A ‘defensive shield’ for legal cybersecurity risks


The top lawyers in the UK’s largest companies have recently come together and recommended a “defensive shield” strategy to deal with their companies’ legal cybersecurity risks.

The top lawyers in the UK’s largest companies have recently come together and recommended a strategic framework that maps well to New Zealand.

The strategic framework maps well to New Zealand, to what other cybersecurity specialists are doing, and to what senior managers and boards are or should be doing.

It is also good material for getting the attention of CEOs, boards and lawyers: although they know cybersecurity is an issue, they don’t necessarily have all the tools and detail on these increasingly bet-the-bank issues, as we outline here.

The report, Cyber security law and practice, was produced by the GC100, the association for GCs of the UK’s largest 100 companies.


It tracks the legal risks – we outline some of these below – and lists recommendations for a framework for handling the issues, including:


• Understand the legal framework, which is made up of multiple aspects, both domestically and internationally;

• Apply best practice cyber security standards;

• Ask a series of listed critical questions, to raise internally and with external suppliers, including external law firms (law firms are known for leaving the back cyber door open);

• Build a “defensive shield” against regulatory action and litigation:


That “defensive shield” is at the heart of the framework and can integrate well with what other experts are doing. The report notes:

“Organisations that track regulatory guidance, regulatory enforcement actions and court cases relevant to cyber security will be able to use their knowledge to construct a strong “defensive shield” against regulatory investigations and litigation arising from security breaches.”

Much of the legal exposure is reduced or eliminated if best practice procedures are used to reduce or eliminate cybersecurity risk. For example, the law of negligence and the Privacy Act generally do not require more than best practice: 100 per cent protection is not expected (and can’t be achieved anyway, of course). As with good IT practice, the level of protection will closely relate to the sensitivity of the information (John’s online pizza order is not particularly sensitive: his chlamydia history is).

There are multiple ways in which organisations can be exposed, both domestically and internationally.


Exposure can arise under the Privacy Act, and this is increasingly a big area, illustrated by the Privacy Commissioner’s recent decision to name and shame wayward companies rather than hold back as the Commissioner has in the past.

The law of negligence and duties as to confidential information can raise issues, as can the law as to IP. Something particular to watch for is getting contractual buy-in to cyber security obligations from suppliers, and also watching out for downstream contracts which may extend cybersecurity duties to a 100 per cent requirement to ensure no breach.

All these need to mesh with IT, communications and governance strategies.

In the end, it is that defensive shield concept of keeping on top of the issues that is key, having established the approach initially. The report provides a framework to achieve this.


Michael Wigley is the Principal of Wigley + Company, a law firm specialising in ICT. He can be reached at
