Canadian Underwriter

Employee error most likely cause of data breaches among in-house legal counsel, new report says


December 11, 2015   by Canadian Underwriter



More than half of in-house legal counsel report that their companies are increasing spending on cybersecurity, while one-third state that their companies have experienced a data breach, according to a new report from the Washington, DC-based Association of Corporate Counsel (ACC) Foundation.


The ACC Foundation: The State of Cybersecurity Report, released on Thursday, also found that breaches were more than twice as likely at the largest companies and most likely to be the result of internal factors – employee error or an “inside job.” The report – underwritten by Ballard Spahr LLP, a law firm with more than 500 lawyers in 14 offices in the United States – provided insights on cybersecurity in the corporate sector from more than 1,000 in-house counsel at 887 organizations in 30 countries, including Canada. Seventy-seven per cent of respondents held the positions of general counsel (GC) or chief legal officer (CLO).

Among in-house counsel whose companies have experienced a data breach, 47% said the breach occurred recently, in 2015 or 2014. Data breaches were more common at large companies; 45% of in-house counsel working at companies with 5,000 or more employees said they work at or have worked at a company that experienced a breach.

When asked how the system was breached, 24% of respondents cited employee error, 15% an “inside job,” 12% phishing, 12% access through a third party, 9% a lost laptop/device, 7% an application vulnerability, 7% malware, 1% ransomware (CryptoLocker) and less than 1% an operating system vulnerability.

Although employee error was the most common reason for a breach in all global regions except for Asia Pacific, fewer than half of in-house counsel reported that mandatory training exists at their companies, ACC – a global legal association representing more than 40,000 in-house counsel in 85 countries – said in a release. “Even fewer say that their corporations track or test employee knowledge, one finding demonstrating that there is a wide disparity in how companies approach preparedness,” ACC said. “Regardless of method, however, 56% of GCs and CLOs stated that their companies are allocating more money to promote cybersecurity prevention than one year ago.”


“Even companies with established cybersecurity preparedness programs continue to increase their spending in order to minimize ever-present risk,” said Veta T. Richardson, ACC president and CEO, in the release. “Unfortunately, no sector or region is immune. Our findings indicate that general counsel expect cybersecurity risk to only increase in the upcoming year.”

Mirroring results from previous ACC research on cybersecurity, the report found that in-house counsel in the healthcare/social assistance industry are almost twice as likely (56% versus 31%) to report that they have experienced a data breach, with insurance industry in-house lawyers (36%) a distant second. Healthcare industry in-house lawyers are also most likely to say their companies have purchased cybersecurity insurance and have agreements in place with vendors requiring these third parties to notify them in the event of a breach, the release said. Among in-house lawyers whose companies have experienced a data breach, 19% said their cybersecurity insurance policy fully covered related damages.

The survey also looked at changes companies made following a breach, with 74% of respondents reporting that minimal, moderate or significant changes were made and 15% saying that no changes were made. Following a breach, or as a preventative measure, many companies turn to industry standards to incorporate cybersecurity best practices.

Other findings include:

• Worldwide, in-house counsel are most concerned with damage to reputation, loss of proprietary information and economic damage following a cyber breach. In Europe, the Middle East and Africa, and Asia Pacific, in-house counsel place greater emphasis on government/regulatory action than on economic damage;

• Less than two-thirds of GCs/CLOs report that third parties are required to notify them in the event that a breach occurs; and

• One-third of GCs/CLOs say that they have retained outside counsel to help should a cyber breach occur.

