Nobody is immune to cyber threats: even former Hong Kong Secretary for Security Regina Ip Lau Suk-yee fell victim to hackers last year when she opened an e-mail attachment, enabling them to steal HK$504,000 from her account. As data sources and cyber threats proliferate, a coordinated effort that extends beyond the information technology department is in order.
Cyber threats pose an immense risk to organisations and to one of their most valuable assets: information. Breaches of personally identifiable information, non-public information and other sensitive client and employee data can have material and broad-ranging consequences, including internal and regulatory investigations, shareholder litigation, payments to affected consumers or employees, and sanctions for privacy violations.
Although IT departments have traditionally led the implementation of security measures, cybersecurity is increasingly a business and legal problem, because the consequences of a breach reach well beyond the network. As a result, in-house counsel are taking a more active role in guiding their organisations' response.
The Cybersecurity and Data Privacy Landscape in Hong Kong
Recent developments in cybersecurity and data privacy in Hong Kong call for greater involvement by corporate counsel. For example, on 15 September 2015, the Hong Kong Monetary Authority ("HKMA") issued guidance on cybersecurity risk management to authorised institutions, instructing leadership to take a four-pronged approach to protecting data:
- Risk ownership and management accountability: Organisations should appoint someone to oversee risk management and establish lines of accountability to senior leadership.
- Periodic evaluations and monitoring of cybersecurity controls: Organisations should regularly evaluate the effectiveness of their cybersecurity controls, assess any gaps and plug them as necessary.
- Industry collaboration and contingency planning: Organisations should work with each other and with the authorities to share and gather threat intelligence, and should test their incident response and business continuity plans so that they are prepared to respond to and communicate about data breaches.
- Regular independent assessment and tests: Organisations should employ staff or retain vendors who can objectively assess cybersecurity readiness.
The HKMA has stated that it expects covered entities to document their progress in strengthening their cybersecurity controls and that it may ask organisations to produce evidence of it. The guidance does not adopt a particular benchmark, but it does point to a series of international standards and to examples of preventive, detective and contingency controls that organisations can use as a model.
The HKMA guidelines sit alongside local data privacy rules that apply to all businesses. Hong Kong's Personal Data (Privacy) Ordinance ("PDPO") requires that personal data be protected from, among other things, "unauthorised or accidental access, processing, erasure, loss, or use." A breach of that data protection principle is not itself an offence, but contravening an enforcement notice issued by the Privacy Commissioner is, and is punishable by a fine of HK$50,000 and imprisonment for two years.
Counsel have taken on the responsibility of reviewing and understanding these regulatory developments. They have also assumed a leading role in translating them into a viable action plan to defend their employers’ digital assets.
Ten Steps Counsel Have Taken to Protect their Organisations’ Data
Although counsel are critical to ensuring that their organisations have a 360-degree view of applicable legal standards and understand the implications of risk, their role no longer stops there. Once counsel make the organisation aware of the cybersecurity and privacy landscape, many take the lead in designing plans that address threats as part of an enterprise risk management programme. To protect data throughout its lifecycle, they have adopted the following foundational cybersecurity protocols:
1. A Security-Conscious Culture
All employees must understand that cybersecurity is not simply an IT domain; it requires the cooperation of everyone who touches the network. Countermeasures to cyber threats are only as effective as the humans who employ them. All the security measures in the world cannot protect data if employees are susceptible to spear phishing attacks through spoofed e-mails or use weak passwords that are simple to crack.
Counsel have required that the organisation provide at least annual training on emerging threats, regulatory requirements, corporate policies and security best practices, often working with the chief data security officer and others to oversee the training and risk prevention programme.
2. A Digital Asset Inventory
Counsel have collaborated with IT to review the organisation’s inventory of networks, hardware, software, databases and servers. Additionally, they have worked with the IT team to maintain a current data map of all digital assets across business units, human resources, accounting and audit teams.
3. Protection of the “Crown Jewels”
Corporate counsel have also taken steps to understand corporate data and classify it according to its priority and potential risks. Armed with this knowledge, organisations have prepared appropriate countermeasures. While it is not possible to safeguard every byte of data or block every potential network access point, counsel have created policies that ensure that the most sensitive data assets are protected. From trade secrets to protected health information and financial data, the most sensitive data assets are proactively flagged and receive the highest possible protection.
4. Ongoing Risk Assessment
Because the adequacy of a company's countermeasures will be scrutinised if a breach occurs, counsel continue to stay abreast of applicable data protection and breach notification laws, which guide their periodic review of the organisation's risk assessment protocols. Those protocols require regular audits of networks, systems and endpoints and continuous monitoring for intrusions. Because monitoring itself touches personal data, such policies also require the organisation to notify employees that their activity may be monitored, setting an appropriate expectation of privacy.
5. Use of Analytics to Isolate Threats and Protect Sensitive Data
Data analytics can help identify potential vulnerabilities and irregular patterns that may indicate an attack. Continuous auditing and monitoring tools can detect fraud and other risks in structured financial data, but the growth of unstructured sources, such as e-mail, chat applications and social media, calls for more advanced tools. By partnering with data scientists and e-discovery specialists, organisations have used advanced analytics to flag potentially risky communications for human review, intervening before a risk materialises.
6. Supply Chain Risk Management
Legal counsel increasingly review all contracts with third parties that process data, including cloud providers and e-Discovery vendors, to verify that adequate security controls and breach remedies are in place. Indeed, the HKMA requires authorised institutions to validate that third-party providers have adequate risk management frameworks and to monitor their vendors' performance. Evidence of adequate security standards includes recognised certifications such as ISO/IEC 27001, whose 2013 edition lists 114 Annex A controls covering matters such as physical security, firewalls, data encryption, monitoring and disaster recovery. A certificate attests only to the scope named on it, so counsel should confirm that the scope statement actually covers the services being contracted. While ISO 27001 compliance may not always be sufficient against advanced persistent threats ("APTs"), established baselines such as those used in Tier III data centres can help ensure a minimum level of protection, especially for sensitive data.
7. Data Access Restrictions
Though external threats receive most of the attention, internal threats can pose significant risks, ranging from employees' unintentional lapses to schemes designed to sabotage the organisation or engage in other malicious activity. Knowledgeable in-house counsel have created cross-functional controls to ensure that users have access only to the data they need to perform their duties, and that multiple levels of approval are required for access to sensitive information.
8. e-Discovery Review Tools with Strong Security Features
When collecting and transferring data for review in e-Discovery, counsel have selected document review platforms that protect data on several fronts: security that administrators can set at both the application and user level; automated detection tools that flag content matching patterns of sensitive data, such as employee identification numbers, phone numbers or account numbers; and automated redaction tools that prevent that information from being disclosed.
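The pattern-based flagging and redaction described above, as an added illustration written for this page rather than code from any review platform or vendor. The identifier formats (an "EMP-" employee ID, a 3-6-3 account number, a Hong Kong phone number with a +852 prefix or a 4-4 split) and the sample memos are assumptions constructed for the example; a real deployment substitutes the organisation's own formats. The phone pattern deliberately ignores bare eight-digit runs so that order numbers and dates are not flagged, which trades some recall for precision.

```python
"""Pattern-based detection and redaction of sensitive identifiers in a review set."""
import re
from dataclasses import dataclass

# Identifier formats are assumptions chosen for this example, not any vendor's rules.
PATTERNS = {
    "employee_id": re.compile(r"\bEMP-\d{6}\b"),             # assumed: EMP- plus 6 digits
    "account_number": re.compile(r"\b\d{3}-\d{6}-\d{3}\b"),  # assumed: 3-6-3 digit groups
    # Hong Kong phone numbers: require the +852 prefix or a 4-4 split, so that bare
    # 8-digit runs (order numbers, dates such as 20160915) are not flagged. This
    # trades recall for precision: unformatted numbers will be missed.
    "phone": re.compile(
        r"(?<![\d-])(?:\+852[ -]?\d{4}[ -]?\d{4}|\d{4}[ -]\d{4})(?![\d-])"
    ),
}


@dataclass(frozen=True)
class Finding:
    document: str
    kind: str
    start: int
    end: int
    value: str


def find_sensitive(document: str, text: str) -> list[Finding]:
    """Return non-overlapping findings; where patterns overlap, the longest match wins."""
    candidates = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            candidates.append(Finding(document, kind, m.start(), m.end(), m.group()))
    # Earliest start first, longest span first at the same start; skip anything that
    # overlaps a span already accepted.
    candidates.sort(key=lambda f: (f.start, -(f.end - f.start)))
    accepted, cursor = [], 0
    for f in candidates:
        if f.start >= cursor:
            accepted.append(f)
            cursor = f.end
    return accepted


def redact(text: str, findings: list[Finding], keep_tail: int = 0) -> str:
    """Replace each finding with a labelled placeholder. keep_tail leaves the last N
    digits visible so reviewers can still tell records apart (e.g. '...4567')."""
    out, cursor = [], 0
    for f in sorted(findings, key=lambda f: f.start):
        out.append(text[cursor:f.start])
        digits = re.sub(r"\D", "", f.value)
        tail = f"...{digits[-keep_tail:]}" if keep_tail else ""
        out.append(f"[REDACTED {f.kind}{tail}]")
        cursor = f.end
    out.append(text[cursor:])
    return "".join(out)


def scan_review_set(docs: dict[str, str]) -> dict[str, list[Finding]]:
    """Flag every document in a review set; findings go to a human reviewer to confirm."""
    return {name: find_sensitive(name, text) for name, text in docs.items()}


# Constructed sample review set for the example (not real data).
SAMPLE_DOCS = {
    "memo-001.txt": "Reimburse EMP-048211 (tel 9123 4567) via account 012-345678-901.",
    "memo-002.txt": "Vendor line: +852 2345 6789. Ref order #20160915 holds no personal data.",
}

if __name__ == "__main__":
    for name, findings in scan_review_set(SAMPLE_DOCS).items():
        print(name, [(f.kind, f.value) for f in findings])
        print("   ", redact(SAMPLE_DOCS[name], findings, keep_tail=4))
```

Findings are returned with their offsets rather than being redacted blindly, because regular expressions over free text produce false positives and misses; the flagged spans go to a reviewer, and redaction is applied only to what the reviewer confirms.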
9. Incident Response Plan
Breaches are inevitable, and proactive counsel have created policies in advance so that the organisation can respond when one occurs. A written plan facilitates a consistent, rapid response, while testing the plan identifies gaps that may require third-party assistance, such as public relations or remediation experts. It can also demonstrate a good-faith effort to comply with applicable laws and regulations. In-house counsel have taken the lead in determining when to escalate issues, when to disclose breaches, what information to share with peers and regulators, and which investigations should be conducted under attorney-client privilege.
10. Cyber Insurance Considerations
Insurance can lessen the financial ramifications of a breach. Organisations have chosen policies that cover the consequences of a breach, such as the costs of investigations, notice to affected victims, public relations and credit monitoring.
What’s Next for Corporate Counsel?
The role of corporate counsel is rapidly evolving. With the shifting cyber threat and regulatory landscape, corporate counsel are taking an active role by offering oversight, marshalling resources, and serving as a bridge between IT and key stakeholders. By actively managing decision-making throughout the risk assessment and compliance process, counsel are preparing their organisations to detect risk and respond immediately when threats arise. How well organisations fare will depend on how quickly local counsel act on these early warning signs.
Xerox Legal Business Services is not authorised to practice law, and neither offers legal advice nor provides legal services in any jurisdiction. The services offered by Xerox are limited to the non-legal, administrative aspects of document review and discovery projects. Xerox provides such services solely at the direction and under the supervision of its clients’ authorised legal counsel.