One-Third of In-house Counsel Have Experienced a Corporate Data Breach, ACC Foundation: The State of Cybersecurity Report Finds


Dec 9, 2015

WASHINGTON (December 9, 2015) – More than half of in-house counsel report that their companies are increasing spending on cybersecurity, while one-third state that their companies have experienced a data breach, according to the ACC Foundation: The State of Cybersecurity Report, released today by the Association of Corporate Counsel (ACC) Foundation, which supports the mission of ACC, a global legal association representing more than 40,000 in-house counsel in 85 countries. The report, which is the largest study of in-house counsel on the subject of cybersecurity, also found that breaches were more than twice as likely at the largest companies and most likely to be the result of internal factors – employee error or an inside job.

The ACC Foundation: The State of Cybersecurity Report, underwritten by Ballard Spahr LLP, provides insights on cybersecurity in the corporate sector from more than 1,000 in-house counsel at 887 organizations in 30 countries, including 77 percent who hold the positions of general counsel (GC) or chief legal officer (CLO). Among this constituency, 50 percent want to increase their role and responsibility regarding cybersecurity, while 57 percent expect that the law department's role in cyber matters will increase in the coming year.

"After years of high-profile data breaches, most companies are rightly focused on cybersecurity," said Philip N. Yannella, a leader of Ballard Spahr's Privacy and Data Security Group. "General Counsel and CLOs clearly understand the need to put into place appropriate protocols to protect against cyber threats and to respond quickly to those threats."

Among in-house counsel whose companies have experienced a data breach, 47 percent said the breach occurred recently, in 2015 or 2014. Data breaches were more common at large companies; 45 percent of in-house counsel working at companies with 5,000 or more employees said they work at or have worked at a company that experienced a breach. The survey also looked at changes companies made following a breach, with 74 percent of respondents reporting that minimal, moderate or significant changes were made and 15 percent saying that no changes were made. Following a breach, or as a preventative measure, many companies turn to industry standards to incorporate cybersecurity best practices. In-house counsel were most likely to report following standards issued by the National Institute of Standards and Technology (NIST) and Statement on Standards for Attestation Engagements (SSAE) in the United States, while International Standardization Organization (ISO) standards were more common in Canada, EMEA (Europe, the Middle East and Africa) and Asia Pacific.

[Figure: How did you learn of a breach]

"In-house counsel operate at the intersection of complex legal and business challenges facing companies today," said Veta T. Richardson, ACC president and CEO. "Therefore, it is not surprising to see that GCs and CLOs are playing an increasingly active role in cybersecurity strategy, risk assessment and prevention."

Mirroring results from previous ACC research on cybersecurity, the ACC Foundation: The State of Cybersecurity Report found that in-house counsel in the healthcare/social assistance industry are almost twice as likely (56 percent versus 31 percent) to report that they have experienced a data breach; with insurance industry in-house lawyers (36 percent) a distant second. Healthcare industry in-house lawyers are also most likely to say their companies have purchased cybersecurity insurance and have agreements in place with vendors requiring these third parties to notify them in the event of a breach. Across all industries, only 7 percent of in-house counsel have the highest degree of confidence that their third-party affiliates protect them from cybersecurity risks. A majority, 60 percent, are somewhat confident.

[Figure: How was the system breached]

Although employee error is the most common reason for a breach in all global regions except for Asia Pacific, fewer than half of in-house counsel reported that mandatory training exists at their companies. Even fewer say that their corporations track or test employee knowledge, one finding demonstrating that there is a wide disparity in how companies approach preparedness. Regardless of method, however, 56 percent of GCs and CLOs stated that their companies are allocating more money to promote cybersecurity prevention than one year ago.

"Even companies with established cybersecurity preparedness programs continue to increase their spending in order to minimize ever-present risk," Richardson said. "Unfortunately, no sector or region is immune. Our findings indicate that general counsel expect cybersecurity risk to only increase in the upcoming year."

Other significant ACC Foundation: The State of Cybersecurity Report findings include:

  • Among in-house lawyers whose companies have experienced a data breach, 19 percent say their cybersecurity insurance policy fully covered related damages.
  • Worldwide, in-house counsel are most concerned with damage to reputation, loss of proprietary information and economic damage following a cyber breach. In EMEA and Asia Pacific, in-house counsel place greater emphasis on government/regulatory action than on economic damage.
  • Less than two-thirds of GCs/CLOs report that third parties are required to notify them in the event that a breach occurs.
  • One-third of GCs/CLOs say that they have retained outside counsel to help should a cyber breach occur.
  • Corporate lawyers in the retail industry are most likely to report that they proactively collaborate with law enforcement or other government agencies to address cybersecurity risks.

For more information on the ACC Foundation: The State of Cybersecurity Report, including details on how to purchase a copy or order a customized benchmarking report, please visit http://www.acc.com/legalresources/resource.cfm?show=1416923.

About the ACC Foundation: The ACC Foundation – a 501(c)(3) non-profit organization – supports the efforts of the Association of Corporate Counsel, serving the needs of the in-house bar through the dissemination of research and surveys, leadership and professional development opportunities, and support of diversity and pro-bono initiatives. The ACC Foundation partners with corporations, law firms, legal service providers and bar associations to assist in the furtherance of these goals. For more information, visit www.acc.com/foundation.

About Ballard Spahr: Ballard Spahr LLP, a national law firm with more than 500 lawyers in 14 offices in the United States, provides a range of services in litigation, business and finance, real estate, intellectual property, and public finance. Our clients include Fortune 500 companies, financial institutions, life sciences and technology companies, health systems, investors and developers, government agencies and sponsored enterprises, educational institutions, and nonprofit organizations. The firm combines a national scope of practice with strong regional market knowledge. For more information, please visit www.ballardspahr.com.

# # #