The Association of Corporate Counsel (ACC) Foundation has released the largest study of its kind on corporate cybersecurity. The study was underwritten by Ballard Spahr.

It provides insights on cybersecurity issues from more than 1,000 corporate lawyers at 887 organizations worldwide – most of whom hold the position of General Counsel (GC) or Chief Legal Officer (CLO). More than half of in-house counsel report that their companies have increased spending on cybersecurity. Still, the report indicated that many organizations are not taking basic precautions to prevent a data breach. The State of Cybersecurity Report shows that:

  • One-third of in-house counsel have experienced a data breach
  • Breaches are more than twice as likely to occur at large companies
  • Employee error is the most likely cause of a breach; inside jobs are second
  • Worldwide, in-house counsel say reputational damage is the greatest concern, followed by loss of proprietary information, and economic damage
  • Most corporate executives learned about a breach from their IT departments

"After years of high-profile data breaches, most companies are rightly focused on cybersecurity," said Philip N. Yannella, a leader of Ballard Spahr’s Privacy and Data Security Group. "General Counsel and CLOs clearly understand the need to put into place appropriate protocols to protect against cyber threats and to respond quickly to those threats."

Although employee error is the most common reason for a breach in all global regions except Asia Pacific, fewer than half of in-house counsel reported that mandatory training exists at their companies. Even fewer say that their corporations track employee knowledge, demonstrating a wide disparity in how companies approach preparedness. At the same time, 56 percent of in-house lawyers say their companies are allocating more money to promote cybersecurity than they did last year. Half of them said they want to play a much greater role in cybersecurity matters.

"In-house counsel operate at the intersection of complex legal and business challenges facing companies today," said Veta T. Richardson, the President and CEO of ACC, a legal association representing more than 40,000 in-house counsel worldwide. “It is not surprising to see that general counsel and chief legal officers are playing an increasingly active role in cybersecurity strategy, risk assessment, and prevention.”

Data breaches are more common at large companies: 45 percent of in-house counsel working at companies with more than 5,000 employees said they have worked at a company that experienced a breach. Among in-house counsel whose companies experienced a breach, 47 percent said it had occurred in 2014 or 2015.

The causes of a data breach also were explored in the study. Employee error was the most frequent cause of a breach (24 percent), followed by inside jobs (15 percent), phishing (12 percent), access through a third party (12 percent), lost laptop or device (9 percent), application vulnerability (7 percent), and malware (7 percent).

In-house lawyers in the health care/social assistance industry are almost twice as likely as average (56 percent versus 31 percent) to report that they have experienced a data breach, with insurance industry in-house lawyers (36 percent) a distant second. Health care industry in-house lawyers also are most likely to have purchased cybersecurity insurance and to have agreements with vendors requiring these third parties to notify them in the event of a breach. Across all industries, only 7 percent of in-house counsel have the highest degree of confidence that their third-party affiliates protect them from cybersecurity risks. A majority, 60 percent, are somewhat confident.

Other significant State of Cybersecurity Report findings include:

  • Among in-house lawyers whose companies have experienced a data breach, 19 percent say their cybersecurity insurance policy fully covered related damages.
  • Fewer than two-thirds of GCs/CLOs report that third parties are required to notify them in the event of a breach.
  • One-third of GCs/CLOs have retained outside counsel to help in the event of a breach.
  • Corporate lawyers in the retail industry are most likely to report that they proactively collaborate with law enforcement or other government agencies to address cybersecurity risks.

The attorneys in Ballard Spahr’s cross-disciplinary Privacy and Data Security Group are experienced in conducting cybersecurity risk assessments, drafting information security plans, and representing companies in responding to information breaches and related litigation. They help clients around the world mitigate risk, respond in the event of a crisis, and recover.

For more information on the 2015 State of Cybersecurity Report, please visit