One-Third of In-House Counsel Have Experienced a Corporate Data Breach, ACC Report Shows

Topics: Corporate Legal, Cybersecurity, Surveys


According to a new report, ACC Foundation: The State of Cybersecurity Report, more than half of in-house counsel report that their companies are increasing spending on cybersecurity, while one-third have said their companies have experienced a data breach.

The new report was released Wednesday by the Association of Corporate Counsel (ACC) Foundation, which supports the mission of ACC, a global legal association representing more than 40,000 in-house counsel in 85 countries. The report, which is the largest study of in-house counsel on the subject of cybersecurity, also found that breaches were more than twice as likely at the largest companies and most likely to be the result of internal factors — employee error or an inside job.

The report, underwritten by Ballard Spahr LLP, provides insights on cybersecurity in the corporate sector from more than 1,000 in-house counsel at 887 organizations in 30 countries, including 77% who hold the positions of general counsel (GC) or chief legal officer (CLO). Among this constituency, 50% want to increase their role and responsibility regarding cybersecurity, while 57% expect that the law department’s role in cyber matters will increase in the coming year.

“After years of high-profile data breaches, most companies are rightly focused on cybersecurity,” said Philip N. Yannella, a leader of Ballard Spahr’s Privacy and Data Security Group. “General Counsel and CLOs clearly understand the need to put into place appropriate protocols to protect against cyber threats and to respond quickly to those threats.”

Among in-house counsel whose companies have experienced a data breach, 47% said the breach occurred recently, in 2015 or 2014. Data breaches were more common at large companies; 45% of in-house counsel working at companies with 5,000 or more employees said they work at or have worked at a company that experienced a breach. The survey also looked at changes companies made following a breach, with 74% of respondents reporting that minimal, moderate or significant changes were made and 15% saying that no changes were made.

“In-house counsel operate at the intersection of complex legal and business challenges facing companies today,” said Veta T. Richardson, ACC president and CEO. “Therefore, it is not surprising to see that GCs and CLOs are playing an increasingly active role in cybersecurity strategy, risk assessment and prevention.”

Other significant findings in the report include:

  • Among in-house lawyers whose companies have experienced a data breach, 19% say their cybersecurity insurance policy fully covered related damages;
  • Worldwide, in-house counsel are most concerned with damage to reputation, loss of proprietary information and economic damage following a cyber breach. In EMEA and Asia Pacific, in-house counsel place greater emphasis on government/regulatory action than on economic damage;
  • Less than two-thirds of GCs/CLOs report that third parties are required to notify them in the event that a breach occurs;
  • One-third of GCs/CLOs say that they have retained outside counsel to help should a cyber breach occur; and
  • Corporate lawyers in the retail industry are most likely to report that they proactively collaborate with law enforcement or other government agencies to address cybersecurity risks.