This article first appeared in the ABA Journal on the 8th of May 2018 and is republished here with its kind permission.
In what we are calling the Cyber Century, the first signs of danger appear on a screen; a hack, a viral video, a tweet. Any of these can be the opening shot of a bruising battle that can quickly escalate to a crisis.
As general counsel, are you ready to face these challenges?
Recent news events and studies demand that as digital threats loom large, general counsels must shrug off old rules of engagement that had them focused on more traditional (less digital) issues. If not, they leave companies vulnerable to unpleasant surprises that could have dire and long-lasting consequences.
Most GCs are rapidly shifting their priorities to keep pace with the digital times. The Association of Corporate Counsel’s Chief Legal Officers 2018 Survey asked chief legal officers: “What issues keep you up at night?” Data breaches moved into the No. 2 position (up from third in the 2016 survey). While regulatory issues continued to hold the top spot, chief corporate attorneys said many of these new regulations dealt with data privacy. Fear of a cyberattack is on the rise, the survey revealed, with more than one-quarter saying their company had been the victim of a data breach in the last two years, versus 22 percent who had reported a recent breach in the 2016 survey.
Meanwhile, news of digital danger only seems to get worse. In March, Equifax again raised the estimate of consumers affected by its data breach suffered in 2017. The initial estimate was put at 143 million, but it’s since been raised to 145.5 million and now 147.9 million.
What’s more, the challenges presented go beyond stolen data. Disruptors such as Netflix, Amazon and Uber threaten to dethrone industry giants, and uncharted situations caused by new cloud computing law and self-driving car regulations can stymie even the most pedigreed of lawyers.
The pace of change is accelerating. If you were hired for your legal experience and business acumen, now you need an additional skill set to face the Cyber Century—one that embraces technology and puts the company out in front of digital danger.
WHAT SKILLS DO YOU NEED TO BE TODAY’S GC?
1. Have knowledge of leading-edge technological tools and progress. And show a willingness to use it. Too often, lawyers are behind the curve when it comes to adopting the new technology and security techniques. Dated mainframes, for example, are a prime target for hackers. In 2014, according to a Reuters news story, three Chinese nationals posed as information technology company employees to digitally infiltrate the servers of an unnamed law firm, stealing financial documents that allowed them to make $4 million from insider trading before they were caught by the authorities.
You must be able to understand the developments in new technology and advise your company on how to move forward, both legally and ethically. Google’s GC Kent Walker provides a good example. In a 2016 interview with Stanford Lawyer Magazine, he tells of the many technological concerns he faces each and every day. When Google Search launched, there were questions if it would even be legal to query documents online. When Google Books came online, copyright hawks cried foul. But Mr. Walker applied an innovative approach:
“A traditional legal answer [to the previous questions] might be ‘Well, let me look up what the law says about it.’ My answer is usually more like ‘You tell me whether it’ll be socially valuable and I’ll tell you if it’ll be legal.’”
2. Have the ability to navigate the new era of reputational risk. In the past, GCs dealt with reputational risks at the speed of fax. If an incident arose, it was shut down by sending off a “cease and desist” to a newspaper and another to the evening news. In the Cyber Century, every person with a smartphone is a reporter and it only takes seconds for an incident to go viral and stay there.
In September 2016, CNN Money reported that Wells Fargo—the most valuable bank in America by market share at the time—had opened over 1.5 million unauthorized deposit accounts and submitted applications for over 500,000 unapproved credit card accounts since 2011. Though they were fined $185 million by the Consumer Financial Protection Bureau and their CEO lost his job, the reputational damage continued to spread, in no small part via social media. (More recently, the bank was fined $1 billion for overcharging its mortgage and auto-loan customers.)
Don’t stay on the sidelines. Be engaged in the proactive defense of your company’s reputation. This means that instead of trying to rally the troops after the fact, instead be the change leaders. Hold regular tabletop exercises to simulate different crisis situations and speak up when ethics and integrity seem to be taking a back seat to questionable business tactics. To use a Titanic metaphor, don’t just teach people how to use lifeboats, actively watch for icebergs.
3. Develop a capacity for crisis management. Be a student of all manner of threats and how to counteract them. Conduct boardroom drills, such as one in which the GC walks the C-suite through a simulated cyberattack. Study threats other companies are facing and how best to counteract them. What is a disastrous PR move for one company can be an immeasurably useful case study for another.
Finally, focus on learning from the past mistakes of your own company. The public can forgive a corporation blindsided by a massive attack. But when it happens a second, third, even fourth time, they are far less understanding.
Consider the case of Sony Pictures. In response to online piracy, according to an article in Fortune, Sony declared its “war on hackers” in 2011, but the Japanese giant failed to realize the risks of targeting such a group. Hackers responded with a cyberattack that published the credit card records of 10 million customers. Third-party cybersecurity experts laid a portion of the blame on Sony itself, concluding that the company had “shoddy IT practices, including a failure to install security updates.”
It’s after this attack that a true Cyber Century GC would have had the chance to shine. They could have stepped in to analyze the attack, provided reports on risks that could be mitigated going forward, and based new practice scenarios on the real-world events.
Unfortunately for Sony, none of this happened. Sony as a whole had 20 cyberbreaches in the 2011 calendar year.
4. Gain internal and external collaboration abilities. Don’t wait until called for counsel, but instead create lines of communication between legal and other aspects of the company and external stakeholders—particularly regulators—as they contend with a dynamic landscape. As new inventions and services emerge, regulation will follow, but there is often considerable lag time. That means you will need to communicate with all segments of your business to understand what’s being developed internally and think ahead to the regulatory issues that may arise down the line.
Ultimately, as a GC, you must be willing and able to take a leadership role in cyber conflicts. Digital transformation has affected every role in the company, and GCs are no exception. Take the initiative to evaluate your readiness to face technology-inspired challenges. Do it now. Or this Cyber Century will surely deliver a trial by fire to do it for you.