Most recently, Optus has been hit with a lawsuit following its data breach in 2022, and Medibank is currently the subject of an OAIC investigation after its own data hack in 2022. Following these – and other – data breaches, the importance of robust cyber security practices has become vital, with one cyber security expert arguing that in-house counsel should be the first point of call in an organisation after a data breach.

So, as cyber security remains a key issue for Australian organisations in 2024, is the demand for data security and privacy contract lawyers decreasing in favour of expertise from external providers?

G2 Legal Australia director Daniel Stirling said that in-house legal departments are certainly adapting their recruitment needs and either hiring lawyers with data security skills or upskilling their current teams.

“Given the high-profile cyber attacks and data breaches in Australia and globally in recent years, data security and privacy have become front and centre when assessing an organisation’s biggest risks. The legal department plays a key role in protecting the business, so it’s no surprise that there has been a big focus in this area, both from the perspective of upskilling GCs and current in-house counsel as well as when looking at new hires. I have also seen some organisations merge legal and security departments, with the GC having responsibility for both areas,” he said.

“In regard to new hires, these skills are key when shortlisting candidates for many in-house roles, though I have generally seen this as a key part of a broader corporate or tech role rather than a pure data/privacy role. Though these do exist in some larger teams and are likely to become more common as these issues become even more critical.”

Despite heightened awareness around data security and privacy, however, Carlyle Kingswood Global legal and governance and in-house director Phillip Hunter argued that there “hasn’t been a significant shift in demand for in-house data security and privacy contract lawyers”.

“Typically, these responsibilities are integrated into broader roles or distributed among staff members, particularly in medium-sized organisations. In larger organisations, such as Meta, Google, and CBA, a dedicated privacy or data lead – and sometimes entire teams – manages these functions. This sector remains stable with minimal fluctuation,” he said.

VIEW ALL

“When organisations opt for external expertise, it is often because they lack the continuous need for specialised data security and privacy services internally. This trend is more pronounced in industries with limited consumer interaction. Despite the increased regulatory focus and awareness driven by data breaches, many companies still operate under the assumption that severe incidents are unlikely to affect them.

“Consequently, they implement basic compliance measures and designate a point of contact within their legal team for potential issues, calling in experts only when problems arise.”

And while in-house legal teams will continue to prioritise recruiting lawyers with experience in data protection and privacy, Hunter noted he hasn’t seen “specific retention strategies tailored to data security and privacy professionals”.

“The emergence of new roles or specialisations in response to this trend has also been minimal. Some lawyers are pursuing additional studies to broaden their skill sets, akin to obtaining governance and company secretary qualifications. Allowing lawyers to handle privacy and data matters can also serve as a retention strategy by supporting their upskilling journey,” he said.

“To remain competitive, candidates should stay current with developments in data security and privacy through CPD courses and certifications such as the Privacy in Practice course by the OAIC and IAPP’s CIPP and CIPM. Soft skills like communication and adaptability are equally crucial in this dynamic field. Professional development opportunities through organisations like IAPP are highly recommended.”

Gaining experience in these areas will be key for in-house lawyers – even if their organisations are utilising external providers for advice.

“I have observed that data and privacy experience is a more common requirement within in-house contract roles in recent times. Generally speaking, these areas have formed part of a broader corporate, commercial or technology legal role rather than being solely focused on data/privacy. These skills are becoming more critical within in-house teams and organisations due to the increase in cyber attacks and data breaches and to ensure companies are compliant with increased regulation in this area,” Stirling said.

“I feel that in-house lawyers across any area should look to increase their skill set in this area. Even if companies rely more on external expertise, it is critical that the GC and in-house team have a good understanding [so] that they can advise the business and work with any external providers. It is also likely to increase your marketability for future career progression, whether internally or externally.”

Lawyers Weekly will host its inaugural Partner Summit on Thursday, 20 June 2024, at The Star, Sydney, at which speakers will address the range of opportunities and challenges for partners and partner equivalents, provide tips on how they can better approach their practice and team management, and propel their businesses towards success. Click here to book your tickets – don’t miss out! For more information, including agenda and speakers, click here.