan and procedures. However, the experts we spoke to agree on several common elements that featured in successful response plans.
‘A good security response plan sets forth a process that is easy to understand at all team levels – from general staff to general counsel – and functions well across a variety of attack scenarios,’ says Forsyth.
‘Most importantly, the plan must explain how the plan gets triggered, who makes that decision, who needs to know about that decision and the first next step for the team.’
Getting buy-in from the wider organisation and ensuring that everyone understands their individual roles in times of crisis were also seen as essential parts of successfully managing a response, with time often a critical but limited commodity in any attack scenario.
‘The plan should enlist all affected personnel as partners in a team effort in which everyone knows their daily efforts and diligence on the front line are valuable and needed,’ says Babione.
This engagement though, shouldn’t be limited to times of crisis says Babione, who instead advocates for an always-on approach to monitoring for threats and being prepared to respond – an approach that emphasises mitigation as much as it does preparedness.
‘To do this, the day-to-day IT environment, applications and tools must support and encourage employees to be watchdogs, looking for trouble and reporting it up the chain of command,’ he explains.
‘This engagement of the workforce and management as the hands and feet of the response plan turn the plan from a piece of paper into what it needs to be – the means by which the organisation can respond quickly to incidents to prevent them from turning into a data breach or other harmful cyberattack.’
This type of attack, say the cybersecurity experts interviewed for this report, has already been detected on some of the world’s largest website, often with little or no awareness among their users.
Adds Thuraisingham: ‘Ransomware spares no one. It could attack an 80-year-old great grandmother, a major financial company or even critical infrastructure. With that said, the more pain the attacker causes, the more publicity they get and the more money they can extort; sectors that allow them to cause maximum damage may therefore be more vulnerable. These will include major hospitals, government organisations and, especially, financial companies.’
Of course, cyber experts are aware that ransomware attacks are now big news, and that reporting biases undoubtedly skew toward them. Even so, says David Fidler, senior fellow for cybersecurity and global health at the Council on Foreign Relations, the underlying reality is that such incidents are on the rise. In fact, says Fidler, the true extent of the problem has probably been under-reported.
‘There has been an increase in ransomware attacks, and that increase has been felt across the entire corporate sector in North America and beyond. Beyond this, there is a large number of institutions – typically hospitals or
other bodies that hold large volumes of data – that have been victims of ransomware attacks without the public or media ever becoming aware of it. So the problem is growing and the scale of the problem is perhaps larger than one would imagine.’
The GCs who came in from the cold
From the perspective of the US government, ransomware is a clear and present danger. The increase in the size, sophistication and public awareness of these attacks, as well as their ability to damage critical infrastructure, puts general counsel on the fault line of what, for some organisations, will be the most important challenge of the coming months.
‘The connection between criminal ransomware attacks and how the United States government perceives our adversaries as providing havens for cyber criminals is key’, says Fiddler.
The government has already accused Russia and China of tacitly allowing cyber criminals targeting US companies to operate free of constraints. We’re seeing movement toward more offensive actions on the part of the US government aimed at cyber-criminal organisations based in potentially hostile territories because, clearly, our defences are not effective in preventing these attacks.
If the government does move in that direction, that is a much more dangerous context for businesses to be in, because we do not know cyber-criminal groups are going to respond. They could become even more sophisticated and try to test how much further we’re willing to escalate’.
The thought that corporations might unwittingly get caught in this cat-and-mouse game of testing and defending critical infrastructure is no longer an abstract item on the risk agenda. Even smaller companies that are not deemed essential parts of the US economy now face the prospect of becoming collateral damage in the tit-for-tat exchanges brought on by the escalation of opportunities for cyber attacks and the escalation of deterrence by punishment.
‘For GCs, understanding the potential threat is key’, adds Fidler. ‘Understanding what the threats are from this potential escalation on the part of the government may help persuade the C-suite of the need to make more investments in their own cyber defence.’
Of course, only a minority of companies will fall victim to the most serious of incidents, but indirectly almost every single organisation will end up paying the price, whether through increased demands on security and compliance or changes to their relationships with customers and commercial partners.
Insurance has long been one of the major tools used by corporates to mitigate their exposure to cyber risk, but as the number of cyber-related insurance pay-outs topping seven figures grows, policies are being hastily rewritten.
‘[Last year] was an unprecedented year for ransomware attacks and the payment of related insurance claims’, notes Lavonne Hopkins, senior managing legal director for security, resilience and digital at Dell. ‘As a result, the cybersecurity insurance market is hardening as insurers revaluate how to keep their cyber insurance offers profitable.
I have observed that insurers are focusing more on evaluating organisational cybersecurity maturity and preparedness when making coverage decisions and determining premiums and deductibles. We can only expect this trend to increase. Organisations should start to prepare for a future that potentially excludes ransomware coverage from cyber liability policies and requires self-insurance models.’
A worrying thought. And even those who can find suitable policies should not be complacent against the threat, says Thuraisingham.
‘Certain insurers are now offering specific products that cover the threat of ransomware attacks but relying on this can be extremely risky. To activate the coverage a company must first lose its data in a ransomware attack; only then will the insurer release funds to pay the ransom.
This is obviously not ideal, as the protection offered does not typically compensate for the reputational damage or staff costs associated with the incident. I would advise taking all the preventive measures you can before relying on insurance.’
The price of this sort of ‘kidnap insurance’ coverage is also likely to increase markedly as insurers keep a watchful eye on cybersecurity developments. A report issued recently by Hiscox, an Anglo-Bermudan insurance provider that specialises in niche categories of risk, noted insurers faced a 50% year-on-year increase in pay-outs for cyber-related policies, with ransomware attacks accounting for the biggest contributor to this growth.
Outsmarting the hackers
Even the most generous insurance policy can only be triggered once a cyber attack has taken place, by which time financial compensation alone may not be enough to repair the damage. For general counsel, the only real way to defend against risk is to go on the attack.
David Mace Roberts, general counsel of transport information systems provider Electronic Transaction Consultants (ETC), has been working to keep one step ahead of cyber attackers for many years. For Roberts, the most notable feature of a good cyber risk plan is that it looks unlike anything else on the market.
‘A lot of companies will pull up a one-size-fits-all cyber response plan, but that’s really not good enough. A bespoke cyber response plan needs to be custom crafted for both you and your industry.
Thuraisingham echoes Roberts’ comments. ‘Just as with health concerns, the best method is prevention. Protect all your systems, data and processes so that the attackers cannot gain access in the first place. Perhaps most important, companies that do not mandate backups and do not have extremely stringent security policies are most in danger. Do continuous backups of data and processes. I cannot emphasise proper backup procedures enough’.
Indeed, as Richard Forno notes, none of these measures are difficult to implement, but business has tended to ignore expert advice for too long.
‘The problem I see is that a lot of companies and governments of all sizes fail to do basic cybersecurity best practices, things that we in the industry and academia have been urging people to do for 20, 30, 40 years. This can be things as simple as having a really strong password or using multiple forms of authentication for critical or sensitive systems’.
The most important aspect of effective defence against a ransomware attack, however, comes with employee training. Human error is overwhelmingly likely to be the biggest weakness in a cybersecurity defence package, as well as the first thing a criminal group will look to exploit. To guard against this, says Roberts, the only option is to train relentlessly, ‘If you only train once a year then training loses its impact and offers minimal protection.’
Lavonne Hopkins of Dell agrees. ‘Unfortunately, ransomware most frequently originates from human error, and over half of ransomware victims suffer repeat attacks. Training and education are critical to ensure a comprehensive cyber preparedness strategy and prevent these ransomware attacks. Organisations should mandate cybersecurity training, including phishing training, for all employees and contractor. Employees are the first line of defence and need to be equipped with the knowledge to help prevent an attack’.
Before any of the above can take place, senior management needs to take the risk to business from cyber attack seriously. As Thuraisingham notes, it is all too common to encounter business leaders who consider cyber strategy as a matter for IT professionals.
‘When you’ve hired the best risk analysts and cyber teams money can buy it is very easy to conclude that you’ve done everything you can. This is fundamentally wrong. Businesses will always be vulnerable to these attacks, so there needs to be a constant awareness of just how serious the consequences can be.’
Unfortunately, awareness of cyber risk as among the c-suite seems to remain limited. Our survey of over 200 general and corporate counsel in North America revealed that while legal teams felt there was a very high risk of cybersecurity breaches to their organisations, fewer than half were actively involved in shaping cybersecurity risk planning.
For many organisations, it may come back to haunt them. As Roberts concludes, ‘If you are a senior member of a public company, you’d do well to look at the SEC, the NYSE and NASDAQ who are all really pushing cybersecurity. Do you want this on the front page of the Wall Street Journal or the Washington Post? Do you want to have to answer to the boards, or to the securities regulators? If not, then taking the risk seriously now is the best defence.’
When legal moves fast, business moves fast. Time kills deals, and often moving at speed is imperative. For in-house counsel, the need to move quickly can be a source of tension. No lawyer wants to hold business back, but it takes legal time to review a contract and ensure compliance. Rushing can generate risk that comes back to bite you.
This longstanding tension is not only a problem for GCs. At a basic level, all lawyers are contracts lawyers and all the businesses they serve are contracts businesses. The contract is the most fundamental unit of commerce. Whether it’s an offer letter, an employment agreement, a stock options agreement, a vendor agreement with a third party, a sales agreement, a marketing agreement, or any other form of agreement, business relies on processing contracts at speed.
The sweet spot is when you’re moving quickly and responsibly. The tension between speed and risk is something lawyers have struggled with for a long time. You cannot put yourself in harm’s way just to move quickly, and you cannot put yourself in a position where you’re losing deals because legal is taking too long to process contracts. When you’re moving at speed without compromising internal rules or policies, you’re doing well.
At Ironclad, and among our hundreds of customers around the world, we have worked to tighten the relationship between legal and commercial teams. Ironclad is the preeminent digital contracting platform for business. Our focus is on the end-users, whether they are in sales, HR, marketing – any function or professional that deals with contracts can benefit from the platform. We do not consider ourselves a legal tech company. Our enterprise-wide software is often deployed and administered by the legal department, but it frees lawyers from having to generate contracts.
When I run orientation sessions for clients, I like to begin showing a painting from the seventeenth-century, The Village Lawyer by Pieter Brueghel the Younger. It depicts a lawyer sitting at his desk surrounded by mountains of paper. A queue of people stands around waiting for his time. The one thing blocking them from going back to business is waiting for an interpretation. And that interpretation is likely to be something relatively simple. “What does the contract mean, what terms or provisions are contained within it and who owes what to whom?”
Too often, this is still the case today. Legal is the central hub for contract review. It is also the chief bottleneck when it comes to speed of business. At Ironclad, we are changing that by powering the world’s contracts in a way that legal teams love.
For example, using our no-code workflow builder the legal department can generate contracts and templates for any number of purposes. With Ironclad, a single workflow can produce hundreds of different versions of a document, whether it is a Non-Disclosure Agreement, Enterprise Services Agreement or any other commonly encountered legal document. This means various teams across an organisation can generate their own contracts while staying safely within the guard rails set by legal: Who can sign which contract? Who is part of the approval authority matrix? Does that change if the contract rises over certain financial thresholds? All this is stored in a fully searchable repository so things like data breach notification obligations can be identified at the click of a button.
Ask not what your company can do for you
As legal tech matures it is not only allowing GCs to do their jobs faster. The really exciting thing is that tech is now changing how GCs can bring value to their companies. To take one example, I can now look at our sales contracts and know which of them has gone through one round of red-line edits, and which has gone through two rounds of red-line edits. That allows me to identify patterns in the data. I can see that when a contract has gone through one round of red-line edits the probability of a deal closing is at a certain level. With two rounds of red-line edits that probability rises significantly.
That is the sort of data that GCs just didn’t have access to before. It means we can more accurately forecast what the quarter is going to look like using data generated and held within the legal function. That’s just one of dozens of applications you can put legal analytics to, and it is exciting to see what is now being done with this sort of information.
If you’re a GC and you don’t know where all your contracts are or what’s in them then there’s a lot of room for you to significantly up-level your compliance measures. Recently, Ironclad acquired PactSafe, an Indianapolis-based clickwrap transaction platform that enables companies to process high volume agreements. From create to review to negotiate to sign to store and repository, contract lifecycles do not just exist for B2B contracts. For a growing number of businesses, monitoring B2C contracts is becoming essential.
We’ve all been through the experience of signing on to terms of service in the B2C space. Whether it’s Uber, Spotify, or any of the apps and services we have come to rely on, we have all given manifest assent to a contract by clicking a box. Behind the scenes, companies need a way to manage those millions of clicks. When facing litigation or a potential class action, companies will need to identify which users signed what agreement. To get even more granular, they may also need to quickly come up with evidence that most, if not all, of a proposed class had signed an agreement containing the relevant arbitration clause. That sort of litigation is highly likely when you’re a successful company and having the tools to manage and process large volumes of data is key. We are excited to explore how this process of manifest assent – a process very similar to e-signing – can be used more widely in the B2B space.
No excuses
For many lawyers, legal tech has been a series of false dawns. It has often promised to revolutionise the way lawyers work, but it has rarely delivered. That, finally, is set to change. For the first time ever in the history of the legal profession there is cutting-edge technology that allows us to do our jobs more effectively as lawyers. The whole profession is now waking up to what it can do differently, and in-house legal teams are driving this change.
In-house teams used to ask their law firms about technology. Now it’s the reverse. GCs are encouraging their firms to adopt technology, and firms are hearing about the most useful software and tools from their customers. But technology is only one part of this transformation story. The rise of legal operations as a specialism has been just as exciting.
For years every department at a major company has had its own ops function. Marketing, engineering, sales – all of these departments have relied on operations professionals to keep them moving. Now we are seeing that in legal teams, and it is having a transformational impact on the way systems, processes, people and tech work together.
GCs have always faced the same question: how can the legal department cope with increasing work volumes as a business grows? Are you going to add bodies as legal departments have done for decades now, or are you going to use technology and smarter processes to scale up? Increasingly, technology is the only viable option. I have made it my goal as GC to practice what I preach. At Ironclad, we have one commercial counsel servicing over 60 salespeople who negotiate up to dozens of deals each day. The only way that’s possible is by leveraging our own system.
My goal as a legal leader is to have one of the leanest departments out there. A lot of GCs talk about wanting more headcount – I take the opposite approach and ask how I can keep the team as lean as possible. For legal teams struggling to stay on top of things, try this: instead of scaling by adding more people, scale with systems. Measure the success and improvements you can get through using the right tools and processes. The results will convince you that technology can have a transformative and liberating impact on the legal team.
Chris Young, general counsel for digital contracting platform Ironclad notes that ‘In-house teams used to ask their law firms about technology. Now it’s the reverse. GCs are encouraging their firms to adopt technology, and firms are hearing about the most useful software and tools from their customers.’
For many firms, this will come as unpleasant news. But there is an upside. As Young points out, ‘In-house lawyers will always need law firms, and the industry won’t be transformed by one side alone. The more forward-thinking law firms should see this moment of change as an opportunity to gain a competitive advantage and become a true strategic partner to their clients.’
Judging by the results of our survey, it is an opportunity many have failed to grasp. Under half (45%) of the more than 200 senior counsel we polled for this report said their firms were using technology to deliver legal services and solutions, while a similar number (41%) were unsure how their external firms were resourcing matters.
As one respondent noted, ‘Knowing what goes on at a lot of firms is a game of Schrödinger’s Cat. They may be using some pretty sophisticated software to bulk process our matters, but they are unlikely to tell us about it unless we push them.’
This lack of transparency was widely cited as a source of frustration. Indeed, nearly three quarters (74%) of those we spoke to said they were not satisfied with their firms when it came to technology.
Law firms should take note: 88% of legal teams said it was important that their law firms kept up with developments in technology, with 32% saying it was crucial for them to do so.
We should not place the blame entirely on law firms here. In-house lawyers may complain that their firms behind the curve, but fewer than half (44%) are asking about their external advisers’ use of technology when undertaking
panel reviews.
With so many GCs either unsure of or dissatisfied with their firms’ use of technology, it is no surprise to see that few are looking to them as a source of inspiration. Just over a third of respondents (38%) said they now looked to their firms for guidance when it came to finding or implementing legal technologies, while under a quarter (23%) reported having been advised by their firms on the use of specialist legal technology. Only 21% of respondents said their firms had offered to share technology with them.
This, for some GCs, has been a dealbreaker. ‘One of the factors that motivated me to change firms was the lack of use of technology by my old external firm’, comments the general counsel of a large commodities business.
Of course, the technology used by law firms is often very different to the technology needed by corporate legal teams. Firms tend to operate in scales and volumes that are far beyond the requirements of their clients, making tech transfer a far from simple matter.
Even so, it may trouble those in private practice to know that legal teams are beginning to look for solutions elsewhere. Almost half (47%) of those surveyed said use of technology within the legal team had already impacted their relationships with external firms.
The good news? Law firms that take a proactive approach are winning clients. As Michael Shour, general counsel and secretary of Banyan Software, concludes:
‘If a firm is wise to the implementation of appropriate technology solutions, it can allow them to complete tasks more efficiently and cost-effectively. When I see a firm doing things like this, I can’t help but appreciate that they are driving efficiently for their clients and am impressed that they are on top of things – and that can only be a good thing for business.’
I have been working on data privacy since before it was a recognised area of law. When I started out, what is now understood as privacy was part of a company’s compliance programme and fell to its compliance officers. Of course, privacy still falls under compliance, but it has become a unique feature of the compliance programme.
To oversimplify things for the sake of making a point, privacy is just compliance with an IT flavour, and it is something I have been giving presentations on to boards of directors and executive management for over a decade.
It’s funny, because I still have a compliance-based approach. I come to the meetings with only four slides. At first, everybody looks at me like I am out of my mind, but they soon understand that we don’t need many more to understand what privacy is all about.
Essentially, privacy in an organisation can be reduced to four fundamental questions: Which data are we collecting? Why are we collecting it? What are we doing with it? And finally, where does it go to die?
In reality, privacy and compliance programmes have to be a lot more detailed, of course, but at the end of the day, if a company can effectively answer these four “Ws”, I would argue that it has a very robust programme.
While the fundamentals of privacy have stayed the same, the environment businesses operate in has not. In particular, the general public is becoming more aware of privacy issues, and the last of the four “Ws” has taken on a new importance. Companies cannot keep data forever and they must find ways to get rid of the data they do not need in a secure manner. Businesses must also remember that security is always key when it comes to privacy. If you’re storing data in the cloud then to a large extent you are relying on a third-party. The quality of its controls and server management may be exceptional, but it is a potential gap in your security.
As chief privacy officer, I work with the chief information security officer daily. Together, we have built an incident response plan for privacy and another for security, but the two are intertwined. My management agreed to it because we demonstrated that cybersecurity breaches are, almost invariably, a threat to privacy. That’s why I would advise counsel to always take the two threats together. You rarely discover one without the other.
Technically speaking, security has improved a lot in the last twenty years. We have created automated tools that can support anyone’s privacy policies. So much that nowadays, most ransomware attacks are due to human failure or insiders. The old approach of making a brute force attack on a server typically does not work anymore. Consequently, the bad people have gone back to tried-and-true technics, like spear phishing, which lead to attacks that take advantage of social behaviours.
I have seen an 80% increase in phishing attacks in the past few years and it has gotten even worse since the beginning of the pandemic. These are often very targeted and very well thought-out from a social engineering perspective. Hackers know that we work and live on our computers and smartphones, and it just takes one careless mistake form an employee for them to download IDs and then access all or part of your system. It is a little scary, and board members are generally very worried about phishing, but privacy professionals are here to help.
I have been tracking what may happen, during and after the pandemic, as regards to medical records. Form a privacy point of view, they have always been sacrosanct, and I think that we are going to start seeing that peel back a bit.
In the US, there has been a lot of hue and cry over vaccinations because there is this tension between the Occupational Safety and Health Administration’s requirements and the level of security that is reasonable to expect from companies. Employers have an obligation to maintain a safe workplace.
This includes protecting people from airborne diseases. Therefore, for them to carry out their duty, they should be allowed to inquire if their employees have been vaccinated against Covid.
These things have never really been allowed in our modern societies, so the ways in which this will play out should be of interest to every privacy professional and general counsel.
Privacy law is a subject that has interested me for a long time. Even as a college student – although I was the paragon of a classic liberal arts major who avoided hard sciences – my best paper was on comparative law issues between French and American rights to privacy. However, it was not until I began working as a lawyer that I started engaging with cybersecurity and data protection as anything other than abstract concepts.
In my early career I was a communications lawyer and a litigator in the cable television and telecommunications industries. These are sectors that have had privacy protections for customer data for some time – in the case of cable television these protections date back to 1984. Working in that field gave me a lot of exposure to communications technologies and helped me to understand how various systems operate, the type of data flowing over them and what sort of information is captured by providers.
When I joined the Department of Commerce as general counsel in 2009, I was aware that privacy and cybersecurity were becoming increasingly important issues. Even before I was confirmed by the Senate, we spent time working on these topics, thinking about what we should be doing. Very early in the Obama administration, after I had deepened my familiarity with the matter, I advocated for action to deal with privacy issues.
The government seemed interested, and the White House empowered me to lead an Inter-Agency Committee to look at this more closely, which led to the development of what ultimately became the Consumer Privacy Bill of Rights Act in 2015. This was a compelling leap forward.
I resigned as Acting Secretary of Commerce in late 2013, since which time I have been a visiting scholar at the Massachusetts Institute of Technology Media Lab and at the Brookings Institution, where I am a member of the Center for Technology Innovation. My work at these institutions follows the ways in which public policy and the law is adapting to the evolution of technology, but also to design better governance for advanced and transformational technologies such as artificial intelligence.
Over the past decade or so, I have been involved in high-level exchanges on artificial intelligence policies among several countries – the US, the UK, Canada, Singapore, Australia, Japan, and also with the EU. Along with other experts, I have been looking at opportunities for stronger international cooperation on this front. The appreciation that such cooperation is necessary has certainly grown over this time, and the channels allowing for inter-governmental cooperation have become much more sophisticated.
My experience in politics and familiarity with legislative processes has undoubtedly helped me in this work – it is impossible to design good governance without appreciating how things get done at a governmental level, how to gauge what is possible, and how to frame issues in ways that speak to members of Congress or to the public.
This is especially important when it comes to topics such as analytics and big data. Because of their ability to discern unique patterns in a data set, or to link one data set with others, these technologies are turning things that have traditionally not been regarded as personal information into powerful and exploitable data sets.
In such an environment, defining limits and setting legal requirements can be more complicated than ever before. There is so much value in data now that society and enterprises have increasingly important interests in how it is used. That is why, even after a life spent in the field, I still consider the legal implications of technology to be among the most important questions we face today.
In 1954, The Westinghouse Electric Corporation unveiled the world’s first colour TV. With a price-tag of $1,295 – or nearly $20,000 in today’s money – the H840CK15 was the type of luxury purchase that stood as a solid signifier of economic success.
‘I grew up in a world where lawyers were among the few middle-class professionals who could afford the latest technology’, comments one senior lawyer at a large multinational bank.
‘Now, we are among the few middle-class professionals that ignore technology. It’s a strange thing that so many lawyers have chosen to overlook the transformative power tech has had on the world of work, and I am part of a growing number of in-house professionals that seeks to address the oversight.’
To rephrase the problem – well-known in economics – why does the cost of technology consistently fall relative to the rate of inflation while the cost of services, encompassing everything from healthcare to education continues to rise?
The answer, in short, is that machines cannot (yet) do what humans do. What machines can do, however, are the things humans do not want to do. From this perspective, technology is not a threat but an opportunity. It allows lawyers to move higher up the value chain. And, let’s be honest, no one wants to be stuck doing low-level work.
‘Lawyers are afraid of technology taking their jobs’, comments Lisa Marcuzzi, general counsel and country counsel for ArcelorMittal Dofasco in Canada. ‘But I don’t know of a single lawyer that feels unhappy that they will have to give up reviewing NDAs or sales agreements. As far as I can see, technology will free lawyers to do the jobs they trained for.’
The wider in-house legal community in the US and Canada clearly agrees. While 90% of respondents felt that technology had disrupted the legal profession over the last five years, and nearly all (97%) felt it would do so over the next five years, over three quarters (76%) said this disruption was a positive outcome for the legal profession.
Far from fearing tech, in-house lawyers are waking up to the freedom it can grant them – 87% of those we surveyed said their wider teams were receptive to the use of technology, while 78% said their businesses were supportive of finding new ways to work.
This widespread optimism, many respondents pointed out, was based on direct experience of available technologies. ‘I spent many years reviewing and negotiating documents that were up to 100 pages long’, commented one general counsel in the finance sector. ‘Typically, 90% of that document would either be boilerplate or unnecessary. If I add up the time I have spent reviewing superfluous material and account for cost then it comes to a shocking level of waste.’
In short, corporate counsel are looking forward to the freedom tech will grant them, and few fear their jobs are at risk. As one respondent commented, ‘The idea that lawyers will be replaced is just not realistic. Imagine a Fortune 500 company dismissing its legal team and saying, “we’ll just rely on technology to do all this stuff.” It won’t happen – it would be insane.’
What will happen is a continuation of the trends that have been in play for several years. The in-house legal team will move closer to the time-critical or economically important aspects of the business, law firms will be brought in to help with the types of matters where it just doesn’t make economic sense to employ a team of internal specialists, and technology will be used to remove a lot of the work that was never strictly legal work in the first place.
Eleanor Lacey, head of legal and general counsel for work management platform Asana, comments: ‘In the knowledge sector, tech never works by replacing people. It works by augmenting people and freeing them up to work on higher-value matters.’
‘There is a great sense of freedom now that we as corporate legal teams can really solve a lot of the problems we have seen time and again by introducing often inexpensive tech fixes. It’s a great time to be working in the legal industry. Anyone who says otherwise is just not seeing the big picture.’
Moving up the value curve
What are the grounds for this optimism?
Let’s take the single most important item an in-house lawyer deals with – the contract. Lawyers deal with contracts. Lots of contracts. So too do their employers. As Chris Young, general counsel for digital contracting platform Ironclad, puts it, ‘At a basic level, all lawyers are contracts lawyers and all the businesses they serve are contracts businesses. It’s the most fundamental unit that commerce is based on.’
In this contract-driven world, the central hub for contract review runs through the legal department. When a business grows, how does its legal department choose to scale? Does it add bodies, or does it use technology to scale up and meet demand?
For the last several decades, the answer to that question would have been the former. General counsel had one demand above all else: more staff. As our survey of legal teams in the US and Canada shows, attitudes are changing, and the answer is increasingly likely to be “new ways of working”.
Central to the evolving skillset of the in-house counsel is getting comfortable with communication. Those we surveyed were clear: documentation can be automated, and any lawyer who is essentially reading a document aloud can be replaced at will. But that, many feel, is a good thing. The rise of legal tech means the in-house team can finally sound like the rest of the company.
‘We don’t need to tell business, “The documents say this”’, comments one respondent, senior counsel at a large US medical services provider. ‘Any literate person can see what the documents say. We’re guardians of nothing but the obvious if we tell them what they can read for themselves.
‘That’s great – being freed from routine tasks is not a case of lawyers being replaced. It’s a case of lawyers being able to use their skills for the benefit of business. We should embrace it. Lawyers have been trained to do some very sophisticated work, but large parts of the contracting process are not that work. If we can relegate that to a system or use technology to complete it then we are going to have a lot more time to do the work that is expected of business leaders. The days of pushing paper around may finally be over.’
Reforming data privacy laws may not sound like a move destined to leave an enduring political legacy, but in policy-making circles the tropic casts a surprisingly long shadow.
‘One of the major hang ups of US leadership role has been the absence of a federal commercial privacy law in the country’, says Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP).
For many, the most puzzling question of all is why there is still a debate about the issue. In a world where data, and the power to regulate its use, is becoming a central part of statecraft, the United States is conspicuous in lacking a national data privacy law.
A decade ago, when the Obama administration started discussions on strengthening privacy regulations in the US, the business community considered the initiative as an unwanted and unneeded interference. Since then, it has become clear that the alternative may be far less palatable.
‘We are pretty quickly going down the path toward fifty plus privacy laws, which is the same place we have found ourselves with data breach notification law’ says Liz Benegas, general counsel of enterprise management software provider Totango.
Bob Jett, head of global privacy and risk at Crawford & Company, says the case for a federal law has never been stronger. ‘As citizens and consumers, we are only going to increase the number of things we do online. We can also see that some of the largest tech companies are stepping up and saying they want to be accountable for what they are doing in terms of privacy. They have realised that if they don’t self-regulate, the government might come up with stricter regulations than anticipated.’
Privacy, protection and pragmatism
New ways of working and the technology that enable them are creating all-new challenges for businesses – both legal and otherwise – with data privacy a headline concern for corporates of all shapes and sizes. GC speaks to leading professionals from across the WSG network to find out how they are advising clients navigating an increasingly complex corporate environment.
‘Technology has reshaped every aspect of legal life from the way research is completed, to how documents are filed, and, with the pandemic, how we appear in court via remote video platform,’ says Robert McFarlane, a partner at Hanson Bridgett and leader of the firm’s technology and intellectual property practices.
‘With remote applications come increased risks. All businesses, including law firms, must employ electronic and cloud security measures that minimise the chances of data leakage and the compromise of confidential client materials. We invest heavily in security measures and training and advise our clients to do the same.’
Critical to effectively evaluating current measures and implementing training – particularly from the perspective of corporate counsel – is a thorough understanding of the contemporary rules and regulations applicable across all relevant jurisdictions.
‘The keys to mitigating privacy incidents are actions taken prior to the incident itself,’ explains John Babione, a partner at Dinsmore & Shohl LLP. ‘For organisations operating across state lines in the US or internationally, the work done before an incident to know and understand what laws apply to the data flowing through the organisation will reap tremendous benefits for mitigating the harm.’
But in an area that is evolving as quickly as data privacy and protection, staying abreast of the rules of engagement – particularly when extraterritorial considerations are now also frequently at play – and managing the varying expectations and requirements represents an ongoing challenge for general counsel.
To manage this, Batya Forsyth, a partner at Hanson Bridgett and co-leader of the firm’s privacy, cybersecurity and information governance practice, advocates for maintaining the highest possible standards across the organisation.
‘We typically recommend clients comply with the strictest state privacy laws that could apply to their businesses,’ she says.
‘In recent times, this would be California state law—namely, the CCPA and upcoming CPRA, which goes into effect in 2023 and is very often compared to the GDPR, the EU’s well-known, highly-restrictive privacy scheme.’
Managing the challenges of data in the modern corporate environment can’t be limited to just in-house considerations though, with Forsyth advising that external suppliers and contractors be held to the same high standard as internal stakeholders.
‘GCs must have confidence that the vendors critical to the functioning of their business are committed to and are, in fact, protecting themselves as well,’ she says.
‘A comprehensive vendor management programme should provide a clearinghouse of relevant contracts, a thorough understanding of each vendor’s contractual security promises and insurance commitments, as well as a current audit of select vendors where appropriate. If contract provisions are missing or too lax, GCs should consider negotiating amendments or revisions at renewal.’
Public demand for new privacy laws has tended to be weaker in the US than other developed countries, though the disruptions of the last year and a half – pandemic-related issues like vaccine certificates, digital contact tracing and mobile health apps – have helped put privacy and data security at the forefront of public debate.
A recent poll by data intelligence organisation Morning Consult shows that 83% of voters wanted Congress to prioritise privacy legislation. Surprisingly, those who identified as Republicans were just as likely to hold this view as those who identified as Democrats.
For Cameron Kerry, a visiting fellow at the Center for Technology Innovation at the Brookings Institution, visiting scholar at the MIT Media Lab, and former general counsel of the US Department of Commerce, the significance of strong data privacy laws goes beyond the short-term benefits it would bring to consumers and businesses.
‘In terms of the international picture, 2021 is a very important year for determining whether people can truly put their trust in American companies and technologies. Businesses want to see a consistent national standard rather than a variety of state standards that mean they have to re-engineer their systems each time they move to a new state.
‘American business has already had to adapt to GDPR, and many companies have internalised a lot of these practices and have acknowledged their advantages for themselves and their clients. There could not be much more fertile grounds for a federal law than we find today.’
Whether or not the US moves to pass a federal data privacy law, the number of states passing their own legislation has ramped up to the point that keeping track of developments can sometimes be a challenge even for the professionals. It also means that, whatever the next four years hold, the state of data privacy in the US is a question every GC will be following closely.
We spoke to those working at the sharp end of data privacy to find out what developments corporate counsel should be paying attention to.
A hill worth fighting for?
The drive to protect private citizens’ data in the US is arguably older than the country itself. Long before he worked to draft the Declaration of Independence and the US Constitution, Benjamin Franklin used his position as Postmaster General to ensure the privacy of communications sent by mail (to this day, the Fourth Amendment protects letters from search and seizure).
Subsequent lawmakers followed in this tradition, and in the last 50 years alone the US has introduced several notable pieces of privacy legislation, from the US Privacy Act 1974, which contained important rights and restrictions on data held by US government agencies, to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which laid down data privacy, security and confidentiality rules for health insurers.
In short, the US has never been inattentive to the importance of privacy. But for GCs struggling to navigate the patchwork of laws across governing data privacy across the country, the big hope is that the Biden administration will finally push for a comprehensive nationwide legislation.
In the run up to the presidential elections in November 2020, privacy specialists were convinced that, whatever the outcome at the ballot, federal legislation would soon follow. Draft bills from both sides of the aisle were circulating in Congress, and when Senators Roger Wicker (a Republican) and Maria Cantwell (a Democrat) introduced the Consumer Online Privacy Rights Act (COPRA) and the United States Consumer Data Privacy Act (USCDPA) in November 2019, it seemed like an often-polarised political system had at last found common ground. That the election ultimately swung in Biden’s favour only served to reinforce this confidence.
‘Parts of the Trump administration had an interest in weighing in on privacy legislation and trying to help move that forward, but there wasn’t any high-level interest in this issue’, says Cameron Kerry. ‘However, Biden, and certainly some of the people around him, have said explicitly that the US should adopt privacy legislation.’
Since then, there have been further signs that data privacy may come into sharper focus. On 12 May 2021, President Biden issued the Executive Order on Improving the Nation’s Cybersecurity. While cybersecurity and data protection are not the same thing, there is a close relationship between the two on a legislative level.
As Liz Benegas, general counsel of enterprise management software provider Totango comments, ‘you can have security without privacy, but you cannot have privacy without security. We all know the emphasis the US put on national security recently. Developing comprehensive framework for each is difficult and takes time, but now that our systems have been hardened, privacy should be added to the legislation list as well.’
On that list there is already the Information Transparency and Personal Data Control Act, introduced in March 2021 by Representative Suzan DelBene. While the proposed Act is not as wide-ranging as the European Union’s General Data Protection Act (GDPR) or existing Acts applying in certain US states such as the California Privacy Rights Act (CPRA) and Virginia Consumer Data Privacy Act (VCDPA) in particular – it does not contain the right to access personal information or the right to collect or delete information held by a controller – it does include a pre-emption provision, meaning that, if adopted, it would supersede state laws relating to data privacy.
This, believes Cameron Kerry, points toward a credible impetus for legislative change. ‘There is still the opportunity, interest and conditions to get it done [in the US]. A lot of good work has been done by Capitol Hill in both Houses to understand the issues. Key Republican and Democratic bills in the Senate are pretty close on these issues. A few points still need to be resolved, particularly pre-emption and private right of action, but there are some potential paths ahead.’
Speaker of the House of Representatives Nancy Pelosi has already stated that the House would oppose any federal law that does not include the same level of protection as COPRA, and it is likely that the question of the pre-emption is going to be a huge stumbling block.
However, comments Julia Reinhardt, Mozilla fellow in residence, privacy consultant, and a former German diplomat specialising in EU privacy policy, ‘the Biden administration realises how important this is for industry, for people, for consumers and for international data transfers, so I really hope that it will find ways push this project ahead.’
‘Privacy is a big horizontal topic that regulators have been working on for decades. GDPR may have a few gaps, but it was a big step ahead to have one regulation for a large, contiguous market. The EU member states each had their own privacy laws before GDPR harmonised a general law for the 27 countries.’
Hurry up and wait
While there are of course certain differences of context between the US and EU, the European experience shows that none of the problems facing federal data privacy legislation are insurmountable. Except perhaps one.
Bob Jett, head of global privacy and risk at Crawford & Company, the world’s largest independent provider of claims management to the risk management and insurance industry, believes North America is sufficiently culturally distinct to make any parallels problematic.
‘The unique difference between data privacy in North America and in Europe is that Americans and Canadians, for the most part, do not consider their personal information to be a fundamental right. Most of us are willing to give up our rights to privacy for convenience or speed.’
‘In the US, we are much more worried about cybersecurity, because of the potential impact that has on our infrastructure, our ability to use our credit cards, or to get gasoline and to travel.’
A difference in European and American cultures of litigation could also become an issue. While Europe has yet to witness a wave of GDPR-specific class actions, the long-tail of these types of cases makes its difficult to know whether that is because they do not exist or because they are currently working their way through the system. If it turns out to be the latter, it could be a big warning sign for US businesses.
‘Regulations can become litigation tools’, adds Jett. ‘This is one of the things I have been tracking, because in the US, there is a fear for class action lawsuits around this. And such lawsuits have actually started to be filed in California.’
Even supporters of a federal data privacy law concede there is more groundwork to be completed, particularly around the issue of private rights. ‘The question around the rights for individuals to bring lawsuits for privacy violations coming from companies is crucial’, notes Reinhardt.
‘The volume of cases and magnitude of fines tend to be significantly higher in the US compared to Europe, so it may be necessary to include some provision that only allows attorneys general at the state level to sue.’
While these debates play out among lawmakers, GCs will have to go about complying with an increasingly complex patchwork of laws on a state-by-state level. But deliberation among lawmakers does not mean that legal teams can or should take a patient approach to managing privacy.
‘Data protection – both the privacy and security aspects of it – is quickly becoming a risk management function rather than a technological challenge’, says Benegas. ‘Gone are the days when only the chief technology officer needed to know or care about the issues. Nowadays, all levels and functions within a company need to know and be prepared.’
‘GCs and corporate counsel will play a pivotal role in helping shape the response to this challenge, not only because risk management is part of the job description but because of the broad view legal teams have into company operations, from human resources to vendor management to customer contracts.’
Ann Cavoukian, former Information and Privacy Commissioner for the Canadian province of Ontario and originator of the concept of privacy by design, which was subsequently incorporated in GDPR, also advocates a proactive stance when it comes to data privacy in the c-suite.
‘In these times of legal limbo, I always encourage companies to get a certification. First, it builds trust and business relationships, which has been lacking for a long time. Second, it increases the quality of the information they collect.’
‘There is no inherent tension between granting privacy and exploiting economic value when it comes to data. You can capitalise on data but strip it of all personal identifiers. One of the seven foundational principles I established with my privacy by design approach is to abandon the zero-sum models, where it is either-or or win-lose. There should not be a conflict between business interest and privacy. We should be aiming to satisfy both.’
My route into legal services has been a slightly unusual one. I did not graduate from a legal program and spent the better part of my career as HR Immigration Manager at Boston Consulting Group (BCG). However, as a business studies graduate I have always worked adjacent to law, and when the chance to transition into an operations role came up I grabbed it.
In my previous role at BCG, I had worked closely with Antonia Peabody. In 2017 she launched what is now BCG’s legal strategy and operations group and it was always my intention to follow her. I had been tangentially working in the legal field, the issues thrown up by legal departments interested me a lot, and in my role as immigration manager I had started to work more and more on designing processes and building out strategy. That made the move to legal operations (legal ops) seem like a natural fit for me.
In some ways it is an unusual background, but I feel the most successful ops functions bring together a diverse talent pool. A nontraditional legal background allows you to examine how the legal function works with fresh eyes, and to bring a perspective that may be different from that of a lawyer. Besides, our philosophy in the BCG legal strategy and operations group is that if you put talented people into a role, they will contribute to your strengths.
The legal strategy and operations group was formed at an inflection point for BCG. We were acquiring businesses, branching out into new businesses, and our digital business lines were taking off. A lot of exciting change and growth was taking place, but when you’re facing that sort of growth there is a risk that different teams will end working in silos. The question we faced was how to create a group that could support the strategy we needed to move forward as a coherent organisation while also putting in place the operations needed to be successful across many different dimensions.
A big part of my role is focused on enhancing our contract management database. We have an entire sub-team dedicated to the day-to-day side of managing our contracts, but as ops professionals we look at the longer-term strategy and ask how existing practices can be modified to help our senior leaders manage the full contract cycle process.
There is of course a legal component to this work, it presupposes a high degree of familiar with legal terminology and processes, but in essence it is about taking a practical challenge, breaking it into its component parts, and distilling it down to something that can be communicated to senior leaders, both internally and externally. It’s about driving change, orchestrating communications and continuous improvement. To do that well you need a clear vision and purpose, and it always starts with a “why?”.
Having a purpose-driven process is particularly important when it comes to the in-house function. It can be tough for legal teams to do this. They can be vast, and they are involved in so many different things from employment to litigation to everything else. In spite of that, and perhaps even more so because of that, it’s helpful to ask yourself the question of what you are trying to do as a function and why you are trying to do it.
The temptation for a lot of in-house teams is to set things up in a very transactional way that looks to a large extent like the model of an internal law firm. That is not really the best structure, and it doesn’t give the best results. Legal should not let itself become a dumping ground – it overburdens the lawyers and takes away from what the function can deliver to the business.
Setting up things in a way that lets you extract data and make data-driven decisions is essential to this. With our contract management platform, we track everything: how many contracts are going in; what the adoption rate of the platform is among senior staff; whether it is being used properly; how aggressively we are pushing back on certain contracting terms; the risk profile of a class of contracts, how practical we are in our terms.
This is giving us new and incredibly useful insights into the work the legal team does, how it intersects with other functions in the business, the expectations and needs of our end-users, and where the bottlenecks in the process might be. From a legal ops perspective, however, we always try to keep in mind that while technology can play a big part here, technology itself should not be the goal. The goal is being able to structure decisions and processes in a way that is based on data and numbers.
I was almost a unicorn when I first started working in legal operations 20 years ago. The concept of operations, though well-defined in other business functions, was not well understood among legal counsel. Only the largest and most sophisticated legal departments were using e-billing products or matter management, and only the most far-sighted GCs thought of their function as a set of systems and processes that could be improved by careful design.
Today, there are armies of people working in legal ops, supporting GCs in their attempts to improve the efficiency and effectiveness of the legal function. A big reason for that shift is that legal teams have come under increasing pressure to constrain costs and avoid unnecessary expenditure. Improving efficiency has become a second mandate of the GC role, one that sits alongside managing purely legal matters on the list of priorities for business. And so, inevitably, legal ops professionals have entered North American corporate legal functions, tasked with finding the latest and greatest things in the marketplace that can help improve processes.
The rise of legal ops has been accompanied by a rise in legal technology. The increasing sophistication of legal technology means that data is now starting to speak to us and reveal patterns that were previously hidden. For example, by leveraging data and information from billing systems, legal teams are better able to understand the inefficiencies in a process.
The marketplace for legal tech has matured and evolved so rapidly that it is becoming all but impossible for busy general counsel to keep up with developments. Covid has been a huge catalyst, increasing the speed with which we are moving into a virtual workplace, but the wind was already in the sails of the innovators, driving greater choice and competition in the space. What all of this means for corporate legal departments is far less clear, but there are some clear trends we can identify.
The changing relationship between clients and law firms has been spoken about at length, but the significance of this change is still not widely understood. It feels as if there is a revolution taking place in the legal services industry, but the evidence for this is not appearing where many expected to find it.
While there has been a general tendency among businesses to shrink their pool of external firms, the impact of this has played to the advantage of many of the market’s most dominant players. In a typical panel only a small number of firms are ever likely to be deemed key strategic partners. While it is true that corporate legal departments are paring down their panels and moving more of their strategic work to a smaller constituency of firms, the firms that survive are the ones that have historically handled big class actions or M&A deals on behalf of a client.
These firms have reached that almost utopian state where price is rarely an issue. Clients are not going to nickel and dime them on invoices because they are deemed to be delivering true value. When it comes to appointing these firms, particularly on bet-the-company matters, the board of directors is standing behind their GC. In short, there is absolutely no evidence that the traditional elite will be disrupted anytime soon.
The mid-tier law firm space is perhaps more interesting. Clearly, these firms have been hit hard by disruption to the market: competitive pricing has become extremely challenging in a market where transactional work has either abated or moved to alternative providers. Meeting growing client expectations around information security is also much more challenging for smaller firms, particularly as concerns over cyber risk and handling of information have come into the limelight recently. This alone could lead to a firm being delisted from a panel.
At the same time, these smaller firms have the potential to be more agile. They can be more receptive to new ways of working, which is an advantage in a world where clients want to collaborate with and learn from their providers. It can be easier to form that sort of chemistry with a smaller firm.
There is a greater awareness, certainly among legal ops, that a firm is more than its partners. We want to know who works on project management. All people bring value to the organisation, and as much as we like and respect managing partners, we also now want to know the wider firm. It’s a very much a symbiotic relationship, which is exactly how it should be. Like any relationship, both sides need to put in the effort to make it work, but the rewards can be hugely beneficial for both sides.
‘This engagement of the workforce and management as the hands and feet of the response plan turn the plan from a piece of paper into what it needs to be – the means by which the organisation can respond quickly to incidents to prevent them from turning into a data breach or other harmful cyberattack.’
