The role of in-house counsel in boosting cyber security
A Unisearch expert has underscored that it is not up to in-house counsel to be the cyber security team, but has outlined how they could strengthen their organisation’s cyber security measures.
Lyria Bennett Moses, director at UNSW Allens Hub for Technology, Law and Innovation, said ahead of the Corporate Counsel Summit 2023 that it is not the role of in-house counsel to implement technical standards to improve their organisation’s cyber security posture.
Rather, the legal department could monitor the legal risks to ensure that their organisation complies with its legal obligations.
“Now, what those obligations are, is going to depend on the nature and size of the organisation,” she told Lawyers Weekly.
For example, in-house counsel would have to determine whether the organisation is obligated to comply with the Security of Critical Infrastructure Act (SOCI Act) as this carries its own risk management requirements, and as such, be involved to ensure compliance with the legislation.
Small-to-medium enterprises (SMEs) will most likely have to comply with the Privacy Act, both in their day-to-day handling of data and in designing their plan of action if and when a data breach occurs, including how they would comply with their obligations under the notification regime, Ms Bennett Moses said.
For organisations that have an international footprint along with an Australian presence, she said the complexity of compliance obligations would potentially increase.
“We did a research project looking at regulation in the cloud sector,” she explained.
“If you work with an international cloud service provider and look at how you store data securely and your compliance obligations, it’s basically everything. You have to comply with GDPR if you’ve got a European base, along with complying with Australian laws.”
Alongside this, law departments must also be cognisant of state law if their customers are state governments, Ms Bennett Moses said.
“In some cases, not only do you have to comply with the legislation, but also separate procurement obligations that sit inside the government, often with different requirements from those governments’ own legislation,” she mused.
“If you want them to have government departments as your customers, you not only have to comply with the law, you have to comply with the separately worded obligations. That means a lot of organisations often have to do the same thing, but comply with 15 differently worded obligations relating to that thing.”
She also noted that one of the attractive features of the review of the Privacy Act is the idea of increased coordination and alignment between state and federal privacy legislation, which could reduce compliance burden.
Ms Bennett Moses’ comments preceded the Corporate Counsel Summit 2023 in May, where she and a panel of speakers will discuss what sector-specific cyber security obligations organisations need to be aware of, how to avoid contravening privacy laws, and how in-house counsel could collaborate with other departments in their business to improve cyber security measures.
Joining her on the panel is Tala Bennett, partner and general counsel at Deloitte Australia, who told Lawyers Weekly that the function of in-house counsel is evolving to one that requires them to have a commercial lens on the application of the law.
“The legal team has to be across the legislative piece, but a broader role is to help craft their organisation’s policies and processes because you need to make it practical and applicable for your business,” she said.
“Taking the law and interpreting it properly so that it’s appropriate for your particular organisation is a key part of what we do. You have to be able to apply it to your own organisation, depending on the industry you’re in. That’s your job.”
Ms Bennett also encouraged law departments to look at international legislation around privacy, particularly regionally as well as in Europe.
Having this international lens is important for organisations such as Deloitte, which has a global presence, she said.
“As we’re dealing with data going in and out of the country, especially as more organisations are offshoring services as well, it’s very important to have that international lens,” Ms Bennett said.
“The international legislative landscape is just one extra layer that needs to be understood. It can also be useful to understand what’s going on overseas because you can see what doesn’t work and what might be implemented going forward.”
To hear more from Lyria Bennett Moses and Tala Bennett about the role of in-house counsel in beefing up their organisations’ cyber security measures, come along to the Corporate Counsel Summit 2023.
It will be held on Thursday, 25 May, at Sofitel Sydney Wentworth.