Space invaders

In the second part of a special series on technology in the legal sector, Leo Long looks at data protection and cybersecurity. Is regulation keeping up? And is your legal team adaptable enough to stay ahead of the curve?

While the world was still reeling from the WannaCry ransomware back in May, a newer, nastier and more intelligent virus called Petya broke the following month. This pair proved calamitous for many businesses and individuals, but more than that, the events hit home on the need for urgency in both regulation and adequate security of digital information, and nowhere is that more pertinent than with sensitive information banked at law firms and company legal departments.

While the cyber community is still trying to work out where the two attacks came from, for many, once abstract concepts of data protection and cybersecurity are quickly gaining traction.

“[The attacks] add another element of urgency that calls for especially large organizations to beef up their cyber intrusion detection and mitigation strategy – one of the major selling points of the new China Cybersecurity Law,” Stephen Yu, a director at AlixPartners in Shanghai, said recently.

Regarding internal risk management, how businesses can handle personal data without breaches is a challenge. Incidents of data theft around Asia are numerous. A recent report by security firm ThreatMetrix, which provides online authentication services, found 11.8% of e-commerce transactions in the Asia-Pacific were made up of fraudulent login attempts, as cybercriminals leverage patched-together stolen identities to carry out attacks on digital transactions.

Law firms are among the prominent potential targets “because of the confidential and privileged data that they hold, especially relating to M&A [merger and acquisition] activity,” says Paul Jackson, the Asia-Pacific leader of cybersecurity and investigations at Kroll, a global provider of risk solutions.

The Panama Papers, which involved an offshore law firm and the leakage of millions of confidential attorney-client documents in 2016, raised a large red flag for law firm managers. Many firms have employed strategies to boost cyber defences and data protection capabilities. With regard to in-house lawyers, the international Association of Corporate Counsel (ACC) in March published data security guidelines for in-house counsel, which among other things set out in-house expectations of external lawyers that have access to sensitive company data.