Rachael Falk, a legal counsel in Telstra’s dispute resolution group, said that no matter how confident IT service providers sound about the security of a company’s data, lawyers must be aware of where it is going and what is being done with it.

“There are people all over the world including here [whose lives are] about data mining and pulling identity,” said Falk, adding that failure to know the details of contracts with offshore vendors could lead lawyers into sticky situations.

“It means that when you have a data security breach [and] you’re trying to explain [it] to your CEO and board, or regulators and the media … all you can say is, ‘I know it’s been in 48 countries and there’s been 203,000 hits’, but you can’t take it further.

“You know, to some degree, there hasn’t been a malicious hit, because they can do all sorts of manipulation with the data, but it’s embarrassing. You’ve lost the trust of your customers.”

Falk said in-house lawyers must have knowledge of “locked-in rights” about security, encryption and data logging, as well as what protections cloud providers have and what happens in a crisis management situation.

“Have you got step-in rights? Have you got indemnities? It’s a veritable shopping list of [issues] …” said Falk.

Stan Gallo, the director of KPMG Forensic and an ex-undercover police computer expert, said “jurisdictional issues” are another matter in-house counsel should consider when choosing IT support services.

“If their server’s hosted in the US, there’s a whole different set of bylaws than if it’s hosted in the EU,” he said. “Places like Amsterdam or China, where you’ve got government firewalls … have a different approach.”

Tradeable audiences

The information age is driving economic growth while simultaneously throwing up a raft of risks.

Jenny Duxbury, general counsel of ninemsn, explained how online behavioural data collection and personalised advertising is critical to organisations like ninemsn, Google and Facebook, whose models are almost entirely advertising based.

Online behavioural data collection involves making anonymous and aggregating an internet user’s information, including their browsing habits, transaction history and things they ‘like’ or are interested in on social media.

“We are moving to an environment where this kind of data will be a tradeable commodity. Advertisers will be buying specific kinds of audiences in the future,” said Duxbury.

But it’s not all doom and gloom. Some targeted advertising can help tailor products and services to consumer needs. However, as Gallo explained, there are risks if that information is misused, or if security is breached.

“Huge repositories of information about users … are being targeted by unscrupulous people … They can be used to defraud superannuation funds, but it’s not just about money,” said Gallo.

“A lot of the time, it’s corporate data-based IP disputes … It’s as simple as an employee that leaves an organisation [sticking] their USB in and copying a range of information.”

Gallo said he has seen such cases of “simple theft” go from half-a-dozen cases a year to two cases a week in recent times.

"It’s just taken off. IP is a whole area now being refocused on in terms of in-house counsel,” he said.

A 2011 Senate Committee report into online privacy recommended Australia introduce a “do-not-track” model, whereby companies must provide mechanisms to allow individual users to opt out of having their personal information collected.

Businesses may also need to tighten their measures in order to comply with a stricter proposed right of privacy, following the News of the World phone-hacking scandal.

The law reform would mean individuals can sue other individuals or companies when they have experienced a serious invasion of privacy, explained Duxbury.

“It’s controversial. It’s a very broad-based right and it could cover all sorts of things … For example, [it could apply] if one of your friends posts a photo of you, taken in private which you were unaware of, online,” she said, adding that ninemsn is concerned the reforms may make publishers liable for user-generated content that is posted on their websites, which is invasive of someone’s privacy, “even if they didn’t know that was the case”.