Kirkland breaks own record again to make up 151 new partners and 19 in London

With the boldness the market has come to expect from the world’s highest-grossing law firm, Kirkland & Ellis has again broken its own partnership promotion record, making up 151 globally and 19 in London.

As with last year when the Chicago-bred giant outpaced itself with 145 global promotions and 16 in the City, the move continues an ascent that shows no signs of being thwarted by coronavirus concerns or any other.

Lead sponsor message: Pinsent Masons

Resilience and Recovery

The global pandemic has impacted our lives in so many ways. It’s sharpened our awareness of mental health and wellbeing, reminded us of the importance of connecting with people and re-engaged us with our communities. Businesses too have learned how to operate under the most challenging of circumstances, forced into drastically flexing and adapting to an ever-changing environment simply to continue operating.

Pinsents, Travers Smith and easyJet the big winners as Legal Business Awards returns to Grosvenor House

Pinsent Masons, Travers Smith and easyJet were among the major winners at the 2021 Legal Business Awards, which returned as a live event following the pandemic, bringing together 600 guests in Covid-safe conditions at the Grosvenor House hotel last night (30 September).

Hosted by prominent political figure William Hague, the evening saw Pinsents crowned Law Firm of the Year for a third time, with judges impressed by the firm’s desire to match strong financial performance with its commitment to ESG principles, client handling and innovation.

Revolving doors: Ashurst makes senior high yield hire from Shearman as WilmerHale sees double departure to G100 rivals

Amid another hefty round of partner recruitment, Ashurst has made a senior hire in London, bringing in Jacques McChesney as a partner from Shearman & Sterling to boost its high yield practice. Prior to Shearman, McChesney was a partner at Latham & Watkins.

McChesney advises clients on restructurings, debt tender/consent solicitations and private placements in multiple jurisdictions across Europe. ‘Jacques is an exceptional practitioner with a great breadth of experience,’ said Anna-Marie Slot, Ashurst’s global head of high yield. ‘Our practice continues to focus on advising on first-of-a-kind and complex deals for clients to capitalise on the high yield opportunities across EMEA. Adding Jacques’ significant expertise and established reputation is an important next step in further building our offering.’

Rare blow for Cravath as Freshfields hires Zoubek to co-head Wall Street M&A team

Freshfields Bruckhaus Deringer has hired Cravath M&A partner Damien Zoubek to co-head its New York corporate practice alongside Ethan Klinsberg, a coup that is sure to make waves on both sides of the Atlantic.

The move is yet another indicator to the market that the Magic Circle firm has finally outgrown its reputation for patchy investment in its all-important US corporate offering, lending further kudos to global managing partner Alan Mason’s substantive efforts to bolster the US practice.

Slaughters galvanises succession to name Finkler and Turnill its next generation leaders

In an unusual display of forward planning for a City leader, Slaughter and May has already earmarked Roland Turnill to succeed Steve Cooke as senior partner when he steps down from the role on 1 May 2024.

The announcement today (28 September) came within a week of the news that respected litigator Deborah Finkler had been elected as Slaughters’ first managing partner as of 1 May 2022, following the planned retirement of practice partner David Wittmann and executive partner Paul Stacey.

In conversation: David Mace Roberts, General Counsel, Electronic Transaction Consultants, LLC (ETC)

David Mace Roberts

Awareness of cyber risk is increasingly catching the attention of boards of directors and senior executives. For Electronic Transaction Consultants (ETC), cybersecurity has been a top risk priority for a long time. As a leading provider of smart mobility solutions, including electronic tolling solutions, we manage back-office systems and roadside systems for many prominent state tollways. That means we are dealing with personally identifiable information, payment data and a range of other sensitive data that we need to keep secure.

Regardless of the sector a business operates in, I would argue that cybersecurity is now a primary risk. The frequency of attacks and the aggressiveness and skill of the threat actors perpetrating them have grown exponentially. Threat actors are hitting ever larger targets, and the widespread use of cryptocurrency has aided the ability of threat actors to obtain money. In the absence of national or global legislation that restricts the ability of companies to pay ransom, threat actors will always be able to find an opportunity. But it is worth remembering that most of this crime is opportunistic. From the threat actors’ perspective, cybercrime is a business – potentially a very lucrative one. For general counsel, reducing these opportunities is essential.

It behooves any GC to understand what protections they have in place and to test whether they are adequate in the current threat environment. Lawyers may not feel cut out for this, but their ability to spot gaps in a defence strategy – even if only at a conceptual level – is often hugely important. Fortunately, many of the most effective steps an organisation can take do not rely on a high degree of technical familiarity with IT systems.

There are steps that organisations can take to enhance their cybersecurity regime, including using Endpoint Protection, implementing remote monitoring, tracking and remediation. Updating remote access protection, installing virtual firewalls and multi-factor authorisation are all very important as well. Of course, you don’t want to stop your company doing business, so even with things like multi-factor authentication you need to think about how often it is required and whether it needs to cover every device or network.

In a hybrid or work-from-home environment this is especially important. Again, there are simple tools that can make a big difference. Office 365 Advanced Threat Protection helps to detect and block potentially malicious files from entering document libraries or team sites, or locking the file and preventing anyone from accessing it once it’s been identified as malicious. Also, these files are included in a list of quarantined items, so members of the security team can download, release, report or delete them from the system.

The other element that GCs must keep in mind is training, whether for their own team or the organisation more broadly. First, regular training is essential. If you only train once a year [the message] loses its impact and offers minimal protection. The form of the training is also important, and it pays to get creative. There are services available that do mock attacks with a fake phishing email sent around, and then if someone clicks on the link in error, they must take a remediation course and will ideally not make the same mistake again.

Of course, even the best protections and training cannot prevent a cyber incident from occurring, and having a robust response plan is essential to any cyber risk framework. A lot of companies will pull up a one-size-fits-all cyber response plan, but that’s really not good enough. A bespoke cyber response plan needs to be custom crafted for both you and your industry, and you should have a cyber response committee within the company. Everyone on this should know they’re on the team and know exactly what to do when an attack occurs. That response plan should be periodically tested in a mock attack, so it becomes part of the team’s muscle memory.

Cyber rigor, like any other part of a company’s overhead, can be seen as a non-essential cost. It is not. If you are a senior member of a public company, you’d do well to look at the SEC, the NYSE and NASDAQ who are all really pushing cybersecurity. A cyber incident is already an event requiring an 8k event form be filled out within three days, but it is increasingly becoming a potentially catastrophic reputational risk.

Ask yourself: Do you want this on the front page of the Wall Street Journal, New York Times or the Washington Post? Do you want to have to answer to your board of directors, or to the securities regulators or to the investors or to the general public? If not, then taking the risk seriously now is the best defence.

Foreword: Ramon Ignacio Moyano

From all of us here at World Services Group, it is my pleasure to welcome you to the fourth edition in our series of GC Special Reports, examining the impact and influence that technology continues to have on legal practice.

The past two years have seen the legal profession impacted by technology more than any other period in history, a fact of course driven not by a single seismic innovation, but rather by necessity. And by all accounts – as the pages that follow in this report detail – both in-house and private practice teams alike have thrived, as our collective work environments, habits and processes have shifted, in almost every case, literally overnight.

But amongst the litany of success stories that have emerged, so too did several material challenges faced by businesses as a direct result of these shifts in our professional lives – challenges that are sure to shape the face of the profession for years to come. Data privacy, protection and integrity, cybersecurity, as well as of course, specialist legal technology, are near-universal issues faced by enterprises – and more specifically – their legal departments.

As corporate leaders, general counsel and their teams will be on the front lines during this transition, charged with both setting the rules of engagement for their business and guiding the wider organisation throughout a period that is likely to be characterised as much for its upheaval as it is for the evolution it represents.

At World Services Group, our membership have made it clear that they not only want to be a part of this change – they want to be in a position to lead it. Collectively, we strive to be part of the solution to the issues facing our industry and profession at large and together, we have an opportunity to affect positive change for the profession as a whole.

With an international mandate and broad sectoral representation at World Services Group – in addition to a forward-looking digital prospectus – our network is in an ideal position to capitalise on the bold digital transformation set to define what it means to be a successful legal department in this new digital age.

I would like to extend my sincere thanks to all of those in the legal community who continue to contribute to the ongoing success of this series. By sharing the benefit of your own experiences and actively engaging in discourse around these pertinent issues for the wider profession, collectively, we can chart a brighter future for the lawyers of today and tomorrow.

Ramon Ignacio Moyano
Chairman
World Services Group

Partner
Beccar Varela

Running to stay still: How North American legal teams are using technology

Apple, Amazon, Facebook, Google, Microsoft, Netflix – the last year and a half has been hard, but without these familiar names it would have been unthinkable.

Ever since Bill Hewlett and David Packard founded HP in a Palo Alto garage in 1937, the young and tech-smart have been engines of economic growth across the US. Pandemic aside, the S&P 500 is surging at an all-time high, with companies in the tech sector proving to be the safest bet.
Five of the above listed companies alone – Apple, Amazon, Facebook, Microsoft and Google-parent Alphabet – already represent over 20% of the S&P 500’s total market cap. With the pandemic-induced shift to e-commerce and remote working, it is a trend that is unlikely to end any time soon.

Surely in the US, with an economy skewed heavily toward innovation and a premium placed on doing things better, faster and smarter, the lawyers must be doing things differently? Well, not quite. For all the talk of a quiet revolution taking place in the corporate legal teams of US and Canadian blue chips, the reality is much more complicated.

To make sense of it all, GC magazine teamed up with World Services Group to get the inside story on legal tech in North America. Drawing on a detailed survey of over 200 general and senior counsel working at a variety of companies across both the US and Canada – including many of the global leaders in their sectors – our findings show that tech has not been quite the disrupter many predicted. Yet…

Stacking it up

In spite of the advantages legal teams in the US and Canada have when it comes to the availability of legal tech, many feel they are no further ahead in their adoption of new ways of working.

Fewer than half of respondents to our survey (46%) felt that their teams were in a good place to capitalise on technology compared to their peers. Even more surprisingly, legal teams in the tech sector were just as likely to struggle as those in other industries. Just under two thirds (60%) of respondents working for technology businesses felt confident that they benchmarked favourably in their use of legal tech. In fact, across all the sectors surveyed, those employed in the tech industry (broadly defined) were among the least likely to feel that their use of technology was adequate.

Of course, they were also the most likely to be aware of the technological shortcomings of the legal team. As Liz Benegas, GC of enterprise management software provider Totango, comments:

‘When you’re in an environment that really pushes technology as a solution to business problems, you can find yourself asking a lot more questions about how you approach your own work. That can lead to a lot of new ideas, but it also puts you under pressure to bring your “A” game to everything you do.’

Another respondent, senior counsel at a global technology business, gave an even simpler answer: change is hard, particularly when it comes to tech.

‘[Our company] is generally seen to be at the forefront when it comes to bringing tech to market, and I would say we are way ahead of the curve in terms of our own use [within the legal team].

But still, large parts of what we do are built onto a tech stack that has been around for years. When we look to introduce a new contracting system or cloud-based technology we can’t just assume it will work well with what we have in place. I would imagine these problems only increase when you’ve got an older or more complicated stack to deal with.’

Plus ça change

For many general counsel the first year of working in-house comes as an epiphany. The experience of working at a law firm had shown them a world where partners and associates – often some of the most capable, knowledgeable and dedicated people they had ever known – were forced to work in an environment that either did not seem to support them or that actively worked against them by making highly-qualified people undertake work in an absurdly inefficient fashion. After making the move in-house, the realisation comes: “It’s not the law firms, it’s the lawyers”.

The average GC continues to have the same worries that their team is behaving in an inefficient or technologically unsophisticated way. The central problem, as one senior counsel at a global entertainment and media company observed, is how to continue to deliver value while eliminating bottlenecks. ‘Lawyers will not be replaced by technology, just as doctors will not be replaced by technology. The problem we must solve is how we get rid of bad habits while retaining the good ones. That is something we are only just starting to find answers to.’

The problem with technology, respondents to our survey agreed, is not having too little of it. It is having too many resources that are not used properly. Legal teams in North America are, for the most part, able to access the tools and systems they want. In fact, nearly all of those we surveyed (97%) reported that their legal functions were using more technology now compared to five years ago, with well over half (58%) saying they were using significantly more tech.

But having access to technology is only ever a partial solution to the problem of efficiency. Knowing what to do with it is just as important, and it is often not within the skillset of GCs to make sure a department is joined up when it comes to its use of technology.

Our survey shows North America’s in-house lawyers are less worried about technology than they are about their profession’s ability to use it effectively. Fewer than half (48%) of those polled said they were confident in their team’s ability to harness tech effectively.

Positive externalities

If anything is likely to push legal teams to adopt technology, it will be a global pandemic that has forced large numbers of businesses to shift to remote work. The first challenge for many legal teams when the call to work from home was issued was the realisation that existing ways of tracking and managing work were no longer going to cut it. Knowing what the team is doing can be relatively simple when most of its members are sitting in the same office. Asking, “What are you busy with right now?” over Zoom is not entirely practical.

While it is no surprise to see that 67% of those surveyed said their businesses had ramped up investments in tech as a result of the pandemic, the direct – and, many suspect, lasting – change this has had on the way legal teams handle work is something that caught a number of respondents off guard.

Nearly four fifths (78%) of respondents reported making greater use of technologies such as Zoom and Teams to keep their departments functioning during lockdown, while nearly half (48%) had moved their work onto platforms shared with the rest of the business to make handling matters more effective.

‘What Covid really did’, comments one general counsel for a medium-sized US software company, ‘was shine a light on how poorly aligned a lot of departments were across the business. It forced us to move from a situation where everyone had developed their own practices and habits – either as a team or as an individual – to a situation where we all had to move in lockstep to keep the planes from falling out the sky.’

But finding new ways to manage workflows is only the start of it. When nobody can leave their house, getting documents signed is a problem. Except it is not. As many legal teams have come to realise, the problem was relying on ways of thinking and acting that had already outlived their utility.

By forcing teams to rethink the ways in which legal work is completed, Covid has given impetus to a far more radical transformation in the in-house legal function. Nearly a quarter (24%) of the teams surveyed said that they had already redesigned their processes to cope with lockdown, and the results have been positive. As one respondent, director and assistant general counsel for a US-headquartered multinational consumer goods corporation, put it: ‘Having to serve business remotely was probably the best thing that ever happened to us.’

‘With the call to “work from home where possible” we had to take a step back and think about what it actually means to support the various divisions of our business. That was a moment of crisis, but it was also a period of productive reflection.

Instead of automatically following the same steps each time without ever thinking about outcomes, we had to think about what the intended outcomes were and plot the best path to them. Sure, we still have to process sales requests, but do we need people to do it, or is there some better way of getting to the same point?’

Now, as many lawyers return to the office, there is a feeling that legal work will never be quite the same as before. As Michael Shour, GC and secretary for Banyan Software, comments, ‘Especially with the Covid pandemic, it just makes so much sense for a lot of this stuff to move online. Whether it’s sharing information with colleagues or signing documents, we have seen how easy it is to digitise this type of thing and it will be very difficult to unlearn those lessons and go back to the old ways of working.’

In conversation: Damian Olthoff, General Counsel, PROS Holdings

Damian Olthoff

Since I joined PROS Holdings in late 2011, I have seen the company triple in size. Most of that growth happened during the last few years, so it’s fair to say we have been on an incredible upward trajectory.

PROS Holdings is an AI-based software business in the B2B space that optimises shopping and selling experiences. For example, we create the software that airlines use to price tickets. In a range of sectors and industries, we develop innovative software that services some of the largest companies in the world to deliver frictionless, personalised purchasing experiences designed to meet the real-time demands of today’s B2B and B2C omni-channel shoppers.

In 2015, we made the decision to pivot our on-premise software-based service to a subscription-based cloud software model. At that time, roughly two-thirds of our revenue came from licenses and professional services, so the move was a major change for our business model. Although not an easy transition, it was a necessary and successful move that secured a path to further growth.

As a result of this work, we were well positioned to work virtually using digital tools as a company, almost at the flip of a switch. Even so, when the pandemic hit the working culture of our organisation changed quite radically, and the legal department had to evolve at speed.

One important change was shifting the way legal interacted with business. When working in the office, it was common for people to swing past the legal department with their questions. In a virtual environment that opportunity does not exist, so it was something we had to adjust to very early. We were able to modify a service desk software system our company was already using and implement that for our legal team. Since people were already familiar with the programme it was very quick and easy to set up.

The results have been very positive, and it has certainly caused me to question why we didn’t think of doing something similar before. We have since built this out to handle all day-to-day legal matters. Now, instead of knocking on the legal team’s door, employees know where to submit their requests and how to track them in real time.

A secondary benefit of this approach is that it has given us metrics on the work we do. We can see who is working on a matter, the response time to the matter and we can easily review the volumes of work coming through. We can also scale by analysing the complexity of the work and the cycle time it takes to complete tasks. There have been a lot of benefits from adapting our processes.

The biggest advantage with going more digital is transparency. This system allows us to give great visibility into how matters are doing overall, and how they are being handled. It also allows us to see how much of what we are doing is actual legal work – as opposed to process work – and whether a matter can be handled more efficiently. This empowers our team to better delegate work and to focus on matters that require specific legal expertise.

Contract automation has also shortened the time it takes to put together standard agreements. We did some analysis and worked out that it takes a paralegal 20 to 30 minutes to put together a standard contract. If you take into account the volume of contracts the average business does, you realise pretty quickly that you will need a small army of people just to keep up with that side of things.

By automating standard company contracts we enabled commercial teams to assemble their own documents, injected a level of transparency into the process, and allowed the legal team to focus on more strategic questions and less on standard operational work. When it comes to contract work, being able to flag and address non-standard terms in real-time is the next frontier.

Just like the GPS in your car, I believe in the future we will be able to use relevant data signals to navigate legal matters using AI. I do not think this will happen broadly in the next couple of years, but certainly it may in the next decade.

Implementing these processes did not happen overnight, but the impact has been transformational. Compared to a few years ago, the quality and sophistication of the work we do today can be attributed to capacity created from the implementation of legal tech.

We now have systems in place that allow us to track the common questions we have dealt with in the past. This is truly empowering. It means legal advice is based on real data and gives us all the conviction that what we are doing is not only reasonable, but also marketable. For a support function, it is incredibly powerful to be able to assign a dollar amount to the contribution you’re making to the bottom line.

Just as importantly, it frees up our capacity as in-house counsel to focus more on other things, whether that be data privacy, compliance, ESG or D&I. Lawyers are more than contract jockeys and they can add value to many areas of a business. Technology is liberating lawyers and giving them a renewed purpose.

Despite all the clear advantages technological innovation provides, the legal profession as a whole has been slow to adapt. The next step will come when legal software providers move their offering to target in-house practitioners. This tends to be an area of the market that is receptive to new ways of working, and we are already seeing a shift in the focus of software vendors.

I have encountered many conservative professionals in my time who are averse to change. But, as with everything, the moment will come when the pain of staying still becomes greater than the pain of moving. We are not far from seeing that tipping point as the pace of change continues to accelerate, and GCs as a group are increasingly aware of this.

Tech Tactics: The case for rethinking the legal function

This time, finally, it might be happening.

For at least a decade now lawyers have talked up the impending transformation of their industry, with technology set to play the lead role in a new and better way of doing things. Why would anyone think otherwise? The legal profession, as every GC will point out, is riddled with inefficiency. Clients are being asked to pay for things they do not need, and very expensive labour is routinely assigned to basic tasks.

But recognising the problem and identifying the solution are two very different things. While almost all GCs can give a long list of reasons why the profession should change and what it should look like, far fewer had a roadmap for how to get there. Until now.

‘There’s a movement afloat’, says Chris Young, general counsel of Ironclad. ‘For the first time ever in the history of the legal profession there is cutting-edge technology that allows us to do our jobs more effectively as lawyers. The whole profession is now waking up to what it can do differently, and it is in-house legal teams driving this change.’

But technology is only part of the picture. When it comes to understanding the changes taking place across corporate legal teams, the rise of legal operations (legal ops) is just as important. ‘For years every department at a major company has had its own ops function’, notes Young. ‘Marketing, engineering, sales – all of these departments have relied on operations professionals to keep them moving. Now we are seeing that in legal teams, and it is having a transformational impact on the way systems, processes, people and tech work together.’

Ashley Herring, global legal programme manager at BCG, is among the new breed of ops professionals working to improve legal teams. Identifying the purpose of the legal function, she says, is key to unlocking its potential.

‘The temptation for a lot of in-house teams is to set things up in a very transactional way that looks to a large extent like the model of an internal law firm. That is not really the best structure, and it doesn’t give the best results. Legal should not let itself become a dumping ground – it overburdens the lawyers and takes away from what the function can deliver to the business.

Setting up things in a way that lets you extract data and make data-driven decisions is essential to this. Technology can play a big part here but technology itself should not be the goal. The goal is being able to structure decisions and processes in a way that is based on data and numbers.’

In other words, technology is a tactic, not a strategy. While it can be a useful way of improving the legal function, it will only work if the function knows what it wants to accomplish. This, for many GCs, can be a difficult question to answer. But, for those that have given it thought, the possibilities are endless.

‘I want to be a data-driven lawyer and not just a lawyer who talks about data’, concludes Young. ‘With the tech that now exists I can look at our sales contracts historically and generate data that is of real predictive value. Finally, legal is beginning to function like any other department and use its data to accurately forecast what the quarter is going to look like.’

Identifying the ‘why’

To judge from the results of our survey, legal teams in North America are enthusiastic supporters of technology. Over half (51%) of those surveyed felt new technology would significantly enhance outcomes within the legal team, while 84% felt it would enhance outcomes to at least some extent.

The appetite for technology was just as apparent, with 58% of respondents saying they wanted to increase the use of technology within their legal team.

As ever, finding the budget for new tech was the biggest obstacle they faced, with 62% of teams citing this as a barrier to change. Over a quarter of legal teams (26%) said they wanted to introduce new technology but lacked the time to research available tools, while just 11% said they were unable to find a solution that met their needs.

However, a sizable number of corporate counsel (14%) felt they already used too much technology. As one respondent, general counsel at a Canadian energy company, noted, ‘Finding technology is not a problem. Making sure that technology is being used properly by everyone in the team is the issue. You can’t execute a tech transformation in a large team without having some form of discipline and training. You either all do it together or it doesn’t work. I am quite willing to admit I do not have the time or expertise to effectively oversee that sort of project.’

Even the most popular and successful forms of legal technology, such as contract management systems, found their critics. ‘Lawyers love contract management systems, but do they really test how they’re being used?’, asked one respondent. ‘Of course, if you’re a lawyer then you intuitively understand why a contract platform would be useful. Go speak to the sales team that has to use it and you will hear a different story. I have found that these things are not actually all that intuitive when they’re out in the wild.’

Still, when it comes to a show of hands the consensus is that corporate legal functions will change for good: 91% of those surveyed said they expected AI to be a disruptor in the legal industry, with nearly half (47%) saying they expect this disruption to be significant.

Inevitably, there will be push back. Any legal team over a certain size recognises that it needs a contract management system, but a solution that can flag risks or identify and extract terms is a different matter. For some, the unspoken message when advanced technology is introduced is ‘a machine can do your job, and it will be more reliable’. But, says Michael Shour of Banyan Software, the results lawyers can achieve with advanced tools mean widespread adoption is all but inevitable.

‘Recently, I trained an AI solution to help review a certain type of regularly occurring contract that was key to our business. It improved our response times and, I think, ultimately helped us win deals. It didn’t get rid of the lawyers; it gave us better and more accurate information and allowed us to handle the matter more effectively.

‘The use of this technology will continue to evolve and become more pervasive. Already, service-level agreements and the general sophistication of providers have improved considerably. It is incumbent on GCs and legal tech providers to at least try to keep up with these developments, even if doing so is not always easy.’

As ever, there will also be strong resistance from State Bars when it comes to innovative ways of delivering legal services. But as the legal profession reaches critical mass in its use of technology, regulation will have to follow suit. 

In conversation: Olga Rodstein, General Counsel, BrightSign


I have always been an early adopter of legal tech and have embraced new technology from very early in my career. Before joining BrightSign, I was a litigator in a commercial disputes and property team. I would often move between New York and Silicon Valley, the global centre for tech and innovation. It is no surprise that when I decided to shift my career to in-house, I was destined for the tech startup world.

I now lead legal operations at BrightSign, a global company that specialises in digital signage media players. Like many companies, BrightSign was hit hard by the pandemic. Fortunately, as an organisation we were very innovative and were able to pivot our business operations and create solutions. For example, many of our applications became touchless. We implemented QR codes and voice recognition technology to make our tech Covid safe. Although business has picked up again and we are able to revert to working with more traditional digital signage, touchless solutions will remain the way of the future.

In the last few years, I have seen an explosion of new legal tech apps that have made a positive impact on in-house legal departments. New technology has enabled general counsel to maximise efficiency whilst minimising costs, enabling general counsel to keep legal teams lean.

At BrightSign, we use a range of legal technology to improve our own legal operations. We have embraced applications such as DocuSign, Box and other contract management tools. Before lockdown, I had made it a priority to digitalise and organise all contracts by storing them in the cloud. This made the transition to home working very smooth for everyone.

Legal tech has come a long way. In just two years, it has undergone a transformation in utility.

It is amazing how efficient our legal operations have become with the introduction of the right type of technology. For instance, by storing documents in the cloud team members are no longer bogged down in finding or filing legal documents. If you need to share a document, you do not even need to email it. You can just send a link and if you no longer want them to have that contract, you can disable the link. This has made sharing confidential documents even more secure.

Technology has also made collaboration more efficient. Documents in the cloud can be edited by different departments easily. People from different areas of the business, such as finance, can share their comments on a particular contract effortlessly. This collaborative approach has transformed legal work.

Going digital has also been great for the environment. Technology today has made legal documents more easily stored and accessible. By embracing electronic filing, titles and images of documents can be scanned by a simple search. This is particularly useful if you are looking for a clause or sentence in a large contract. Legal tech eliminates clutter and the need to organise physical files.

Electronic signature technology has been incredible. Documents no longer need to be printed and can be signed from your phone. Within our legal team we try not to print documents to reduce our paper usage.

Although I am a big believer in legal tech applications, GCs need to be honest with themselves that not all tech is useful. As general counsel, you have to be smart about which application you choose to use. You should never blindly rely on technology, as applications are designed by humans, and humans are prone to error. For example, we use an HR compliance tool and even though it is great we have to ensure that its functions comply with California law. The application could be designed to meet the legal requirements of another state or jurisdiction, so blindly trusting an application can be problematic.

That means the human oversight piece will never vanish from the picture, but the likely trend is that legal teams will continue to become leaner. It is a major cost-saving benefit for companies to automate labour-intensive tasks such as filing or locating contracts. As a result, corporate lawyers will be able to spend their time focusing on more sophisticated legal work. For the future I am exploring tech applications such as Ironclad, Parley Pro and other existing contract software. The future is digital and the potential for legal tech to move business operations forward is limitless.

In conversation: Paul Slattery, General Counsel, Eleusis


At Eleusis, we are developing psychedelics for potential therapeutic applications, as well as a care delivery platform that aims to increase the safety, tolerability, and accessibility of any ultimately-approved psychedelic drug therapies. It is a complex path from drug discovery, to preclinical work, to trial design and regulatory submissions, involving selection of potential patient populations, invention of patient monitoring systems, and optimisation of treatment regimes.

As general counsel, I support our team facing these challenges in preclinical and clinical development of psychedelics for psychiatry, therapies beyond psychiatry, and care delivery. Compliance with controlled substances, FDA, EMA, and other healthcare law is a big part of the role.

Technology enables our legal department to deliver for the business. Calendaring programmes track our patent portfolio, regulatory planning, and submissions, as well as entity management. Task management software allocates diverse work in an efficient and auditable way. Our board portal secures and organises our communications and governance documents. Independent data rooms protect trial and observational study data compliant with privacy laws. In short, digital management of our department helps coordinate our remote team to empower Eleusis’ scientists and clinicians.

We also make extensive use of DocuSign, a popular eSignature platform. Neither our contracting velocity nor its global reach would be possible without it. Collaboration in an IP-driven space requires near-constant execution of non-disclosure agreements (NDAs), as well as ready access to their terms and expiration dates. Absent technology, we could not manage that without a much larger team. The next phase for eSignatures is their acceptance by regulators and other authorities on documents like informed consents and filings, and I am glad to see that trend already underway.

For a GC working in the tech sector, particularly remotely, connecting with other in-house counsel is essential. Among others, I joined an invite-only network called TechGC. This community of general counsels from emerging growth companies shares best practices, sample documents, and a listserv. It is invaluable for a lean team practicing outside a law firm’s institutional knowledge and bench of subject matter experts. While the companies TechGC members represent range across industries, there is nearly always a GC who has faced an issue similar to the one in front of me.

Technology has also enabled a shift – accelerated by the pandemic – in the relationship between practicing law and lawyers’ lives. For in-house legal teams, [working from home] removes geographic recruiting constraints, lowers many folks’ cost of living, and enables around-the-clock availability of a team member without sleepless nights. I am in Venice Beach; my deputy is in New York; and our paralegal is in Florida. That would be unthinkable two decades ago, but technology has made that possible and effective.

On a more human level, technology is just a tool, and it has downsides for my team too. I keep a photo album of working on my laptop in beautiful places – Switzerland, Honduras, Alaska, and Baja. That is either freedom or a little dark depending on how you look at it. Technology means you can work from anywhere, and also could be working wherever you are. Lawyers are susceptible to boundaryless grind, and we are now solely responsible for building divisions between work and the rest of our lives. It is incumbent on a modern GC to set the tone and support team members in building those personalised boundaries.

The advantages of legal tech are clear. It helps lawyers deliver better and faster for the company, and there is headroom for it to do more with natural language processing and similar technologies. If you review hundreds of entities’ bespoke NDAs, you find there is immense arbitrary variation to get to the same six terms. There will be ethical obligations to sort out in handing that to software, in the same way there have been with technology-assisted document review in litigation, but the gains from legal technology make it feel inevitable that we will get there.

Today, when people refer to a ‘technology company’, they are often referring to the application of tech to a traditional sector. Take Lime, the phone-based electric scooter rental service. Is that a tech company or a transportation company with an app? Nearly every industry has been upended by what tech makes possible. Law will be characteristically slow on this front, but it is now law’s turn.

The State of Privacy: Does the US need a federal privacy law?

Reforming data privacy laws may not sound like a move destined to leave an enduring political legacy, but in policy-making circles the topic casts a surprisingly long shadow.

‘One of the major hang ups of US leadership role has been the absence of a federal commercial privacy law in the country’, says Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP).

For many, the most puzzling question of all is why there is still a debate about the issue. In a world where data, and the power to regulate its use, is becoming a central part of statecraft, the United States is conspicuous in lacking a national data privacy law.

A decade ago, when the Obama administration started discussions on strengthening privacy regulations in the US, the business community considered the initiative as an unwanted and unneeded interference. Since then, it has become clear that the alternative may be far less palatable.

‘We are pretty quickly going down the path toward fifty plus privacy laws, which is the same place we have found ourselves with data breach notification law’, says Liz Benegas, general counsel of enterprise management software provider Totango.

Bob Jett, head of global privacy and risk at Crawford & Company, says the case for a federal law has never been stronger. ‘As citizens and consumers, we are only going to increase the number of things we do online. We can also see that some of the largest tech companies are stepping up and saying they want to be accountable for what they are doing in terms of privacy. They have realised that if they don’t self-regulate, the government might come up with stricter regulations than anticipated.’

Privacy, protection and pragmatism

New ways of working and the technology that enables them are creating all-new challenges for businesses – both legal and otherwise – with data privacy a headline concern for corporates of all shapes and sizes. GC speaks to leading professionals from across the WSG network to find out how they are advising clients navigating an increasingly complex corporate environment.

‘Technology has reshaped every aspect of legal life from the way research is completed, to how documents are filed, and, with the pandemic, how we appear in court via remote video platform,’ says Robert McFarlane, a partner at Hanson Bridgett and leader of the firm’s technology and intellectual property practices.

‘With remote applications come increased risks. All businesses, including law firms, must employ electronic and cloud security measures that minimise the chances of data leakage and the compromise of confidential client materials. We invest heavily in security measures and training and advise our clients to do the same.’

Critical to effectively evaluating current measures and implementing training – particularly from the perspective of corporate counsel – is a thorough understanding of the contemporary rules and regulations applicable across all relevant jurisdictions.

‘The keys to mitigating privacy incidents are actions taken prior to the incident itself,’ explains John Babione, a partner at Dinsmore & Shohl LLP. ‘For organisations operating across state lines in the US or internationally, the work done before an incident to know and understand what laws apply to the data flowing through the organisation will reap tremendous benefits for mitigating the harm.’

But in an area that is evolving as quickly as data privacy and protection, staying abreast of the rules of engagement – particularly when extraterritorial considerations are now also frequently at play – and managing the varying expectations and requirements represents an ongoing challenge for general counsel.

To manage this, Batya Forsyth, a partner at Hanson Bridgett and co-leader of the firm’s privacy, cybersecurity and information governance practice, advocates for maintaining the highest possible standards across the organisation.

‘We typically recommend clients comply with the strictest state privacy laws that could apply to their businesses,’ she says.

‘In recent times, this would be California state law—namely, the CCPA and upcoming CPRA, which goes into effect in 2023 and is very often compared to the GDPR, the EU’s well-known, highly-restrictive privacy scheme.’

Managing the challenges of data in the modern corporate environment can’t be limited to just in-house considerations though, with Forsyth advising that external suppliers and contractors be held to the same high standard as internal stakeholders.

‘GCs must have confidence that the vendors critical to the functioning of their business are committed to and are, in fact, protecting themselves as well,’ she says.

‘A comprehensive vendor management programme should provide a clearinghouse of relevant contracts, a thorough understanding of each vendor’s contractual security promises and insurance commitments, as well as a current audit of select vendors where appropriate. If contract provisions are missing or too lax, GCs should consider negotiating amendments or revisions at renewal.’

Public demand for new privacy laws has tended to be weaker in the US than other developed countries, though the disruptions of the last year and a half – pandemic-related issues like vaccine certificates, digital contact tracing and mobile health apps – have helped put privacy and data security at the forefront of public debate.

A recent poll by data intelligence organisation Morning Consult shows that 83% of voters wanted Congress to prioritise privacy legislation. Surprisingly, those who identified as Republicans were just as likely to hold this view as those who identified as Democrats.

For Cameron Kerry, a visiting fellow at the Center for Technology Innovation at the Brookings Institution, visiting scholar at the MIT Media Lab, and former general counsel of the US Department of Commerce, the significance of strong data privacy laws goes beyond the short-term benefits it would bring to consumers and businesses.   

‘In terms of the international picture, 2021 is a very important year for determining whether people can truly put their trust in American companies and technologies. Businesses want to see a consistent national standard rather than a variety of state standards that mean they have to re-engineer their systems each time they move to a new state.

‘American business has already had to adapt to GDPR, and many companies have internalised a lot of these practices and have acknowledged their advantages for themselves and their clients. There could not be much more fertile grounds for a federal law than we find today.’

Whether or not the US moves to pass a federal data privacy law, the number of states passing their own legislation has ramped up to the point that keeping track of developments can sometimes be a challenge even for the professionals. It also means that, whatever the next four years hold, the state of data privacy in the US is a question every GC will be following closely.

We spoke to those working at the sharp end of data privacy to find out what developments corporate counsel should be paying attention to.

A hill worth fighting for?

The drive to protect private citizens’ data in the US is arguably older than the country itself. Long before he worked to draft the Declaration of Independence and the US Constitution, Benjamin Franklin used his position as Postmaster General to ensure the privacy of communications sent by mail (to this day, the Fourth Amendment protects letters from search and seizure).

Subsequent lawmakers followed in this tradition, and in the last 50 years alone the US has introduced several notable pieces of privacy legislation, from the US Privacy Act 1974, which contained important rights and restrictions on data held by US government agencies, to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which laid down data privacy, security and confidentiality rules for health insurers.

In short, the US has never been inattentive to the importance of privacy. But for GCs struggling to navigate the patchwork of laws governing data privacy across the country, the big hope is that the Biden administration will finally push for comprehensive nationwide legislation.

In the run up to the presidential elections in November 2020, privacy specialists were convinced that, whatever the outcome at the ballot, federal legislation would soon follow. Draft bills from both sides of the aisle were circulating in Congress, and when Senators Roger Wicker (a Republican) and Maria Cantwell (a Democrat) introduced the Consumer Online Privacy Rights Act (COPRA) and the United States Consumer Data Privacy Act (USCDPA) in November 2019, it seemed like an often-polarised political system had at last found common ground. That the election ultimately swung in Biden’s favour only served to reinforce this confidence.

‘Parts of the Trump administration had an interest in weighing in on privacy legislation and trying to help move that forward, but there wasn’t any high-level interest in this issue’, says Cameron Kerry. ‘However, Biden, and certainly some of the people around him, have said explicitly that the US should adopt privacy legislation.’

Since then, there have been further signs that data privacy may come into sharper focus. On 12 May 2021, President Biden issued the Executive Order on Improving the Nation’s Cybersecurity. While cybersecurity and data protection are not the same thing, there is a close relationship between the two on a legislative level.

As Liz Benegas, general counsel of enterprise management software provider Totango, comments, ‘you can have security without privacy, but you cannot have privacy without security. We all know the emphasis the US put on national security recently. Developing a comprehensive framework for each is difficult and takes time, but now that our systems have been hardened, privacy should be added to the legislation list as well.’

On that list there is already the Information Transparency and Personal Data Control Act, introduced in March 2021 by Representative Suzan DelBene. While the proposed Act is not as wide-ranging as the European Union’s General Data Protection Act (GDPR) or existing Acts applying in certain US states such as the California Privacy Rights Act (CPRA) and Virginia Consumer Data Privacy Act (VCDPA) in particular – it does not contain the right to access personal information or the right to collect or delete information held by a controller – it does include a pre-emption provision, meaning that, if adopted, it would supersede state laws relating to data privacy.

This, believes Cameron Kerry, points toward a credible impetus for legislative change. ‘There is still the opportunity, interest and conditions to get it done [in the US]. A lot of good work has been done by Capitol Hill in both Houses to understand the issues. Key Republican and Democratic bills in the Senate are pretty close on these issues. A few points still need to be resolved, particularly pre-emption and private right of action, but there are some potential paths ahead.’

Speaker of the House of Representatives Nancy Pelosi has already stated that the House would oppose any federal law that does not include the same level of protection as COPRA, and it is likely that the question of pre-emption is going to be a huge stumbling block.

However, comments Julia Reinhardt, Mozilla fellow in residence, privacy consultant, and a former German diplomat specialising in EU privacy policy, ‘the Biden administration realises how important this is for industry, for people, for consumers and for international data transfers, so I really hope that it will find ways to push this project ahead.’

‘Privacy is a big horizontal topic that regulators have been working on for decades. GDPR may have a few gaps, but it was a big step ahead to have one regulation for a large, contiguous market. The EU member states each had their own privacy laws before GDPR harmonised a general law for the 27 countries.’

Hurry up and wait

While there are of course certain differences of context between the US and EU, the European experience shows that none of the problems facing federal data privacy legislation are insurmountable. Except perhaps one.

Bob Jett, head of global privacy and risk at Crawford & Company, the world’s largest independent provider of claims management to the risk management and insurance industry, believes North America is sufficiently culturally distinct to make any parallels problematic.

‘The unique difference between data privacy in North America and in Europe is that Americans and Canadians, for the most part, do not consider their personal information to be a fundamental right. Most of us are willing to give up our rights to privacy for convenience or speed.’

‘In the US, we are much more worried about cybersecurity, because of the potential impact that has on our infrastructure, our ability to use our credit cards, or to get gasoline and to travel.’

A difference in European and American cultures of litigation could also become an issue. While Europe has yet to witness a wave of GDPR-specific class actions, the long tail of these types of cases makes it difficult to know whether that is because they do not exist or because they are currently working their way through the system. If it turns out to be the latter, it could be a big warning sign for US businesses.

‘Regulations can become litigation tools’, adds Jett. ‘This is one of the things I have been tracking, because in the US, there is a fear of class action lawsuits around this. And such lawsuits have actually started to be filed in California.’

Even supporters of a federal data privacy law concede there is more groundwork to be completed, particularly around the issue of private rights. ‘The question around the rights for individuals to bring lawsuits for privacy violations coming from companies is crucial’, notes Reinhardt.

‘The volume of cases and magnitude of fines tend to be significantly higher in the US compared to Europe, so it may be necessary to include some provision that only allows attorneys general at the state level to sue.’

While these debates play out among lawmakers, GCs will have to go about complying with an increasingly complex patchwork of laws on a state-by-state level. But deliberation among lawmakers does not mean that legal teams can or should take a patient approach to managing privacy.

‘Data protection – both the privacy and security aspects of it – is quickly becoming a risk management function rather than a technological challenge’, says Benegas. ‘Gone are the days when only the chief technology officer needed to know or care about the issues. Nowadays, all levels and functions within a company need to know and be prepared.’

‘GCs and corporate counsel will play a pivotal role in helping shape the response to this challenge, not only because risk management is part of the job description but because of the broad view legal teams have into company operations, from human resources to vendor management to customer contracts.’

Ann Cavoukian, former Information and Privacy Commissioner for the Canadian province of Ontario and originator of the concept of privacy by design, which was subsequently incorporated in GDPR, also advocates a proactive stance when it comes to data privacy in the c-suite.

‘In these times of legal limbo, I always encourage companies to get a certification. First, it builds trust and business relationships, which has been lacking for a long time. Second, it increases the quality of the information they collect.’

‘There is no inherent tension between granting privacy and exploiting economic value when it comes to data. You can capitalise on data but strip it of all personal identifiers. One of the seven foundational principles I established with my privacy by design approach is to abandon the zero-sum models, where it is either-or or win-lose. There should not be a conflict between business interest and privacy. We should be aiming to satisfy both.’

In conversation: Robert Jett, Chief Privacy Officer, Crawford & Company

I have been working on data privacy since before it was a recognised area of law. When I started out, what is now understood as privacy was part of a company’s compliance programme and fell to its compliance officers. Of course, privacy still falls under compliance, but it has become a unique feature of the compliance programme.

To oversimplify things for the sake of making a point, privacy is just compliance with an IT flavour, and it is something I have been giving presentations on to boards of directors and executive management for over a decade.

It’s funny, because I still have a compliance-based approach. I come to the meetings with only four slides. At first, everybody looks at me like I am out of my mind, but they soon understand that we don’t need many more to understand what privacy is all about.

Essentially, privacy in an organisation can be reduced to four fundamental questions: Which data are we collecting? Why are we collecting it? What are we doing with it? And finally, where does it go to die?

In reality, privacy and compliance programmes have to be a lot more detailed, of course, but at the end of the day, if a company can effectively answer these four “Ws”, I would argue that it has a very robust programme.

While the fundamentals of privacy have stayed the same, the environment businesses operate in has not. In particular, the general public is becoming more aware of privacy issues, and the last of the four “Ws” has taken on a new importance. Companies cannot keep data forever and they must find ways to get rid of the data they do not need in a secure manner. Businesses must also remember that security is always key when it comes to privacy. If you’re storing data in the cloud then to a large extent you are relying on a third-party. The quality of its controls and server management may be exceptional, but it is a potential gap in your security.

As chief privacy officer, I work with the chief information security officer daily. Together, we have built an incident response plan for privacy and another for security, but the two are intertwined. My management agreed to it because we demonstrated that cybersecurity breaches are, almost invariably, a threat to privacy. That’s why I would advise counsel to always take the two threats together. You rarely discover one without the other.

Technically speaking, security has improved a lot in the last twenty years. We have created automated tools that can support anyone’s privacy policies. So much that nowadays, most ransomware attacks are due to human failure or insiders. The old approach of making a brute force attack on a server typically does not work anymore. Consequently, the bad people have gone back to tried-and-true techniques, like spear phishing, which lead to attacks that take advantage of social behaviours.

I have seen an 80% increase in phishing attacks in the past few years and it has gotten even worse since the beginning of the pandemic. These are often very targeted and very well thought-out from a social engineering perspective. Hackers know that we work and live on our computers and smartphones, and it just takes one careless mistake from an employee for them to download IDs and then access all or part of your system. It is a little scary, and board members are generally very worried about phishing, but privacy professionals are here to help.

I have been tracking what may happen, during and after the pandemic, as regards medical records. From a privacy point of view, they have always been sacrosanct, and I think that we are going to start seeing that peel back a bit.

In the US, there has been a lot of hue and cry over vaccinations because there is this tension between the Occupational Safety and Health Administration’s requirements and the level of security that is reasonable to expect from companies. Employers have an obligation to maintain a safe workplace. This includes protecting people from airborne diseases. Therefore, for them to carry out their duty, they should be allowed to inquire if their employees have been vaccinated against Covid.

These things have never really been allowed in our modern societies, so the ways in which this will play out should be of interest to every privacy professional and general counsel.

In conversation: Alex Tovitz, General Counsel, AbleTo Inc.


The intersection of technology and health is truly fascinating. AbleTo, a leading provider of virtual behavioural healthcare, proves there is a hugely important role for technology to play in providing healthcare, but working out the right blend of technology and in-person connection is an important aspect to the successful delivery of this care.

Our technology can be used to assist people in finding the right therapy and programmes, and when it comes to behavioural healthcare people’s reliance on technology is only going to increase. Our telehealth tools strengthen the relationship between our therapist and our patients in a safe digital space.

Our services consist of a number of licensed therapists that provide virtual behaviour therapy to individuals and businesses. During the pandemic our company grew significantly. The strain of lockdown caused many people to turn to online health services in a way we had never seen before.

Given the centrality of tech to our offering, it is no surprise that our work in the legal team is also heavily reliant on technology to deliver service to the business. For example, we have been working with a number of vendors to implement a new contract management platform. Making all contract work digital will be our next step as a growing organisation.

We also operate a very distributed legal team, with professionals based everywhere from Florida to Texas and upstate New York. To be efficient with that set-up you need to coordinate effectively, and tech tools – even fairly simple ones like Google Docs – are essential in allowing the team to share documents and stay connected.

However, it is the not so simple tools that offer the most exciting possibilities. When I first started practicing law over 20 years ago, I could not have predicted where we are today when it comes to legal technology. The legal tech space is growing and there is really a wealth of options on the market now.

For any lawyer that is midway through their career, getting comfortable with technology and change is very important. I started my career in litigation and a large part of the job was manually looking up case law. A lot of what I did was stamping, numbering and producing documents. Just last year I was handling some legal matters and I could see how much legal tech has made the practice of law more streamlined and efficient.

This pace of change will continue and it will have a transformational impact on in-house teams. While artificial intelligence has been hyped for a long time, it is clear that practical applications now exist. Certainly, algorithms are being created that not only assist with contract management, but also generate basic legal advice. It is inconceivable that such tools will not be used to help improve team efficiency over the coming years.

Other interesting emerging technologies are blockchain, AI and smart contracts. How quickly these spaces develop is yet to be determined. Nevertheless, I believe legal technology is bound to change the practice of law within the next ten years. Attorneys – including myself – should continue to embrace the change that comes with legal tech.

This is a potential danger for the career stability of lawyers – after all, in an already crowded market the last thing a lawyer wants to hear is that technology will make large parts of the job redundant. However, for general counsel, and perhaps also for professional advisers of all kinds, it is an intriguing opportunity.

If tech can be used to reduce administrative work, and all the signs are that it can be used very effectively to do this, then more time can be spent on legal analysis and strategic legal work. Any form of technology that helps lawyers represent their clients more effectively and efficiently should be embraced. This is where I see legal technology making the biggest impact.

One of our top priorities at AbleTo when it comes to technology is privacy and protecting the health data of our users. Making sure we have the right privacy infrastructure is not only a legal imperative, but also a business one. Our participants share very personal data on our platform, and we work very hard to ensure it remains private and secure. I have a dedicated chief privacy officer who works to ensure this data remains secure. We also need to make sure we are compliant with all national and state laws when it comes to data protection.

The tip of the iceberg: Data protection and cyber risk

Bob Jett, chief privacy officer at Crawford & Company, notes: ‘People used to joke that when a GC hears of a cyber attack or data breach they breathe a sigh of relief and say, “Thank God, that one falls to the IT team”. Today that joke wouldn’t make sense. No serious corporate legal professional thinks cyber and data risks are off their radar.’

Britton Guerrina, deputy global general counsel for technology and shared services with Deloitte Touche Tohmatsu Limited, echoes this view. ‘Cyber and data protection are increasingly important and should be top of mind for any legal team. The legal and regulatory risks in these areas have increased and continue to do so, with countries introducing increasing regulatory requirements, many of which are contradictory.’

Corporate counsel may be increasingly aware of the dangers posed to their organisations from cyber attacks, but the results of our survey of over 200 senior counsel across the US and Canada suggest their organisations take a very different view.

While 91% of legal teams were aware of their organisations’ cybersecurity efforts, only 18% said they were heavily involved in these efforts. In fact, an alarmingly high number of teams (39%) were not involved at all, while nearly two thirds (63%) were either not involved or only involved to a small extent.

Even legal teams that are involved in their organisations’ cybersecurity strategy are typically confined to a fairly narrow role. By far the most likely task falling to legal teams is ensuring the security of their own communications, data and files (84%) or providing strictly legal opinions on regulatory compliance (47%). Just under a fifth of teams (19%) reported being involved in their organisation’s wider cyber response planning, while only 7% were monitoring cyber threats across the organisation as a whole.

Businesses not involving legal teams in their cybersecurity efforts should take note: over half (53%) of the senior counsel surveyed rated their organisations’ cybersecurity defences as either poor or average. Just 13% said their organisations had excellent protection against cyber threats.

The limited involvement of legal teams when it comes to cybersecurity efforts is particularly puzzling given the obvious advantages lawyers would bring to the process. As Britton Guerrina notes:

‘Legal involvement is critical for various reasons, and lawyers are able to guide efforts in a wide range of areas, from helping to design the security programme to comply with privacy, employment and other local laws to advising the cybersecurity team on cyber regulatory requirements.

Legal teams can also assist with the roll out of security tools while addressing any legal impediments. They can advise which legal and regulatory requirements apply to a breach based on the facts and circumstances presented, determine whether breach notification requirements (regulatory or contractual) have been triggered, and craft notifications, interact with regulators, law enforcement, and so on. In my view, legal and cyber need to partner together, along with risk, in order to protect the organisation effectively.’

However, as Michael Shour, general counsel and secretary for Banyan Software, observes, this is likely to change as the regulatory and reputational stakes increase.

‘Legal is actually very well positioned to spearhead this area, but it is often not an area where management wants legal to focus, due to the limited resources. As class actions and cyber-related litigation increase over time, I suspect that this will continue to require an increasing amount of legal involvement.’

Plugging the leaks

Monitoring cyber risks may still be deemed a low priority for legal counsel, but the related issue of data privacy is fast becoming a key part of the legal team’s role. As one respondent, senior counsel for data and privacy at a global media and telecoms business, puts it:

‘Data protection is a growing issue, and not just because of the rise of serious and very damaging incidents which we all read about in the news. From a compliance perspective, it is the increase in country-wide and global regulations. Business has to operate as smoothly as possible, and it is our job as legal to help it do so within these regulatory boundaries.’

When asked to identify the most pressing cyber threats their organisations faced, nearly half (49%) of corporate counsel pointed to the risk of customer data being compromised. Theft of confidential business information was seen as the next most pressing risk, reported by 28% of those surveyed. As Naseem Bawa, general counsel for InteraXon, a leading maker of brainwave-controlled computing technology and applications, points out, in the digital economy data is a chief driver of value. ‘Data is part of a company’s IP and without stringent safeguards to protect and enhance its value you are leaving your doors unlocked.’

For comparison, just 2% said that direct monetary loss through theft was their organisation’s most pressing concern. While theft can be costly, it is often nowhere near as expensive as dealing with the regulators. For businesses that have yet to experience a significant data breach, comments one senior legal and compliance counsel at a large retailer, the uncertainty over consequences can be troubling.

‘The big unknown here is the way regulators will respond. The marquee cases have been in the financial services industry, and there is some evidence that regulators will look at what a retailer is doing around data and compare it with the systems and controls that have been put in place by financial institutions. Obviously, these financial institutions have far more robust data-security arrangements in place, which is potentially something that could damage our position in any litigation.’

These risks are especially pressing, continues the respondent, in a world where customer interaction is increasingly digital.

‘Mobile payment apps and e-commerce are becoming the principal vector through which fraudsters are able to infiltrate business systems. It’s a data security issue but it’s also a cybersecurity issue that goes right to the heart of our business. That means the legal team needs to know how our IT systems work, with at least some degree of accuracy, and how those systems can sink us.’

For those unfortunate enough to suffer a breach affecting customer data, knowing how to respond is key. The advice from one general counsel at a large US medical insurer is to bare all. ‘If customer data has been compromised then you need to tell them, and you need to help them take whatever steps are needed to mitigate the risk they now face. In the first day or so after an incident everyone is scrambling around to collect as much information as possible before the company needs to report the incident, but often it will be too late for the customer if you wait a day. Bite the bullet and tell them what has taken place. And, of course, have a plan ready so you aren’t worrying about drafting the message during a firestorm. If you are facing a situation where you need to email potentially millions of customers, you will really be thankful that you planned ahead of time.’

This planning, many agreed, is among the most important steps that GCs can take. As Richard Brzakala, director of external legal services at Bank of Canada, comments, ‘The old maxim “Trust but verify” applies here. You may have best-in-class cybersecurity in place, but it needs to be tested continuously. It’s not a question of if things go wrong. They will go wrong. You will experience a cybersecurity incident or data breach eventually, so be prepared.’

Held to Ransom

On 7 May 2021, Colonial Pipeline, the largest petroleum pipeline in the US, was shut down following a cyber attack. It remained closed for five days, causing panic buying, fuel shortages and national security soul-searching. For cybersecurity experts, the most surprising element of this episode was that a key part of US infrastructure was not brought down by the actions of a hostile state (at least directly), but by a small group of cyber-criminals deploying a devastating form of online extortion software: ransomware.

After gaining access to a company or individual’s system, the attacker will make files inaccessible in some way. At the lower end of the scale, the malicious programme may simply lock the computer, an easily fixable situation for an IT professional and no great problem for a large company. But when deployed by more sophisticated attackers, the software will encrypt the victim’s files so effectively that recovering them without the decryption key is virtually impossible.

The Colonial Pipeline ransomware attack was just one of several high-profile events that have struck ostensibly secure organisations over recent months. May 2021 also saw a ransomware attack on meat processor JBS Foods, a $53bn company that is deemed vital to US food security. The attack, which led to closure of some of the company’s facilities, was reportedly ended after an $11m ransom was paid.

While the scale and severity of recent attacks has surprised many, the growing popularity of ransomware comes as no surprise to specialists in the field.

‘My first response to the upsurge in ransomware attacks lately was that we analysts have been warning about this for over a decade, and we all predicted this was going to happen’, says David Fidler, senior fellow for cybersecurity and global health at the Council on Foreign Relations.

‘Now it’s here we have another round of gnashing of teeth, but opportunities to mitigate the danger have been missed time and time again over the intervening years.’

Fortunately, even for those who may have missed the early warning signs, hope is not lost. GC speaks to some of the leading counsel and cyber experts to find out what the rise of ransomware means for business, and what lawyers can do to help prepare their defences.

The unlocked door

The rise in attacks affecting everything from water and energy utilities to fuel distribution systems is a sign of things to come. From a cybersecurity perspective, the truly frightening aspect of these attacks is that, once systems have been compromised, there is little IT professionals can do to regain control. Bhavani Thuraisingham, Founders Chair Professor of Computer Science and the Executive Director of the Cyber Security Institute at The University of Texas at Dallas, comments:

‘When the malware enters the system, it has access to almost everything, and in a ransomware attack [hackers] will encrypt everything and demand a payment in exchange for the key to unlock the files. As of today, AES 256 encryption cannot realistically be broken with modern computing methods. Unfortunately, this means that if the attack progresses to this stage, you have really no access to anything in the system unless you get the key to decrypt the data’.

Richard Forno, senior lecturer in the University of Maryland, Baltimore County Department of Computer Science and Electrical Engineering, puts it even more succinctly: ‘If you haven’t been conducting cybersecurity best practices and a sophisticated attack takes hold of your systems, you’re screwed’.

As a result, victims of high-profile ransomware attacks have been left with little option but to pay up. In the case of Colonial Pipeline, hackers demanded a ransom payment of $4.4m in the form of bitcoin, which they promptly received in exchange for codes to unlock the company’s systems.

More troublingly, the lines of attack hackers are exploiting are not easy to defend against. For example, phishing attacks in which members of staff are fooled into downloading malicious software by seemingly genuine emails are becoming increasingly effective. This, says Forno, is increasingly dangerous given the rise of social media as a means of validating an unknown person’s identity.

‘Using artificial intelligence and machine learning, you can identify, develop and even create fake personas that are very detailed. This can allow you to make a phishing email that is much more convincing to the target, particularly if you’re targeting a particular individual, such as the CEO of a company.

What’s more, even those who follow every reasonable security protocol and measure can, unwittingly, become a victim of the more sophisticated hacks. Increasingly, [malicious] software is being downloaded through perfectly legitimate websites via ad networks. [If a hacker] is able to compromise a content or software distribution network, malware could be injected into this such that users of a legitimate website would then be downloading malware through the network.’

React and respond – preparing for times of crisis

As the realities of new digital attack vectors and how to respond to them become increasingly evident for major corporates and their counsel, leading private practice practitioners from the WSG network share their insights and advice to help businesses prepare for the worst.

‘Ransom attacks, including larger supply chain-type attacks, continue to lead the headlines and pose a sophisticated threat to a business’s ability to operate or recover, now more than ever,’ says Batya Forsyth, partner at Hanson Bridgett and co-leader of the firm’s privacy, cybersecurity and information governance practice.

With cyberattacks increasing in frequency, severity and variety, the need for general counsel and their teams to be prepared to react and respond accordingly has fast become a business imperative, irrespective of company size or sector.

‘A response plan should set the expectations high for the organisation,’ says John Babione, a partner at Dinsmore & Shohl LLP. ‘Responding effectively to security incidents and potential data breaches should be emphasised as critical to the success, and in some cases survival, of the organisation.’

Exactly what a response plan looks like will be different for every organisation, with individual risk factors and tolerances both likely to heavily influence the final plan and procedures. However, the experts we spoke to agree on several common elements that featured in successful response plans.

‘A good security response plan sets forth a process that is easy to understand at all team levels – from general staff to general counsel – and functions well across a variety of attack scenarios,’ says Forsyth.

‘Most importantly, the plan must explain how the plan gets triggered, who makes that decision, who needs to know about that decision and the first next step for the team.’

Getting buy-in from the wider organisation and ensuring that everyone understands their individual roles in times of crisis were also seen as essential parts of successfully managing a response, with time often a critical but limited commodity in any attack scenario.

‘The plan should enlist all affected personnel as partners in a team effort in which everyone knows their daily efforts and diligence on the front line are valuable and needed,’ says Babione.

This engagement, though, shouldn’t be limited to times of crisis, says Babione, who instead advocates for an always-on approach to monitoring for threats and being prepared to respond – an approach that emphasises mitigation as much as it does preparedness.

‘To do this, the day-to-day IT environment, applications and tools must support and encourage employees to be watchdogs, looking for trouble and reporting it up the chain of command,’ he explains.

‘This engagement of the workforce and management as the hands and feet of the response plan turns the plan from a piece of paper into what it needs to be – the means by which the organisation can respond quickly to incidents to prevent them from turning into a data breach or other harmful cyberattack.’

This type of attack, say the cybersecurity experts interviewed for this report, has already been detected on some of the world’s largest websites, often with little or no awareness among their users.

Adds Thuraisingham: ‘Ransomware spares no one. It could attack an 80-year-old great grandmother, a major financial company or even critical infrastructure. With that said, the more pain the attacker causes, the more publicity they get and the more money they can extort; sectors that allow them to cause maximum damage may therefore be more vulnerable. These will include major hospitals, government organisations and, especially, financial companies.’

Of course, cyber experts are aware that ransomware attacks are now big news, and that reporting biases undoubtedly skew toward them. Even so, says David Fidler, senior fellow for cybersecurity and global health at the Council on Foreign Relations, the underlying reality is that such incidents are on the rise. In fact, says Fidler, the true extent of the problem has probably been under-reported.

‘There has been an increase in ransomware attacks, and that increase has been felt across the entire corporate sector in North America and beyond. Beyond this, there is a large number of institutions – typically hospitals or other bodies that hold large volumes of data – that have been victims of ransomware attacks without the public or media ever becoming aware of it. So the problem is growing and the scale of the problem is perhaps larger than one would imagine.’

The GCs who came in from the cold

From the perspective of the US government, ransomware is a clear and present danger. The increase in the size, sophistication and public awareness of these attacks, as well as their ability to damage critical infrastructure, puts general counsel on the fault line of what, for some organisations, will be the most important challenge of the coming months.

‘The connection between criminal ransomware attacks and how the United States government perceives our adversaries as providing havens for cyber criminals is key’, says Fidler.

‘The government has already accused Russia and China of tacitly allowing cyber criminals targeting US companies to operate free of constraints. We’re seeing movement toward more offensive actions on the part of the US government aimed at cyber-criminal organisations based in potentially hostile territories because, clearly, our defences are not effective in preventing these attacks.

If the government does move in that direction, that is a much more dangerous context for businesses to be in, because we do not know how cyber-criminal groups are going to respond. They could become even more sophisticated and try to test how much further we’re willing to escalate’.

The thought that corporations might unwittingly get caught in this cat-and-mouse game of testing and defending critical infrastructure is no longer an abstract item on the risk agenda. Even smaller companies that are not deemed essential parts of the US economy now face the prospect of becoming collateral damage in the tit-for-tat exchanges brought on by the escalation of opportunities for cyber attacks and the escalation of deterrence by punishment.

‘For GCs, understanding the potential threat is key’, adds Fidler. ‘Understanding what the threats are from this potential escalation on the part of the government may help persuade the C-suite of the need to make more investments in their own cyber defence.’

Of course, only a minority of companies will fall victim to the most serious of incidents, but indirectly almost every single organisation will end up paying the price, whether through increased demands on security and compliance or changes to their relationships with customers and commercial partners.

Insurance has long been one of the major tools used by corporates to mitigate their exposure to cyber risk, but as the number of cyber-related insurance pay-outs topping seven figures grows, policies are being hastily rewritten.

‘[Last year] was an unprecedented year for ransomware attacks and the payment of related insurance claims’, notes Lavonne Hopkins, senior managing legal director for security, resilience and digital at Dell. ‘As a result, the cybersecurity insurance market is hardening as insurers re-evaluate how to keep their cyber insurance offers profitable.

I have observed that insurers are focusing more on evaluating organisational cybersecurity maturity and preparedness when making coverage decisions and determining premiums and deductibles. We can only expect this trend to increase. Organisations should start to prepare for a future that potentially excludes ransomware coverage from cyber liability policies and requires self-insurance models.’

A worrying thought. And even those who can find suitable policies should not be complacent against the threat, says Thuraisingham.

‘Certain insurers are now offering specific products that cover the threat of ransomware attacks but relying on this can be extremely risky. To activate the coverage a company must first lose its data in a ransomware attack; only then will the insurer release funds to pay the ransom.

This is obviously not ideal, as the protection offered does not typically compensate for the reputational damage or staff costs associated with the incident. I would advise taking all the preventive measures you can before relying on insurance.’

The price of this sort of ‘kidnap insurance’ coverage is also likely to increase markedly as insurers keep a watchful eye on cybersecurity developments. A report issued recently by Hiscox, an Anglo-Bermudan insurance provider that specialises in niche categories of risk, noted insurers faced a 50% year-on-year increase in pay-outs for cyber-related policies, with ransomware attacks the biggest contributor to this growth.

Outsmarting the hackers

Even the most generous insurance policy can only be triggered once a cyber attack has taken place, by which time financial compensation alone may not be enough to repair the damage. For general counsel, the only real way to defend against risk is to go on the attack.

David Mace Roberts, general counsel of transport information systems provider Electronic Transaction Consultants (ETC), has been working to keep one step ahead of cyber attackers for many years. For Roberts, the most notable feature of a good cyber risk plan is that it looks unlike anything else on the market.

‘A lot of companies will pull up a one-size-fits-all cyber response plan, but that’s really not good enough. A bespoke cyber response plan needs to be custom crafted for both you and your industry.’

Thuraisingham echoes Roberts’ comments. ‘Just as with health concerns, the best method is prevention. Protect all your systems, data and processes so that the attackers cannot gain access in the first place. Perhaps most important, companies that do not mandate backups and do not have extremely stringent security policies are most in danger. Do continuous backups of data and processes. I cannot emphasise proper backup procedures enough’.

Indeed, as Richard Forno notes, none of these measures are difficult to implement, but business has tended to ignore expert advice for too long.

‘The problem I see is that a lot of companies and governments of all sizes fail to do basic cybersecurity best practices, things that we in the industry and academia have been urging people to do for 20, 30, 40 years. This can be things as simple as having a really strong password or using multiple forms of authentication for critical or sensitive systems’.

The most important aspect of effective defence against a ransomware attack, however, comes with employee training. Human error is overwhelmingly likely to be the biggest weakness in a cybersecurity defence package, as well as the first thing a criminal group will look to exploit. To guard against this, says Roberts, the only option is to train relentlessly: ‘If you only train once a year then training loses its impact and offers minimal protection.’

Lavonne Hopkins of Dell agrees. ‘Unfortunately, ransomware most frequently originates from human error, and over half of ransomware victims suffer repeat attacks. Training and education are critical to ensure a comprehensive cyber preparedness strategy and prevent these ransomware attacks. Organisations should mandate cybersecurity training, including phishing training, for all employees and contractors. Employees are the first line of defence and need to be equipped with the knowledge to help prevent an attack’.

Before any of the above can take place, senior management needs to take the risk to business from cyber attack seriously. As Thuraisingham notes, it is all too common to encounter business leaders who consider cyber strategy as a matter for IT professionals.

‘When you’ve hired the best risk analysts and cyber teams money can buy it is very easy to conclude that you’ve done everything you can. This is fundamentally wrong. Businesses will always be vulnerable to these attacks, so there needs to be a constant awareness of just how serious the consequences can be.’

Unfortunately, awareness of cyber risk among the C-suite seems to remain limited. Our survey of over 200 general and corporate counsel in North America revealed that while legal teams felt there was a very high risk of cybersecurity breaches to their organisations, fewer than half were actively involved in shaping cybersecurity risk planning.

For many organisations, it may come back to haunt them. As Roberts concludes, ‘If you are a senior member of a public company, you’d do well to look at the SEC, the NYSE and NASDAQ who are all really pushing cybersecurity. Do you want this on the front page of the Wall Street Journal or the Washington Post? Do you want to have to answer to the boards, or to the securities regulators? If not, then taking the risk seriously now is the best defence.’

In conversation: Chris Young, General Counsel, Ironclad

When legal moves fast, business moves fast. Time kills deals, and often moving at speed is imperative. For in-house counsel, the need to move quickly can be a source of tension. No lawyer wants to hold business back, but it takes legal time to review a contract and ensure compliance. Rushing can generate risk that comes back to bite you.

This longstanding tension is not only a problem for GCs. At a basic level, all lawyers are contracts lawyers and all the businesses they serve are contracts businesses. The contract is the most fundamental unit of commerce. Whether it’s an offer letter, an employment agreement, a stock options agreement, a vendor agreement with a third party, a sales agreement, a marketing agreement, or any other form of agreement, business relies on processing contracts at speed.

The sweet spot is when you’re moving quickly and responsibly. The tension between speed and risk is something lawyers have struggled with for a long time. You cannot put yourself in harm’s way just to move quickly, and you cannot put yourself in a position where you’re losing deals because legal is taking too long to process contracts. When you’re moving at speed without compromising internal rules or policies, you’re doing well.

At Ironclad, and among our hundreds of customers around the world, we have worked to tighten the relationship between legal and commercial teams. Ironclad is the preeminent digital contracting platform for business. Our focus is on the end-users, whether they are in sales, HR, marketing – any function or professional that deals with contracts can benefit from the platform. We do not consider ourselves a legal tech company. Our enterprise-wide software is often deployed and administered by the legal department, but it frees lawyers from having to generate contracts.

When I run orientation sessions for clients, I like to begin by showing a painting from the seventeenth century, The Village Lawyer by Pieter Brueghel the Younger. It depicts a lawyer sitting at his desk surrounded by mountains of paper. A queue of people stands around waiting for his time. The one thing blocking them from going back to business is waiting for an interpretation. And that interpretation is likely to be something relatively simple. “What does the contract mean, what terms or provisions are contained within it and who owes what to whom?”

Too often, this is still the case today. Legal is the central hub for contract review. It is also the chief bottleneck when it comes to speed of business. At Ironclad, we are changing that by powering the world’s contracts in a way that legal teams love.

For example, using our no-code workflow builder, the legal department can generate contracts and templates for any number of purposes. With Ironclad, a single workflow can produce hundreds of different versions of a document, whether it is a Non-Disclosure Agreement, Enterprise Services Agreement or any other commonly encountered legal document. This means various teams across an organisation can generate their own contracts while staying safely within the guard rails set by legal: Who can sign which contract? Who is part of the approval authority matrix? Does that change if the contract rises over certain financial thresholds? All this is stored in a fully searchable repository so things like data breach notification obligations can be identified at the click of a button.

Ask not what your company can do for you

As legal tech matures, it is not only allowing GCs to do their jobs faster. The really exciting thing is that tech is now changing how GCs can bring value to their companies. To take one example, I can now look at our sales contracts and know which of them has gone through one round of red-line edits, and which has gone through two rounds of red-line edits. That allows me to identify patterns in the data. I can see that when a contract has gone through one round of red-line edits, the probability of a deal closing is at a certain level. With two rounds of red-line edits, that probability rises significantly.

That is the sort of data that GCs just didn’t have access to before. It means we can more accurately forecast what the quarter is going to look like using data generated and held within the legal function. That’s just one of dozens of applications you can put legal analytics to, and it is exciting to see what is now being done with this sort of information.

If you’re a GC and you don’t know where all your contracts are or what’s in them then there’s a lot of room for you to significantly up-level your compliance measures. Recently, Ironclad acquired PactSafe, an Indianapolis-based clickwrap transaction platform that enables companies to process high volume agreements. From create to review to negotiate to sign to store and repository, contract lifecycles do not just exist for B2B contracts. For a growing number of businesses, monitoring B2C contracts is becoming essential.

We’ve all been through the experience of signing on to terms of service in the B2C space. Whether it’s Uber, Spotify, or any of the apps and services we have come to rely on, we have all given manifest assent to a contract by clicking a box. Behind the scenes, companies need a way to manage those millions of clicks. When facing litigation or a potential class action, companies will need to identify which users signed what agreement. To get even more granular, they may also need to quickly come up with evidence that most, if not all, of a proposed class had signed an agreement containing the relevant arbitration clause. That sort of litigation is highly likely when you’re a successful company and having the tools to manage and process large volumes of data is key. We are excited to explore how this process of manifest assent – a process very similar to e-signing – can be used more widely in the B2B space.

No excuses

For many lawyers, legal tech has been a series of false dawns. It has often promised to revolutionise the way lawyers work, but it has rarely delivered. That, finally, is set to change. For the first time ever in the history of the legal profession there is cutting-edge technology that allows us to do our jobs more effectively as lawyers. The whole profession is now waking up to what it can do differently, and in-house legal teams are driving this change.

In-house teams used to ask their law firms about technology. Now it’s the reverse. GCs are encouraging their firms to adopt technology, and firms are hearing about the most useful software and tools from their customers. But technology is only one part of this transformation story. The rise of legal operations as a specialism has been just as exciting.

For years every department at a major company has had its own ops function. Marketing, engineering, sales – all of these departments have relied on operations professionals to keep them moving. Now we are seeing that in legal teams, and it is having a transformational impact on the way systems, processes, people and tech work together.

GCs have always faced the same question: how can the legal department cope with increasing work volumes as a business grows? Are you going to add bodies as legal departments have done for decades now, or are you going to use technology and smarter processes to scale up? Increasingly, technology is the only viable option. I have made it my goal as GC to practice what I preach. At Ironclad, we have one commercial counsel servicing over 60 salespeople who negotiate up to dozens of deals each day. The only way that’s possible is by leveraging our own system.

My goal as a legal leader is to have one of the leanest departments out there. A lot of GCs talk about wanting more headcount – I take the opposite approach and ask how I can keep the team as lean as possible. For legal teams struggling to stay on top of things, try this: instead of scaling by adding more people, scale with systems. Measure the success and improvements you can get through using the right tools and processes. The results will convince you that technology can have a transformative and liberating impact on the legal team.