The role of in-house lawyers in managing risk and protecting reputation | IHL 2018
Published on 16th Dec 2018
It's 4 pm on a Friday when the email lands in the inboxes of Oh See's in-house legal team. There's been a suspected data breach, involving 100,000 customers, which may have resulted in personal data including customers' email addresses, home addresses and hashed passwords being compromised.
The incident seems to be related to a new AI-based smart procurement system that Oh See has recently purchased. Oh See's must-have Augmented Reality devices have been flying off the shelves in the run-up to Christmas, but if this came out, it could cause major damage.
Two questions immediately occur to the in-house lawyer:
- Has the clock started ticking on the 72-hour window for notifying the ICO that there has been a data breach?
- Do we need to inform all of our customers now?
This was the opening scenario in a case study running through Osborne Clarke's recent In-House Lawyer Day. Following the (fictitious) company's travails in the developing scenario, using our own AR-enabled materials, we explored some of the most pressing issues for in-house lawyers in managing risk and protecting their business's reputation, including:
- Data security and privacy;
- Business transparency;
- Digital transformation and risk;
- How to leverage a crisis to drive compliance across the business; and
- Corporate venturing – how to successfully invest in (and exit) innovation through corporate ventures.
Data security: what to do when there has been an incident
Since the GDPR came into force on 25 May 2018, Osborne Clarke has been working with many businesses who have found themselves in Oh See's position, and the answers to the questions around breach reporting are never straightforward. In our case study, the first thing to recognise is that at the point that in-house legal get involved, it is a "suspected" data breach (in fact, care should be taken around use of the term "data breach", which can be pejorative and often not helpful). More work may be needed to establish whether there has actually been a breach and, if so, the extent to which personal data may have been exfiltrated – although the latter is not a precondition to the incident being notifiable to the ICO: mere access by a third party may be enough.
In determining the potential harm to customers, the legal team needs to understand what could potentially be done with any data that has been taken. The fields of information may not on their own be enough to enable a hacker to gain access to online banking or undertake fraudulent transactions – but if the information could be combined with other information hacked from other sources, or if the hashing of the passwords is not sufficiently secure, this could drastically increase the risk profile.
In this session, we also explored trends that we have been seeing since 25 May 2018 – including a rise in contentious data subject access requests and speculative claims following any data incident – and how to mitigate those risks.
To help businesses to prepare and respond to this sort of incident, Osborne Clarke has recently launched a dedicated Cyber365 risk mitigation and response solution.
Business transparency: where risk meets reputation
While Oh See's initial concern was around customer data, the security incident also led to the release of data from its procurement systems. Investigative journalists delve into the supply chain and uncover poor labour practices in the factories of one of the component manufacturers – leading to adverse headlines and some uncomfortable questions for the business.
We explored how business transparency obligations are aimed at changing corporate behaviour by exposing them to pressure from customers and civil society, but also from investors (who are increasingly looking to ensure they are investing ethically) and from public authorities, through their public procurement processes. We also looked at the practical steps that businesses can take to ensure they are able to manage the risks posed by reporting obligations, adapt to new obligations and find the business benefits for them.
72% of in-house lawyers said that they could foresee a business transparency disclosure creating a risk for their business.
We were delighted to be joined in this session by two external speakers:
- Carrie Brassley from Unseen UK – who explained the work that Unseen is doing to combat modern slavery and why this is an issue that should be on the radar for all businesses; and
- Dr Zara Nanu, founder and CEO of GapSquare – who highlighted how data science and analytics can be used to help businesses to understand what they can do to improve diversity and, alongside Osborne Clarke's Leanne Coates, discussed some of the common issues and trends that GapSquare have been seeing.
For more Insights on business transparency, see our dedicated business transparency Insights page.
Digital transformation and risk
As the fallout from the data incident continues, the Board is coming under scrutiny in the run-up to Oh See's AGM. What did they know about what had been going on, and how well had they appreciated Oh See's cyber risk profile?
With the average cost of a cyber breach globally being £3 million, investors are increasingly considering cyber security a key operational and financial risk that must be considered by the Board. Guidance on the UK Corporate Governance Code, which applies to premium-listed companies and companies that voluntarily choose to comply with it, makes it clear that the Board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives. At least one major investor group has said that it expects directors to be able to have a sensible conversation about the business's cyber security arrangements.
Those arrangements need to take into account the business's wider supply chain, since the cyber strength of any organisation is only as strong as the weakest link in the supply chain that it relies upon. Due diligence on suppliers' cyber security policies and systems is an essential part of managing risk, but to do so effectively, businesses need to first understand the flow of data (not just personal data, but also IP, confidential information and other operational data) and where the main risk areas are in the chain, so that efforts can be concentrated there.
Effective management of supply chain cyber risk is also dependent on having contractual protections, including minimum security requirements and audit rights. But those security requirements should be sensible and proportionate to the risk, and audit rights need to be exercised in practice in order to provide protection.
Businesses such as Oh See that produce connected consumer products should also take into account the cyber risks to consumers that those devices present. The Department for Culture, Media and Sport has recently produced a "Secure by Design" Code of Practice for manufacturers of consumer IoT products. It sets out guidelines such as not allowing default passwords or keeping the software updated. While the Code is not strictly mandatory, it represents industry best practice and as such, if something were to go wrong, a court or regulator would expect manufacturers to have complied with it.
Our In-House Lawyer Day 2018 continued with breakout sessions, covering: corporate venturing, with a focus on the legal issues involved in investing in, and exiting, innovative start-ups; and leveraging a crisis to drive compliance across the business.
Takeaways for in-house lawyers
In-house lawyers have a vital role in managing an increasingly diverse array of legal, regulatory and reputational risks for businesses. Digital transformation is changing the way that businesses work and the services they provide, but that transformation can introduce significant risks; not only cyber-related but also more traditional risks associated with business change. The legal team can be instrumental in ensuring not only that the appropriate due diligence and contractual protections are in place, but also that the Board has a good appreciation of the risk profile and the business has robust, road-tested plans for managing the fallout should anything go wrong.
The regulatory environment is also changing to meet the digital age. The use of business transparency as a tool for change is driven by factors including the increasing relative value of brand and reputation, the importance of ethical values to stakeholders such as investors and the workforce, and the continued globalisation of businesses. The challenge for legal and compliance teams is to work with the business to embed not only systems and procedures, but more fundamentally a culture of compliance and transparency. Those who get it right can not only reduce legal and reputational risk, but can also drive efficiencies and enhance brand value and stakeholder engagement.
To discuss how Osborne Clarke can help your business through digital transformation, or develop your compliance and risk mitigation function – or if you are interested in attending future events, please contact one of the experts listed below or your usual Osborne Clarke contact.