Follow ACC Docket Online:  

A Role of its Own: The Importance of Protecting a Company’s Knowledge Assets

L et’s face it: The world as we know it is changing. Our phones double as computers, our company’s most confidential information is now stored on the mysterious “cloud,” and our ability to work from the comfort of our own homes is easier than ever. It’s hard to argue that the future of the modern legal department isn’t leaning digital — you would be hard-pressed to find a lawyer who believed the contrary. While this technological overhaul has brought about distinct advantages, it has also ushered in a new wave of security considerations that have made legal departments everywhere shout one word: cybersecurity.

In the ACC Docket September cover story “Cover Your Assets,” authors K Royal, director at TrustARC, and Margaret Gloeckle, vice president, privacy and compliance counsel at A+E, outline the impact of the digital age on the ability to protect a company’s most sensitive information. And with 23 percent of CLO respondents to the ACC Chief Legal Officers 2017 Survey stating that their company experienced a data breach over the past two years, knowledge asset protection is mission critical.

kroyal

“Knowledge assets are the lifeblood of a company,” says Royal. “Unfortunately, ‘breach’ is a concept that both consumers and executives are tired of hearing. However that does not lessen the real threat.”

 


MaggieHeadshot

 

“At the end of the day, it is team effort across all parts of the organization to protect an organization,” Gloeckle agrees.

 


Below, Royal and Gloeckle deconstruct the latest in ACC research to make the business case for knowledge asset protection and discuss preventative strategies for how to expect the unexpected.


Cost of remediate

In their September cover story, Royal and Gloeckle argue that after a beach of knowledge assets, a company incurs substantial losses to its brand and reputation. Remediation efforts, however, can come at a hefty price. According to a report entitled The Cybersecurity Risk to Knowledge Assets, respondents noted that over the last 12 months, the average cost to remediate a knowledge asset attack ranged anywhere from US$5.5 million to US$270 million.

“The news often talks about the damage to companies from personal data breaches. Those damages are generally from the costs to resolve the potential or actual harm to individuals and the reputational cost — as well as brand damage to the business. And frankly, those damages can bankrupt a company,” Royal explains.

To mitigate risk, educating the board of directors on the possible impact of a knowledge asset breach — especially as it pertains to budget, reputation, and liability — can be an essential step toward receiving future support. Attaining top-down approval for cybersecurity initiatives is the first line of defense against hefty fines and bad publicity.

“Despite the cost of recover and remediation efforts, most boards of directors are not informed of the steps taken to secure knowledge assets. More alarmingly, less than one-quarter of boards are made aware of breaches involving the loss or theft of knowledge assets. A board’s responsibility to understand and address risk on the cybersecurity front is a well-known and often bemoaned aspect of corporate governance,” Royal and Gloeckle write in the article.

Keyword: Cyber 

Although there is still progress to be made, legal departments around the world are beginning to see the benefit to implementing large-scale cybersecurity practices into day-to-day operations. According to the ACC Foundation: State of Cybersecurity Report, 59 percent of respondents expect that their law department’s role in cybersecurity initiatives will increase in the coming years. As front-page events like the WannaCry virus and the Yahoo data breach foreshadow the grim consequences of ignoring cybersecurity initiatives, privacy counsel are increasingly finding a voice within the organization to ensure protection.

“Attorneys who work in privacy have a role unlike other attorneys in the department. These attorneys stand for protecting the individuals’ whose data the company collects. This calls for a different mindset and outlook,” Royal states.

When drafting a protection plan, in-house counsel should institute a multi-faceted approach within the organization — one in which each department is individually responsible for spotting and triaging red flags before substantial losses are incurred. To Royal and Gloeckle, this will require active involvement from both the legal and non-legal parts of the company to stay informed about internal privacy protocol.

“Combining the yin and the yang of the law department will unite the rest of the company through a holistic and consistent approach to protection. No one has anything to lose with such a deliberate and considered path to data protection,” Royal argues.

Step by step

While implementing company-wide data protection policy is an effective first-step to accomplishing the main objectives of any knowledge asset management plan, specific processes must also be instituted to ensure success. According to the Global Perspectives: ACC In-house Trends Report, 35 percent of respondents noted that they intend to conduct mandatory breach training within the next 12 months. In addition, 17 percent of respondents note that the plan on retaining outside counsel in the case of a breach.

Given the high-level risk that a knowledge asset breach presents to an organization, implementing a one-size-fits-all approach to data security is not a sufficient practice. In their September article, Gloeckle and Royal underscore that grand objectives need to be broken down into tangible tasks that can be implemented by anyone in the organization.

“Addressing these issues will not be easy for companies — one cannot merely go hire an expert; it is estimated that there are over a million unfilled cybersecurity and information security positions globally. Thus, companies are forced to take alternate measures to reduce the burden, such as using cloud providers, outsourcing security positions, and cross-training talented IT personnel. And yet, the threat remains,” the article states.

Thinking international

In-house counsel are expected to have eyes on everything, regardless of the size and scope of their company. And in an age where companies are increasingly expanding across the globe — with third parties and outside counsel operating in jurisdictions outside the bounds of company headquarters — the threat to knowledge assets has never been more pertinent. According to the ACC Chief Legal Officers 2017 Survey, 33 percent of respondents in the Asia Pacific region reported experiencing a data breach over the last two years — as opposed to the 23 percent global average. To Royal, these values seem conservative.  

“Both of these numbers are low. Like healthcare professionals, attorneys must maintain a high degree of skepticism and pay attention to all openings for a potential breach. Does it sound as if I support paranoia amount attorneys? Yes I do,” she explains.

For multinational companies, nation-state attacks and third party liability are not to be overlooked. To prevent expansion from leading to inefficiency, develop a risk-based approach and take all possible steps to protect against the worst-case scenario.

Pathway to success

Looking to the future, don’t expect the conversation surrounding knowledge assets to slow down anytime soon. With rapid advancements in connectivity, access, and development, the hacking technology of today will pale in comparison to those of tomorrow. However, with acute attention from the legal department, in-house counsel can harness this momentum to remain ahead of an ever-changing curve. Both Gloeckle and Royal argue that this is an essential step to ensuring the longevity of the company.

“Given that these breaches destroy companies and/or revenue streams, it is not sensational enough to bring attention to it on a broader level. Thus, in-house attorneys must build a solid reputation as a professional and earn the respect of the company. He/she must be seen as a trusted partner,” Royal states.

To learn more about the knowledge assets, read K Royal and Margaret Gloeckle’s September ACC Docket feature article “Cover Your Assets."

About the Author

Matthew Sullivan is the editorial coordinator for the Association of Corporate Counsel.


The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.