In the second part of a special series on technology in the legal sector, Leo Long looks at data protection and cybersecurity. Is regulation keeping up? And is your legal team adaptable enough to stay ahead of the curve?
While the world was still reeling from the WannaCry ransomware back in May, a newer, nastier and more intelligent virus called Petya broke the following month.
This pair proved calamitous for many businesses and individuals, but more than that, the events drove home the need for urgency in both the regulation and the adequate security of digital information, and nowhere is that more pertinent than with sensitive information banked at law firms and company legal departments.
While the cyber community is still trying to work out where the two attacks came from, for many, the once-abstract concepts of data protection and cybersecurity are quickly gaining traction.
“[The attacks] add another element of urgency that calls for especially large organizations to beef up their cyber intrusion detection and mitigation strategy – one of the major selling points of the new China Cybersecurity Law,” Stephen Yu, a director at AlixPartners in Hong Kong, said recently.
On internal risk management, handling personal data without breaches is a challenge for businesses. Incidents of data theft around Asia are numerous. A recent report by security firm ThreatMetrix, which provides online authentication services, found 11.8% of e-commerce transactions in the Asia-Pacific were made up of fraudulent login attempts, as cybercriminals leverage patched-together stolen identities to carry out attacks on digital transactions.
Law firms are among the prominent potential targets “because of the confidential and privileged data that they hold, especially relating to M&A [merger and acquisition] activity”, says Paul Jackson, the Asia-Pacific leader of cybersecurity and investigations at Kroll, a global provider of risk solutions.
The Panama Papers in 2016, which involved an offshore law firm and the leakage of millions of confidential attorney-client documents, raised a large red flag for law firm managers. Many firms have employed strategies to boost cyber defences and data protection capabilities. With regard to in-house lawyers, the international Association of Corporate Counsel (ACC) in March published data security guidelines for in-house counsel, which among other things set out in-house expectations of external lawyers that have access to sensitive company data.
New rules and regulations on cybersecurity are expected to have a significant impact on businesses wanting to insure themselves against risks involved with the internet of things (IoT), big data and mobile payments as awareness grows.
For example, Japanese companies are showing great interest in the potential uses of big data and artificial intelligence (AI) in their businesses, according to Christopher Hunt, a Tokyo-based partner of Herbert Smith Freehills. “Japanese companies are increasingly taking an interest in how to insure against cyber risks as their understanding and awareness of the potential exposures grows,” says Hunt.
“APAC entities are generally [although not always] lagging behind when it comes to their cybersecurity posture and levels of spending to address this issue, but things are changing as stronger legal and regulatory frameworks are rapidly being implemented across the region, coupled with a greater understanding at a leadership level of the business impacts of data breaches,” adds Jackson of Kroll.
The resolve to change can be seen in notable campaigns launched by governments, such as Singapore’s Smart Nation initiative, India’s Digital India, and Australia’s Cyber Security Strategy.
Regulators in some APAC jurisdictions are reviewing or amending existing laws and regulations to adapt to more challenging legal landscapes. For example, Japan’s newly-amended Act on the Protection of Personal Information was put into full effect in May 2017. And in July, Singapore sought opinions on proposed amendments to the Personal Data Protection Act (PDPA), and proposed a cybersecurity bill.
With scattered language in various rules and regulations on cybersecurity and data protection, some maturing countries are working hard to introduce more comprehensive laws. One of the notable results is the implementation of China’s Cybersecurity Law, which came along with other relevant regulations and rules in mid-2017.
Another is Indonesia’s issuance of Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems (PDP Regulation) in December 2016, while some other major amendments were also made in the archipelago in the past year.
Zacky Zainal Husein, a Jakarta-based partner of Assegaf Hamzah & Partners, says the PDP Regulation is the first comprehensive data protection regulation under Indonesian law, although it is limited to personal data that are stored in electronic form.
“However, it is still much in its infancy when compared to EU countries or Indonesia’s Southeast Asian neighbours, Singapore and Malaysia,” says Husein.
This developing status might also apply to neighbours like Thailand and India, where comprehensive laws on either cybersecurity or data protection are yet to be put in place.
“The Information Technology Act, 2000 has been the only law dealing specifically with cyber crimes in India. Considering the dynamic nature of cyber crimes and ever-evolving nature of technology, the IT Act has been criticized for its effectiveness, even after the amendments made in the past 17 years,” says Salman Waris, head of TMT and IP practice at TechLegis Advocate & Solicitors in New Delhi.