Dan Silver and Megan Gordon, partners with Clifford Chance, discuss the firm’s cross-border, cross-practice approach to handling cybersecurity and dataprivacy issues.
CCBJ: What kinds of cyber issues have you been seeing with your clients lately, particularly U.S. clients? And where does the new Clifford Chance Cyber Assist app fit into that picture?
Dan Silver: Since I joined Clifford Chance from the Justice Department almost three years ago, cybersecurity and data privacy have risen in prominence and are now essential components of business operations, while also posing increasing risks to companies doing business in the U.S. and abroad. That said, a major challenge in this area remains that it’s relatively new to lawyers. Many corporations haven’t developed the extensive internal structures necessary to deal with these issues. In a basic sense, the Cyber Assist app is designed to help by making these issues more accessible and manageable for our clients.
Megan Gordon: When we think about today’s cybersecurity environment, companies and firms need to act extremely quickly in the face of any sort of data breach – and because of the nature of data, breaches are almost always going to be cross-border in scope. That’s really the genesis of the app. It’s a convenient resource to learn about high-level cybersecurity requirements across jurisdictions, and it provides a starting point on where to begin when a data breach occurs, so that they can take action quickly.
Can you tell us a bit about the app itself?
Silver: The app is offered free of charge to our clients but is not publicly available. It provides a survey of a dozen or so key jurisdictions, with synopses of their individual cybersecurity regulations. So, if you work for a multinational company based in New York, and an issue crosses your desk that originated in Singapore, you can use the app to quickly get the basic regulatory landscape for cybersecurity in Singapore. This is a very powerful feature of Cyber Assist.
The app also keeps track of the latest news and developments in the cyber and data arenas globally. When we put out client briefings or other kinds of thought leadership, those are included on the app to provide the firm's deeper expertise on what companies need to know as regulatory regimes continue to develop.
What’s the profile of a typical user?
Silver: The app is geared to an internal legal audience – really anyone with some involvement with cybersecurity issues, but usually the chief privacy officer or someone in the general counsel’s office. It is worth noting that the app is relevant to users in different sectors, not just corporates or financial institutions, but across our entire client base.
You can check the app and really get a sense of what the most recent cybersecurity developments are, globally.
How does the app fit into Clifford Chance’s broader strategy in the technology sector?
Gordon: Our Tech Group is fully integrated with our Cybersecurity and Data Privacy Group; both are cross-practice and cross-border. The app is focused on what companies are going to need as we continue in the Fourth Industrial Revolution and enter the Fifth Industrial Revolution, which is very much data-driven, so there are multiple connections across these groups.
Both teams get involved in the development of new tech products and in advising our clients on what to do with their data. On top of that, cybersecurity has become a huge factor in determining the value of a company, in terms of what issues it might have and how they might affect the valuation going forward, so cyber is now a significant facet of M&A transactions. These are relatively new issues for companies, and the stakes are very high.
More generally, a central goal of our tech strategy is to eliminate the traditional boundaries of practice areas and jurisdictions. Data doesn’t stop at the border, and neither does our practice. The Cyber Assist app fits right in and really shows the firm's commitment to delivering cutting-edge products and services.
Jonathan Kewley, who co-heads Clifford Chance’s Tech Group, said, “Cyberattacks are on the agenda of every government, board and lawmaker globally.” How did we get here, and what are the implications for outside firms in helping clients navigate the issues?
Silver: If you turned back the clock five years or so, you would find that in-house lawyers were not as focused on cybersecurity and data privacy. Those were matters that the IT team typically dealt with; they were not necessarily viewed as a legal risk, nor were they considered board-level issues. But that’s all changed because of the massive data breaches and other privacy-related scandals we've seen covered in the media during the past several years. Everyone agrees that cyber is a complicated and rapidly developing area; the issues are not going away, they are not just technical problems and they carry real risk. Regulators have become much more aggressive as well, which of course magnifies everything.
This all translates to a direct need for external legal advice, both in terms of being prepared when an incident occurs – so regulators are less likely to find fault after the fact – and in terms of developing internal policies and procedures that may prevent those incidents in the first place. Companies need help with these legal and risk-management questions.
Data doesn’t stop at the border, and our practice doesn’t stop at the border either.
Gordon: Cyber is really one of the most interesting legal issues that we work on. While data itself is by nature cross-border, the regulations and notification requirements governing a response to a breach are driven by the laws of the different countries involved. Beyond U.S. regulatory regimes, you have the General Data Protection Regulation (GDPR) in the EU as well as regulations in Singapore, Hong Kong and other international business centers worldwide – each of which must be dealt with quickly in the event of a breach. There are potentially very serious consequences if you don’t meet the notification requirements, especially under the GDPR.
The U.S. is one of the most complicated jurisdictions, with 50 state regulators as well as the federal regulators, and with companies facing regulatory fines as well as potential litigation and reputational damage that can happen overnight. We've already seen this with Yahoo and Facebook, as just two examples.
Can companies use the Cyber Assist app in these contexts, let's say to improve a regulator's perception of their compliance programs?
Gordon: Companies should use the app as a reference point, to get an idea of some of the jurisdictions they might be asked questions about, especially if they have a large amount of data or key operations in those jurisdictions. If they’re considering an M&A transaction, for instance, the app can help them identify potential issues in the jurisdiction where the target company is located. It is not a replacement for a lawyer but rather a tool that adds value to our firm's services.
Silver: Exactly. And as far as perception goes, the government is looking for cooperation from the private sector and encourages companies to report incidents. We help clients work with the FBI or report cybercrime incidents to the Department of Justice, not only navigating risks but also mitigating them in terms of being held accountable for cybersecurity failures. No app can do that, but Cyber Assist is designed to be a helpful starting place and a resource for companies looking to understand the regulatory requirements and abide by them.
Megan Gordon co-heads Clifford Chance's U.S. cybersecurity and data privacy group and is a leading member of the firm's global tech group. Reach her at Megan.Gordon@CliffordChance.com.
Daniel Silver co-heads Clifford Chance’s U.S. cybersecurity and data privacy group. Reach him at Daniel.Silver@CliffordChance.com.
Published January 3, 2019.