Heat, friction and violent collision – GCs face challenge and opportunity on data security

PwC Legal’s Stewart Room warns that emerging regimes on data protection and cyber security will present new challenges for GCs.

If you’re observing the developing legal environment for cyber security and data protection and just happen to have an interest in star-gazing, you might have an image of a planetary nebula in your mind’s eye, the universal womb and nursery for new planets and stars.

If you’ve started to run with this metaphor, you might also be picturing illustrations depicting the death of the dinosaurs popular in schoolbooks, museums and news reports: a variety of dinosaurs peacefully munching on vegetation, or each other, all with one eye looking quizzically skywards to a huge meteor burning through the atmosphere, oblivious to the fact that it will soon deliver their oblivion.

The developing legal environment for cyber security and data protection is one of heat and friction, where there will be regular, violent collisions between entities, people, regulators and judges, with many casualties along the way, and it will be many years before there is stability in the environment that we can rely upon.

The big headlines are that Europe is very close to delivering us a new data protection regime (GDPR) and a new cyber security regime (NIS Directive); the courts have been up-ending established views and norms on cyber security and data protection; and citizens are becoming more savvy about issues and rights.

The in-house lawyer sits in here somewhere, but it’s not always clear where, or what role they will play. I expect that some will play the dinosaur role, some the asteroid, but some will be the new stars. There is a set of characteristics for each role.

A common phenomenon that is exposed in the aftermath of a security breach is the appearance of the ‘told you so’ person. Back-covering is to be expected when the balloon goes up, so you would expect these individuals to surface. Another phenomenon is the ‘smoking gun’: those pieces of clear evidence that scream out from the past. Human nature being what it is, it won’t take a genius to work out that as people sit in the incident response room, or around the board table, some will be thinking to themselves: ‘whose fault is this?’ or, ‘who can we blame?’

One of the candidates for blame is the lawyer, but don’t fret about being singled out. Everyone’s in the frame at the beginning. If we play this forward to the inevitable future of cyber security and data protection law, which is only a couple of short years away, entities and their lawyers will be operating in a universe of heightened transparency after failure (we call this compulsory breach disclosure) which will create a flood of complaints, disputes and litigation. The dinosaur then will be the lawyer who fails to take action now to encourage their entities down the right path.

The asteroids are already forming in this planetary nebula too. There are lots of them about. You see them all the time in the aftermath of a serious incident, taking control, making things up as they go along, playing the hero, causing havoc and mayhem. When a lawyer plays this role, it can have chilling consequences.

Sometimes you see a bizarre hybrid, a person who is both an asteroid and a dinosaur. This person will not take advice, because they feel they do not need to be advised. This kind of person is generally revealed in an interaction between persons of the same professional discipline or expertise, but not interactions between persons of different disciplines or expertise. If the in-house security expert meets the external security expert and it is immediately frosty but they are all charm and lightness when they engage with the external lawyer, then we have the makings of the dinosaur-asteroid. They can cause havoc not just for those around them, but for themselves too. I’m sure many lawyers will have seen that frost set in during professional engagements between lawyers who are meant to be on the same side. I certainly have.

What we really want is the lawyer who is the star. That’s the opportunity that the developing legal environment for cyber security and data protection now presents for the in-house lawyer who recognises what is going on and where we are heading. Legal experts with foresight and vision to advise, guide and lead, who are confident enough in their own skins to understand the need also to listen, to take advice from and to follow other experts are the ones who will have the most positive impact in what promises to be turbulent times ahead.

Stewart Room is global head of cyber security and data protection at PwC Legal