Saturday, July 30, 2011

Legal Risk: General Counsel Digital Leadership...

Operational Risks continue to plague any senior manager with the title of "Corporate General Counsel". "Achieving a Defensible Standard of Care" remains ever so challenging. General Counsel digital leadership is required by the Board of Directors. A recent Corporate Executive Board Report outlined some of their top line issues in a recent Corporate Counsel article by Catherine Dunn:

1. Regulatory issues will converge, while regulation of issues will fragment.

What it means: Common issues—such as data privacy, executive compensation, anti-bribery, and antitrust—are gaining importance in the eyes of regulators the world over, says Lee. But countries and states are regulating those issues in different ways, which makes it more difficult for companies—and in-house legal teams—to harmonize their policies.

2. Information will grow exponentially.

What it means: E-discovery requests are getting bigger (think terabytes, not gigabytes) and the quality of meta-data that could be subpoenaed is getting better (like someone's location, as identified by GPS technology). As more and more information comes into play, the study finds, it "will increase the premium of how companies organize and manage their information."

3. Dueling demands for corporate transparency and consumer privacy will collide.

What it means: Consumer demands for privacy will place more emphasis on data security and how companies shore up their IT infrastructure. "The end result for legal departments is that, at the very least, they're going to need to become more [technologically] literate," says Lee. And again, legal teams will also have to deal with a variable set of regulations, depending on where companies operate.

While consumers want to protect their own information, they also want to to have more information about corporations, information about executive compensation packages, private conversations between executives, and company investments.

4. The legal department's center of gravity will shift.

What it means: As companies expand into emerging markets to capitalize on growth opportunities, risks will follow. "It's going to be more important for those risks to be managed locally," Lee says. The report hypothesizes, then, that in-house legal teams will become more decentralized, decamping from corporate headquarters for local terrain. "Culture is an often-underestimated factor with regard to risk," Lee adds. Seeing as how different countries identify, report, and react to misconduct in different ways, that will also add to the need for on-site legal teams.

Another facet of this shift is that in-house lawyers will take on additional responsibilities—such as auditing and keeping an eye on corporate integrity and employee behavior.

5. The legal services market will mature.

What it means: If five to 10 years ago companies wondered which law firm to partner with, today it's not just traditional firms that are competing for the work, Lee says. Legal- and business-processes outsourcers are "very good for discrete pieces of work," such as discovery and document review, he says, and that could "rival or surpass the quality of law firms."


How fast is fast enough these days to provide your members or customers notice that their bank account has been hacked and money has been transfered to transnational criminal syndicates across the globe? Six hours is too long according to this latest suit against Comerica Bank in Michigan, USA:

It started with a simple e-mail that landed in the inbox of Experi-Metal Inc.'s controller, Keith Maslowski, in January 2009. The message appeared to come from the company's bank, and Maslowski followed the directions to click on a link and enter confidential log-in data and other codes as part of routine maintenance. The details are laid out in a lawsuit that the small metal shop in Sterling Heights, Michigan, filed against Comerica. Scam artists used Maslow­ski's codes to initiate more than 85 wire transfers, moving $1.9 million out of the company's account to China, Estonia, Finland, Russia, and Scotland.

It took the bank only six hours to spot the unusual activity, notify the customer, and stop the transfers. But it wasn't good enough for the federal judge. Court documents show that the company had only two prior transfers in two years. On June 13 U.S. district court judge Patrick Duggan in Detroit ruled that Comerica was responsible for the $560,000 that remained unrecovered because the bank didn't act "in good faith." The judge ruled that "a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier."


Yet another example of the Operational Risks that require more preventive measures for the savvy "General Counsel" (GC) of 2011 and beyond. To what degree are there other "Tripwires" in place for the GC to become a nerve center for detecting those incidents and behavior that is strange or not normal. After all, you can't be everywhere and no one can effectively work 24 x 7. So there remains only one answer. Automation working with Operational Risk experts.

How do the programmers know how many transfers are out of a normal range? In the case of Comerica, Judge Duggan ruled that six hours was too long to stop the fraudulent transfers. You see, the risk for establishing the right business rules can't lie completely with anyone who is doing the programming. Business management, consumers and risk management experts all need to be in the process of developing the triggers and alerts that allow faster response on incidents such as this one.

The number of data breaches and other cyber criminal activities will continue to rise as long as the General Counsel remains aloof or segmented from the departments and business units that can establish effective automated "Trip Wires" to get notified when something is "Not Normal".

Here are just few of the larger and most reported incidents in 2011 according to Law.com:

2011
April 1: Epsilon Inc., the world's largest e-mail marketer, reveals an unauthorized entry into Epsilon's e-mail system, exposing customer names and e-mail addresses.

April 26: Sony Network Entertainment America and Sony Computer Entertainment America disclose a "carefully planned, very professional, highly sophisticated criminal cyberattack designed to steal personal and credit card information." The intruders stole identity data from about 77 million PlayStation Network and Qriocity customer accounts.

May 10: Citigroup Inc. discovers a breach exposing more than 360,000 customer names, account numbers, and contact information. Citigroup waits almost a month before notifying its customers, and later says $2.7 million was stolen.

May 24: The Los Angeles Times reports that a Bank of America Corporation insider leaked detailed customer data to a ring of identity thieves resulting in $10 million in losses. The bank later confirmed the loss, which occurred sometime last year but came to light only recently, when the bank began informing customers.

June 15: Automatic Data Processing Inc., the world's largest payroll processor, says personal data of one of its 550,000 corporate clients was breached. It ­provided no details.


So what is the answer for the General Counsel? The "Plan-Do-Check-Act" lifecycle applies to the GC just as others in the corporate enterprise. Information Governance is no different for the legal department than it is for the CIO. The problem is, how much are both working in concert so that the holders and managers of digital information are working side by side the legal eagles of the company? Not enough in a world where transnational criminals, advanced persistent threat and insiders are testing your controls and the latency of your alert mechanisms on a daily basis.

The companies plagued with the incidents highlighted in the popular press are working hard to prevent the vulnerabilities exploited by those tasked with finding them. They have invested millions of dollars in technology and sophisticated tools for detection and defense. In todays world of 4 Billion devices connected to wireless networks and ultimately the Internet; working hard just will not suffice anymore.

The General Counsel working in concert with the Chief Information Security Officer (CISO), Chief Information Officer (CIO) and even the Chief Security Officer (CSO) along with outside contract consultants typically defines who is responsible for the ongoing defense of the corporate enterprise. The question now remains; "What is the single Management System that they are all using to manage risk in the organization?" Unfortunately, the answer may be that they are not using the same management system. When your organization has not agreed upon a single management system for risk management then there is no wonder that you have opened yourself up to the possibility of failure. Utilizing a single international standard such as ISO 27001: 2005 could be the beginning of a unified effort by the entire stakeholder community in your organization.

Certifying your Information Security Management System against ISO/IEC 27001 can bring the following benefits to your organization:

  • Demonstrates the independent assurance of your internal controls and meets corporate governance and business continuity requirements
  • Independently demonstrates that applicable laws and regulations are observed
  • Provides a competitive edge by meeting contractual requirements and demonstrating to your customers that the security of their information is paramount
  • Independently verifies that your organizational risks are properly identified, assessed and managed, while formalizing information security processes, procedures and documentation
  • Proves your senior management’s commitment to the security of its information
  • The regular assessment process helps you to continually monitor your performance and improve