In-House Counsel’s role in boosting cyber security in Australia is vital, and so is defining that role for each organisation. This ensures legal input can help shape the organisation’s policies and processes moving forward. In-House Counsel are not your security team. Learn more about their role in cyber security in this Lawyers Weekly snapshot below.
THIS ARTICLE’S KEY TAKEAWAYS:
- In-House Counsel are not responsible for implementing technical standards to improve their organisation’s cyber security posture. Rather, their role is to monitor the legal risks and ensure that their organisation adheres to its legal obligations.
- In-House Counsel should determine cyber security obligations, ensuring organisations can practically adhere to them in their policies and processes.
- For organisations with an international presence, the complexity of compliance obligations increases, including complying with GDPR if based in Europe.
- In-House Counsel’s role is evolving to include a commercial perspective on applying and interpreting the law, which requires an international view on data management (e.g. overviewing cloud-based data management).
In-House Counsel are not your security team
A Unisearch expert has underscored it is not up to in-house counsel to be the cyber security team but outlined how they could strengthen their organisation’s cyber security measures.
Lyria Bennett Moses, director at UNSW Allens Hub for Technology, Law and Innovation, said ahead of the Corporate Counsel Summit 2023 that it is not the role of in-house counsel to implement technical standards to improve their organisation’s cyber security posture.
Rather, the legal department could monitor the legal risks to ensure that their organisation complies with its legal obligations.
“Now, what those obligations are, is going to depend on the nature and size of the organisation,” she told Lawyers Weekly.
In-House Counsel determine cyber security obligations
For example, in-house counsel would have to determine whether the organisation is obligated to comply with the Security of Critical Infrastructure Act (SOCI Act) as this carries its own risk management requirements, and as such, be involved to ensure compliance with the legislation.
Small-to-medium enterprises (SMEs) will most likely have to comply with the Privacy Act, both in their day-to-day handling of data and in designing their plan of action if and when a data breach occurs, including how they would comply with their obligations under the notification regime, Ms Bennett Moses said.
For organisations that have an international footprint along with an Australian presence, she said the complexity of compliance obligations would potentially increase.
“We did a research project looking at regulation in the cloud sector,” she explained.
“If you work with an international cloud service provider and look at how you store data securely and your compliance obligations, it’s basically everything. You have to comply with GDPR if you’ve got a European base, along with complying with Australian laws.”
Alongside this, law departments must also be cognisant of state law if their customers are state governments, Ms Bennett Moses said.
“In some cases, not only do you have to comply with the legislation, but also separate procurement obligations that sit inside the government, often with different requirements from those governments’ own legislation,” she mused.
“If you want them to have government departments as your customers, you not only have to comply with the law, you have to comply with the separately worded obligations. That means a lot of organisations often have to do the same thing, but comply with 15 differently worded obligations relating to that thing.”
She also noted that one of the attractive features of the review of the Privacy Act is the idea of increased coordination and alignment between state and federal privacy legislation, which could reduce compliance burden.
Ms Bennett Moses’ comments preceded the Corporate Counsel Summit 2023 in May, where she and a panel of speakers will discuss what sector-specific cyber security obligations organisations need to be aware of, how to avoid contravening privacy laws, and how in-house counsel could collaborate with other departments in their business to improve cyber security measures.
Applying the law to your organisation
Joining her on the panel is Tala Bennett, partner and general counsel at Deloitte Australia, who told Lawyers Weekly that the function of in-house counsel is evolving to one that requires them to have a commercial lens on the application of the law.
“The legal team has to be across the legislative piece, but a broader role is to help craft their organisation’s policies and processes because you need to make it practical and applicable for your business,” she said.
“Taking the law and interpreting it properly so that it’s appropriate for your particular organisation is a key part of what we do. You have to be able to apply it to your own organisation, depending on the industry you’re in. That’s your job.”
Ms Bennett also encouraged law departments to look at international legislation around privacy, particularly regionally as well as in Europe.
Understanding international privacy laws
Having this international lens is important for organisations such as Deloitte, which has a global presence, she said.
“As we’re dealing with data going in and out of the country, especially as more organisations are offshoring services as well, it’s very important to have that international lens,” Ms Bennett said.
“The international legislative landscape is just one extra layer that needs to be understood. It can also be useful to understand what’s going on overseas because you can see what doesn’t work and what might be implemented going forward.”
To hear more from Lyria Bennett Moses and Tala Bennett about the role of in-house counsel in beefing up their organisations’ cyber security measures, come along to the Corporate Counsel Summit 2023.