Linklaters and cyber-security – the prevention and the cure
Cyber-crime and the consequent need for cyber-security are facts of life in the modern commercial world. The Linklaters track record as advisors on mitigating cyber-risk and dealing with the consequences of such security breaches is a long and distinguished one.
We talk to London-based partners Georgie Kon and Tom Cassels about Linklaters’ approach to prevention and cure in the world of cyber-security.
"The publicity surrounding recent breaches has prompted something of an over-reaction at times, leading to a big spike in reported data breaches, not all of which were accurate."
Cyber-security incidents are on the rise all over the world; this is no longer new, sadly, but it is undoubtedly news when such incidents occur – of the front-page variety. Major names such as JPMorgan Chase, Uber, Yahoo and eBay have suffered at the hands of unscrupulous data thieves in recent times – the list will undoubtedly continue to grow and the need to be forearmed against these security breaches is more important than ever.
Law firms and their clients, natural targets for the cyber criminals by virtue of the vast amounts of data that they store, have not been immune from attack. It is natural, therefore, that the leading names of the legal profession have invested much time and effort to the cause of preparing themselves and their clients against risk as far as they possibly can. Among the clear market leaders in this field are Linklaters, who have been advising clients on privacy and cyber-security issues since the advent of data protection laws in Europe two decades ago.
"Some sectors of our client base always did take cyber-risk and privacy seriously," explains Georgie Kon, one of Linklaters' London-based experts in the field. "Big pharmaceutical companies and financial institutions were particularly sensitive about their IP and took early steps to guard their data. Others very clearly were not as up to speed as they should have been, but with the introduction of the EU General Data Protection Regulation (GDPR), we have seen far more willingness across the board to invest in cyber security. The stakes have been raised and this is no longer just a regulatory issue. Losing data is a really big deal; global reputations are at risk, to say nothing of the impact on senior management and share prices."
Linklaters global cyber-security network is a formidable one. The firm's wider network of privacy and cyber-security experts covers more than 100 countries but of equal importance is its long-established contact and familiarity with the European Commission, data protection regulators around the world and, in the UK, all the relevant Government departments. Clients have the best possible head start in assessing where their risk may lie and how to nullify it when Linklaters delivers its board-level scenario training and wider organisational advice.
A level-headed approach is critical both when Linklaters is preparing its clients for a security breach and, above all, when reacting to it. "The pendulum sometimes swings too much in the other direction, which is equally unhelpful," says Georgie Kon. "The publicity surrounding recent breaches has prompted something of an over-reaction at times, leading to a big spike in reported data breaches, not all of which were accurate. Establishing the facts must always be the first priority; it's not always easy and it's important not to commit one way or another too soon in your response."
Once a breach has been established, Linklaters' crisis management team, which crosses practice areas and jurisdictions across the firm, is ideally place to help clients deal with the repercussions. "We have a more streamlined approach to cyber-security now, working hand in hand with our crisis management team at large," says Georgie Kon. "It's more structured now." At this point, the litigation group also come to the fore, a team that often includes Tom Cassels, a London partner whose practice is notable for its focus on crisis management:
"The immediate priority is to identify what you know but also what don't you know," he begins. "Identifying the scale of the problem is crucial but sometimes people are panicking, worrying about the wrong thing and our job is to remain as clear and detached as possible. We have to be realistic as lawyers, constantly re-calibrate as new information arrives and then deal with each matter as it becomes clear."
With some data, including bank details, appearing on the dark web almost immediately, modern cyber breaches are rarely a small matter. "In managing these cases, those who have suffered a breach have at their disposal the fact that they are, after all, victims of a crime," Tom Cassels adds, "but you can't play the victim card too strongly if you are responsible for leaving the back door open. There is also a trade-off between the credit you gain for telling stakeholders early about a cyber breach – they seldom welcome being kept in the dark about it – and ensuring that what you say is accurate and you're not crying wolf. Within a couple of hours of the first hint of trouble, we will have assembled a team to make the right assessments, ascertain the facts and subsequently to assist with internal investigations, secure or recover data and so on."
Clients are certainly expected to learn from their experiences – second mistakes are rarely tolerated at the highest level. "We always tell clients that they need to put their experiences to good use," Georgie Kon agrees. "What are the steps that they need to take? Often it's as simple as retaining people with the relevant expertise to advise in a world where there is a huge market for those people." "I do think that companies are getting better at handling this sort of crisis," Tom Cassels suggests. "They no longer tend to field their own teams as a matter of course for crisis management but instead come to people like us, who have really earned their stripes. When you're debriefing clients after a crisis, you need to emphasise that the knowledge that they've acquired can't be restricted to those who directly experienced it. Governance systems also need to be changed, otherwise fingers will inevitably be pointed."
Linklaters' track record in advising against cyber-crime is unparalleled, spanning all sectors and continents. "It's the experience that sets us apart," argues Georgie Kon. "Our people have dealt with crises all over the place and we're genuinely multi-disciplinary and collaborative, internally and externally, in a way that very few other law firms can match. Add that to the fact that we work hand in hand with our clients every step of the way and are interested only in ensuring that the right thing is done and you have a powerful recipe for success."