In conversation: David Mace Roberts, General Counsel, Electronic Transaction Consultants, LLC (ETC)

David Mace Roberts

Awareness of cyber risk is increasingly catching the attention of boards of directors and senior executives. For Electronic Transaction Consultants (ETC), cybersecurity has been a top risk priority for a long time. As a leading provider of smart mobility solutions, including electronic tolling solutions, we manage back-office systems and roadside systems for many prominent state tollways. That means we are dealing with personally identifiable information, payment data and a range of other sensitive data that we need to keep secure.

Regardless of the sector a business operates in, I would argue that cybersecurity is now a primary risk. The frequency of attacks and the aggressiveness and skill of the threat actors perpetrating them has grown exponentially. Threat actors are hitting ever larger targets, and the widespread use of cryptocurrency has aided the ability of threat actors to obtain money. In the absence of national or global legislation that restricts the ability of companies to pay ransom, threat actors will always be able to find an opportunity. But it is worth remembering that most of this crime is opportunistic. From the threat actors’ perspective, cybercrime is a business – potentially a very lucrative one. For general counsel, reducing these opportunities is essential.

It behooves any GC to understand what protections they have in place and to test whether they are adequate in the current threat environment. Lawyers may not feel cutout for this, but their ability to spot gaps in a defence strategy – even if only at a conceptual level – is often hugely important. Fortunately, many of the most effective steps an organisation can take do not rely on a high degree of technical familiarity with IT systems.

There are steps that organisations can take to enhance their cybersecurity regime, including using Endpoint Protection, implementing remote monitoring, tracking and remediation. Updating remote access protection, installing virtual firewalls and multi-factor authorisation are all very important as well. Of course, you don’t want to stop your company doing business, so even with things like multi-factor authentication you need to think about how often it is required and whether it needs to cover every device or network.

In a hybrid or work-from-home environment this is especially important. Again, there are simple tools that can make a big difference. Office 365 Advanced Threat Protection helps to detect and block potentially malicious files from entering document libraries or team sites, or locking the file and preventing anyone from accessing it once it’s been identified as malicious. Also, these files are included in a list of quarantined items, so members of the security team can download, release, report or delete them from the system.

The other element that GCs must keep in mind is training, whether for their own team or the organisation more broadly. First, regular training is essential. If you only train once a year [the message] loses its impact and offers minimal protection. The form of the training is also important, and it pays to get creative. There are services available that do mock attacks with a fake phishing email sent around, and then if someone clicks on the link in error, they must take a remediation course and will ideally not make the same mistake again.

Of course, even the best protections and training cannot prevent a cyber incident from occurring, and having a robust response plan is essential to any cyber risk framework. A lot of companies will pull up a one-size-fits-all cyber response plan, but that’s really not good enough. A bespoke cyber response plan needs to be custom crafted for both you and your industry, and you should have a cyber response committee within the company. Everyone on this should know they’re on the team and know exactly what to do when an attack occurs. That response plan should be periodically tested in a mock attack, so it becomes part of the team’s muscle memory.

Cyber rigor, like any other part of a company’s overhead, can be seen as a non-essential cost. It is not. If you are a senior member of a public company, you’d do well to look at the SEC, the NYSE and NASDAQ who are all really pushing cybersecurity. A cyber incident is already an event requiring an 8k event form be filled out within three days, but it is increasingly becoming a potentially catastrophic reputational risk.

Ask yourself: Do you want this on the front page of the Wall Street Journal, New York Times or the Washington Post? Do you want to have to answer to your board of directors, or to the securities regulators or to the investors or to the general public? If not, then taking the risk seriously now is the best defence.

In conversation: Olga Rodstein, General Counsel, BrightSign

Olga Rodstein

I have always been an early adopter of legal tech and have embraced new technology from very early in my career. Before joining BrightSign, I was a litigator in a commercial disputes and property team. I would often move between New York and Silicon Valley, the global centre for tech and innovation. It is no surprise that when I decided to shift my career to in-house, I was destined for the tech startup world.

I now lead legal operations at BrightSign, a global company that specialises in digital signage media players. Like many companies, BrightSign was hit hard by the pandemic. Fortunately, as an organisation we were very innovative and were able to pivot our business operations and create solutions. For example, many of our applications became touchless. We implemented QR codes and voice recognition technology to make our tech Covid safe. Although business has picked up again and we are able to revert to working with more traditional digital signage, touchless solutions will remain the way of the future.

In the last few years, I have seen an explosion of new legal tech apps that have made a positive impact on in-house legal departments. New technology has enabled general counsel to maximise efficiency whilst minimising costs, enabling general counsel to keep legal teams lean.

At BrightSign, we use a range of legal technology to improve our own legal operations. We have embraced applications such as DocuSign, Box and other contract management tools. Before lockdown, I had made it a priority to digitalise and organise all contracts by storing them in the cloud. This made the transition to home working very smooth for everyone.

Legal tech has come a long way. In just two years, it has undergone a transformation in utility.

It is amazing how efficient our legal operations have become with the introduction of the right type of technology. For instance, by storing documents in the cloud team members are no longer bogged down in finding or filing legal documents. If you need to share a document, you do not even need to email it. You can just send a link and if you no longer want them to have that contract, you can disable the link. This has made sharing confidential
documents even more secure.

Technology has also made collaboration more efficient. Documents in the cloud can be edited by different departments easily. People from different areas of the business, such as finance, can share their comments on a particular contract effortlessly. This collaborative approach has transformed legal work.

Going digital has also been great for the environment. Technology today has made legal documents more easily stored and accessible. By embracing electronic filing, titles and images of documents can be scanned by a simple search. This is particularly useful if you are looking for a clause or sentence in a large contract. Legal tech eliminates cutter and the need to organise physical files.

Electronic signature technology has been incredible. Documents no longer need to be printed and can be signed from your phone. Within our legal team we try not to print documents to reduce our paper usage.

Although I am a big believer in legal tech applications, GCs need to be honest with themselves that not all tech is useful. As general counsel, you have to be smart about which application you choose to use. You should never blindly rely on technology, as applications are designed by humans, and humans are prone to error. For example, we use a HR compliance tool and even though it is great we have to ensure that its functions comply with California law. The application could be designed to meet the legal requirements of another state or jurisdiction, so blindingly trusting an application can be problematic.

That means the human oversight piece will never vanish from the picture, but the likely trend is that legal teams will continue to become leaner. It is a major cost saving benefit for companies to auto-mate labour intensive tasks such as filing or locating contracts. As a result, corporate lawyers will be able to spend their time focusing on more sophisticated legal work. For the future I am exploring tech applications such as Ironclad, Parley Pro and other existing contract software. The future is digital and the potential for legal tech to move business operations forward are limitless.

In conversation: Paul Slattery, General Counsel, Eleusis

Paul Slattery

At Eleusis, we are developing psychedelics for potential therapeutic applications, as well as a care delivery platform that aims to increase the safety, tolerability, and accessibility of any ultimately-approved psychedelic drug therapies. It is a complex path from drug discovery, to preclinical work, to trial design and regulatory submissions, involving selection of potential patient populations, invention of patient monitoring systems, and optimisation of treatment regimes.

As general counsel, I support our team facing these challenges in preclinical and clinical development of psychedelics for psychiatry, therapies beyond psychiatry, and care delivery. Compliance with controlled substances, FDA, EMA, and other healthcare law is a big part of the role.

Technology enables our legal department to deliver for the business. Calendaring programmes track our patent portfolio, regulatory planning, and submissions, as well as entity management. Task management software allocates diverse work in an efficient and auditable way. Our board portal se-cures and organises our communications and governance documents. Independent data rooms protect trial and observational study data compliant with privacy laws. In short, digital management of our department helps coordinate our remote team to empower Eleusis’ scientists and clinicians.

We also make extensive use of DocuSign, a popular eSignature platform. Neither our contracting velocity nor its global reach would be possible without it. Collaboration in an IP-driven space requires near-constant execution of non-disclosure agreements (NDAs), as well as ready access to their terms and expiration dates. Absent technology, we could not manage that without a much larger team. The next phase for eSignatures is their acceptance by regulators and other authorities on documents like informed consents and filings, and I am glad to see that trend already underway.

For a GC working in the tech sector, particularly remotely, connecting with other in-house counsel is essential. Among others, I joined an invite-only network called TechGC. This community of general counsels from emerging growth companies shares best practices, sample documents, and a listserv. It is invaluable for a lean team practicing outside a law firm’s institutional knowledge and bench of subject matter experts. While the companies TechGC members represent range across industries, there is nearly always a GC who has faced an issue similar to the one in front of me.

Technology has also enabled a shift – accelerated by the pandemic – in the relationship between practicing law and lawyers’ lives.  For in-house legal teams, [working from home] removes geographic recruiting constraints, lowers many folks’ cost of living, and enables around-the-clock availability of a team member without sleepless nights. I am in Venice Beach; my deputy is in New York; and our paralegal is in Florida. That would be unthinkable two decades ago, but technology has made that possible and effective.

On a more human level, technology is just a tool, and it has downsides for my team too. I keep a photo album of working on my laptop in beautiful places – Switzerland, Honduras, Alaska, and Baja. That is either freedom or a little dark depending on how you look at it. Technology means you can work from anywhere, and also could be working wherever you are. Lawyers are susceptible to boundaryless grind, and we are now solely responsible for building divisions between work and the rest of our lives. It is incumbent on a modern GC to set the tone and support team members in building those personalised boundaries.

The advantages of legal tech are clear. It helps lawyers deliver better and faster for the company, and there is headroom for it to do more with natural language processing and similar technologies. If you review hundreds of entities’ bespoke NDAs, you find there is immense arbitrary variation to get to the same six terms. There will be ethical obligations to sort out in handing that to software, in the same way there have been with technology-assisted document review in litigation, but the gains from legal technology make it feel inevitable that we will get there.

Today, when people refer to a ‘technology company’, they are often referring to the application of tech to a traditional sector. Take Lime, the phone-based electric scooter rental service. Is that a tech company or a transportation company with an app? Nearly every industry has been upended by what tech makes possible. Law will be characteristically slow on this front, but it is now law’s turn.

In conversation: Robert Jett, Chief Privacy Officer, Crawford & Company

I have been working on data privacy since before it was a recognised area of law. When I started out, what is now understood as privacy was part of a company’s compliance programme and fell to its compliance officers. Of course, privacy still falls under compliance, but it has become a unique feature of the compliance programme.

To oversimplify things for the sake of making a point, privacy is just compliance with an IT flavour, and it is something I have been giving presentations on to boards of directors and executive management for over a decade.

It’s funny, because I still have a compliance-based approach. I come to the meetings with only four slides. At first, everybody looks at me like I am out of my mind, but they soon understand that we don’t need many more to understand what privacy is all about.

Essentially, privacy in an organisation can be reduced to four fundamental questions: Which data are we collecting? Why are we collecting it? What are we doing with it? And finally, where does it go to die?

In reality, privacy and compliance programmes have to be a lot more detailed, of course, but at the end of the day, if a company can effectively answer these four “Ws”, I would argue that it has a very robust programme.

While the fundamentals of privacy have stayed the same, the environment businesses operate in has not. In particular, the general public is becoming more aware of privacy issues, and the last of the four “Ws” has taken on a new importance. Companies cannot keep data forever and they must find ways to get rid of the data they do not need in a secure manner. Businesses must also remember that security is always key when it comes to privacy. If you’re storing data in the cloud then to a large extent you are relying on a third-party. The quality of its controls and server management may be exceptional, but it is a potential gap in your security.

As chief privacy officer, I work with the chief information security officer daily. Together, we have built an incident response plan for privacy and another for security, but the two are intertwined. My management agreed to it because we demonstrated that cybersecurity breaches are, almost invariably, a threat to privacy. That’s why I would advise counsel to always take the two threats together. You rarely discover one without the other.

Technically speaking, security has improved a lot in the last twenty years. We have created automated tools that can support anyone’s privacy policies. So much that nowadays, most ransomware attacks are due to human failure or insiders. The old approach of making a brute force attack on a server typically does not work anymore. Consequently, the bad people have gone back to tried-and-true technics, like spear phishing, which lead to attacks that take advantage of social behaviours.

I have seen an 80% increase in phishing attacks in the past few years and it has gotten even worse since the beginning of the pandemic. These are often very targeted and very well thought-out from a social engineering perspective. Hackers know that we work and live on our computers and smartphones, and it just takes one careless mistake form an employee for them to download IDs and then access all or part of your system. It is a little scary, and board members are generally very worried about phishing, but privacy professionals are here to help.

I have been tracking what may happen, during and after the pandemic, as regards to medical records. Form a privacy point of view, they have always been sacrosanct, and I think that we are going to start seeing that peel back a bit.

In the US, there has been a lot of hue and cry over vaccinations because there is this tension between the Occupational Safety and Health Administration’s requirements and the level of security that is reasonable to expect from companies. Employers have an obligation to maintain a safe workplace.
This includes protecting people from airborne diseases. Therefore, for them to carry out their duty, they should be allowed to inquire if their employees have been vaccinated against Covid.

These things have never really been allowed in our modern societies, so the ways in which this will play out should be of interest to every privacy professional and general counsel.

In conversation: Alex Tovitz, General Counsel, AbleTo Inc.

Alex Tovitz

The intersection of technology and health is truly fascinating. AbleTo, a leading provider of virtual behavioural healthcare, proves there is a hugely important role for technology to play in providing healthcare, but working out the right blend of technology and in-person connection is an important aspect to the successful delivery of this care.

Our technology can be used to assist people in finding the right therapy and programmes, and when it comes to behavioural healthcare people’s reliance on technology is only going to increase. Our telehealth tools strengthen the relationship between our therapist and our patients in a safe digital space.

Our services consist of a number of licensed therapists that provide virtual behaviour therapy to individuals and businesses. During the pandemic our company grew significantly. The strain of lockdown caused many people to turn to online health services in a way we had never seen before.

Given the centrality of tech to our offering, it is no surprise that our work in the legal team is also heavily reliant on technology to deliver service to the business. For example, we have been working with a number of vendors to implement a new contract management platform. Making all contract work digital will be our next step as a growing organisation.

We also operate a very distributed legal team, with professionals based everywhere from Florida to Texas and upstate New York. To be efficient with that set-up you need to coordinate effectively, and tech tools – even fairly simple ones like Google Docs – are essential in allowing the team to share documents and stay connected.

However, it is the not so simple tools that offer the most exciting possibilities. When I first started practicing law over 20 years ago, I could not have predicted where we are today when it comes to legal technology. The legal tech space is growing and there is really a wealth of options on the market now.

For any lawyer that is midway through their career, getting comfortable with technology and change is very important. I started my career in litigation and a large part of the job was manually looking up case law. A lot of what I did was stamping, numbering and producing documents. Just last year I was handling some legal matters and I could see how much legal tech has made the practice of law more streamlined and efficient.

This pace of change will continue and it will have a transformational impact on in-house teams. While artificial intelligence has been hyped for a long time, it is clear that practical applications now exist. Certainly, algorithms are being created that not only assist with contract management, but also generate basic legal advice. It is inconceivable that such tools will not be used to help improve team efficiency over the coming years.

Another interesting emerging technology is blockchain, AI and smart contracts. How quickly these spaces develop are yet to be determined. Nevertheless, I believe legal technology is bound to change the practice of law within the next ten years. Attorneys – including myself – should continue to embrace the change that comes with legal tech.

This is a potential danger for the career stability of lawyers – after all, in an already crowded market the last thing a lawyer wants to hear is that technology will make large parts of the job redundant. However, for general counsel, and perhaps also for professional advisers of all kinds, it is an intriguing opportunity.

If tech can be used to reduce administrative work, and all the signs are that it can be used very effectively to do this, then more time can be spent on legal analysis and strategic legal work. Any form of technology that helps lawyers represent their clients more effectively and efficiently should be embraced. This is where I see legal technology making the biggest impact.

One of our top priorities at AbleTo when it comes to technology is privacy and protecting the health data of our users. Making sure we have the right privacy infrastructure is not only a legal imperative, but also a business one. Our participants share very personal data on our platform, and we work very hard to ensure it remains private and secure. I have a dedicated chief privacy officer who works to ensure this data remains secure. We also need to make sure we are compliant with all national and state laws when it comes to data protection.

In conversation: Chris Young, General Counsel, Ironclad

Chris Young

When legal moves fast, business moves fast. Time kills deals, and often moving at speed is imperative. For in-house counsel, the need to move quickly can be a source of tension. No lawyer wants to hold business back, but it takes legal time to review a contract and ensure compliance. Rushing can generate risk that comes back to bite you.

This longstanding tension is not only a problem for GCs. At a basic level, all lawyers are contracts lawyers and all the businesses they serve are contracts businesses. The contract is the most fundamental unit of commerce. Whether it’s an offer letter, an employment agreement, a stock options agreement, a vendor agreement with a third party, a sales agreement, a marketing agreement, or any other form of agreement, business relies on processing contracts at speed.

The sweet spot is when you’re moving quickly and responsibly. The tension between speed and risk is something lawyers have struggled with for a long time. You cannot put yourself in harm’s way just to move quickly, and you cannot put yourself in a position where you’re losing deals because legal is taking too long to process contracts. When you’re moving at speed without compromising internal rules or policies, you’re doing well.

At Ironclad, and among our hundreds of customers around the world, we have worked to tighten the relationship between legal and commercial teams. Ironclad is the preeminent digital contracting platform for business. Our focus is on the end-users, whether they are in sales, HR, marketing – any function or professional that deals with contracts can benefit from the platform. We do not consider ourselves a legal tech company. Our enterprise-wide software is often deployed and administered by the legal department, but it frees lawyers from having to generate contracts.

When I run orientation sessions for clients, I like to begin showing a painting from the seventeenth-century, The Village Lawyer by Pieter Brueghel the Younger. It depicts a lawyer sitting at his desk surrounded by mountains of paper. A queue of people stands around waiting for his time. The one thing blocking them from going back to business is waiting for an interpretation. And that interpretation is likely to be something relatively simple. “What does the contract mean, what terms or provisions are contained within it and who owes what to whom?”

Too often, this is still the case today. Legal is the central hub for contract review. It is also the chief bottleneck when it comes to speed of business. At Ironclad, we are changing that by powering the world’s contracts in a way that legal teams love.

For example, using our no-code workflow builder the legal department can generate contracts and templates for any number of purposes. With Ironclad, a single workflow can produce hundreds of different versions of a document, whether it is a Non-Disclosure Agreement, Enterprise Services Agreement or any other commonly encountered legal document. This means various teams across an organisation can generate their own contracts while staying safely within the guard rails set by legal: Who can sign which contract? Who is part of the approval authority matrix? Does that change if the contract rises over certain financial thresholds? All this is stored in a fully searchable repository so things like data breach notification obligations can be identified at the click of a button.

Ask not what your company can do for you

As legal tech matures it is not only allowing GCs to do their jobs faster. The really exciting thing is that tech is now changing how GCs can bring value to their companies. To take one example, I can now look at our sales contracts and know which of them has gone through one round of red-line edits, and which has gone through two rounds of red-line edits. That allows me to identify patterns in the data. I can see that when a contract has gone through one round of red-line edits the probability of a deal closing is at a certain level. With two rounds of red-line edits that probability rises significantly.

That is the sort of data that GCs just didn’t have access to before. It means we can more accurately forecast what the quarter is going to look like using data generated and held within the legal function. That’s just one of dozens of applications you can put legal analytics to, and it is exciting to see what is now being done with this sort of information.

If you’re a GC and you don’t know where all your contracts are or what’s in them then there’s a lot of room for you to significantly up-level your compliance measures. Recently, Ironclad acquired PactSafe, an Indianapolis-based clickwrap transaction platform that enables companies to process high volume agreements. From create to review to negotiate to sign to store and repository, contract lifecycles do not just exist for B2B contracts. For a growing number of businesses, monitoring B2C contracts is becoming essential.

We’ve all been through the experience of signing on to terms of service in the B2C space. Whether it’s Uber, Spotify, or any of the apps and services we have come to rely on, we have all given manifest assent to a contract by clicking a box. Behind the scenes, companies need a way to manage those millions of clicks. When facing litigation or a potential class action, companies will need to identify which users signed what agreement. To get even more granular, they may also need to quickly come up with evidence that most, if not all, of a proposed class had signed an agreement containing the relevant arbitration clause. That sort of litigation is highly likely when you’re a successful company and having the tools to manage and process large volumes of data is key. We are excited to explore how this process of manifest assent – a process very similar to e-signing – can be used more widely in the B2B space.

No excuses

For many lawyers, legal tech has been a series of false dawns. It has often promised to revolutionise the way lawyers work, but it has rarely delivered. That, finally, is set to change. For the first time ever in the history of the legal profession there is cutting-edge technology that allows us to do our jobs more effectively as lawyers. The whole profession is now waking up to what it can do differently, and in-house legal teams are driving this change.

In-house teams used to ask their law firms about technology. Now it’s the reverse. GCs are encouraging their firms to adopt technology, and firms are hearing about the most useful software and tools from their customers. But technology is only one part of this transformation story. The rise of legal operations as a specialism has been just as exciting.

For years every department at a major company has had its own ops function. Marketing, engineering, sales – all of these departments have relied on operations professionals to keep them moving. Now we are seeing that in legal teams, and it is having a transformational impact on the way systems, processes, people and tech work together.

GCs have always faced the same question: how can the legal department cope with increasing work volumes as a business grows? Are you going to add bodies as legal departments have done for decades now, or are you going to use technology and smarter processes to scale up? Increasingly, technology is the only viable option. I have made it my goal as GC to practice what I preach. At Ironclad, we have one commercial counsel servicing over 60 salespeople who negotiate up to dozens of deals each day. The only way that’s possible is by leveraging our own system.

My goal as a legal leader is to have one of the leanest departments out there. A lot of GCs talk about wanting more headcount – I take the opposite approach and ask how I can keep the team as lean as possible. For legal teams struggling to stay on top of things, try this: instead of scaling by adding more people, scale with systems. Measure the success and improvements you can get through using the right tools and processes. The results will convince you that technology can have a transformative and liberating impact on the legal team.

In conversation: Cameron Forbes Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow – Governance Studies, Center for Technology Innovation, Brookings Institution

Cameron Forbes Kerry

Privacy law is a subject that has interested me for a long time. Even as a college student – although I was the paragon of a classic liberal arts major who avoided hard sciences – my best paper was on comparative law issues between French and American rights to privacy. However, it was not until I began working as a lawyer that I started engaging with cybersecurity and data protection as anything other than abstract concepts.

In my early career I was a communications lawyer and a litigator in the cable television and telecommunications industries. These are sectors that have had privacy protections for customer data for some time – in the case of cable television these protections date back to 1984. Working in that field gave me a lot of exposure to communications technologies and helped me to understand how various systems operate, the type of data flowing over them and what sort of information is captured by providers.

When I joined the Department of Commerce as general counsel in 2009, I was aware that privacy and cybersecurity were becoming increasingly important issues. Even before I was confirmed by the Senate, we spent time working on these topics, thinking about what we should be doing. Very early in the Obama administration, after I had deepened my familiarity with the matter, I advocated for action to deal with privacy issues.

The government seemed interested, and the White House empowered me to lead an Inter-Agency Committee to look at this more closely, which led to the development of what ultimately became the Consumer Privacy Bill of Rights Act in 2015. This was a compelling leap forward.

I resigned as Acting Secretary of Commerce in late 2013, since which time I have been a visiting scholar at the Massachusetts Institute of Technology Media Lab and at the Brookings Institution, where I am a member of the Center for Technology Innovation. My work at these institutions follows the ways in which public policy and the law is adapting to the evolution of technology, but also to design better governance for advanced and transformational technologies such as artificial intelligence.

Over the past decade or so, I have been involved in high-level exchanges on artificial intelligence policies among several countries – the US, the UK, Canada, Singapore, Australia, Japan, and also with the EU. Along with other experts, I have been looking at opportunities for stronger international cooperation on this front. The appreciation that such cooperation is necessary has certainly grown over this time, and the channels allowing for inter-governmental cooperation have become much more sophisticated.

My experience in politics and familiarity with legislative processes has undoubtedly helped me in this work – it is impossible to design good governance without appreciating how things get done at a governmental level, how to gauge what is possible, and how to frame issues in ways that speak to members of Congress or to the public.

This is especially important when it comes to topics such as analytics and big data. Because of their ability to discern unique patterns in a data set, or to link one data set with others, these technologies are turning things that have traditionally not been regarded as personal information into powerful and exploitable data sets.

In such an environment, defining limits and setting legal requirements can be more complicated than ever before. There is so much value in data now that society and enterprises have increasingly important interests in how it is used. That is why, even after a life spent in the field, I still consider the legal implications of technology to be among the most important questions we face today.

In conversation: Ashley Herring, Global Legal Programme Manager, Boston Consulting Group (BCG)

My route into legal services has been a slightly unusual one. I did not graduate from a legal program and spent the better part of my career as HR Immigration Manager at Boston Consulting Group (BCG). However, as a business studies graduate I have always worked adjacent to law, and when the chance to transition into an operations role came up I grabbed it.

In my previous role at BCG, I had worked closely with Antonia Peabody. In 2017 she launched what is now BCG’s legal strategy and operations group and it was always my intention to follow her. I had been tangentially working in the legal field, the issues thrown up by legal departments interested me a lot, and in my role as immigration manager I had started to work more and more on designing processes and building out strategy. That made the move to legal operations (legal ops) seem like a natural fit for me.

In some ways it is an unusual background, but I feel the most successful ops functions bring together a diverse talent pool. A nontraditional legal background allows you to examine how the legal function works with fresh eyes, and to bring a perspective that may be different from that of a lawyer. Besides, our philosophy in the BCG legal strategy and operations group is that if you put talented people into a role, they will contribute to your strengths.

The legal strategy and operations group was formed at an inflection point for BCG. We were acquiring businesses, branching out into new businesses, and our digital business lines were taking off. A lot of exciting change and growth was taking place, but when you’re facing that sort of growth there is a risk that different teams will end working in silos. The question we faced was how to create a group that could support the strategy we needed to move forward as a coherent organisation while also putting in place the operations needed to be successful across many different dimensions.

A big part of my role is focused on enhancing our contract management database. We have an entire sub-team dedicated to the day-to-day side of managing our contracts, but as ops professionals we look at the longer-term strategy and ask how existing practices can be modified to help our senior leaders manage the full contract cycle process.

There is of course a legal component to this work, it presupposes a high degree of familiar with legal terminology and processes, but in essence it is about taking a practical challenge, breaking it into its component parts, and distilling it down to something that can be communicated to senior leaders, both internally and externally. It’s about driving change, orchestrating communications and continuous improvement. To do that well you need a clear vision and purpose, and it always starts with a “why?”.

Having a purpose-driven process is particularly important when it comes to the in-house function. It can be tough for legal teams to do this. They can be vast, and they are involved in so many different things from employment to litigation to everything else. In spite of that, and perhaps even more so because of that, it’s helpful to ask yourself the question of what you are trying to do as a function and why you are trying to do it.

The temptation for a lot of in-house teams is to set things up in a very transactional way that looks to a large extent like the model of an internal law firm. That is not really the best structure, and it doesn’t give the best results. Legal should not let itself become a dumping ground – it overburdens the lawyers and takes away from what the function can deliver to the business.

Setting up things in a way that lets you extract data and make data-driven decisions is essential to this. With our contract management platform, we track everything: how many contracts are going in; what the adoption rate of the platform is among senior staff; whether it is being used properly; how aggressively we are pushing back on certain contracting terms; the risk profile of a class of contracts, how practical we are in our terms.

This is giving us new and incredibly useful insights into the work the legal team does, how it intersects with other functions in the business, the expectations and needs of our end-users, and where the bottlenecks in the process might be. From a legal ops perspective, however, we always try to keep in mind that while technology can play a big part here, technology itself should not be the goal. The goal is being able to structure decisions and processes in a way that is based on data and numbers.

In conversation: Richard Brzakala, Director – Global Legal Services, CIBC

I was almost a unicorn when I first started working in legal operations 20 years ago. The concept of operations, though well-defined in other business functions, was not well understood among legal counsel. Only the largest and most sophisticated legal departments were using e-billing products or matter management, and only the most far-sighted GCs thought of their function as a set of systems and processes that could be improved by careful design.

Today, there are armies of people working in legal ops, supporting GCs in their attempts to improve the efficiency and effectiveness of the legal function. A big reason for that shift is that legal teams have come under increasing pressure to constrain costs and avoid unnecessary expenditure. Improving efficiency has become a second mandate of the GC role, one that sits alongside managing purely legal matters on the list of priorities for business. And so, inevitably, legal ops professionals have entered North American corporate legal functions, tasked with finding the latest and greatest things in the marketplace that can help improve processes.

The rise of legal ops has been accompanied by a rise in legal technology. The increasing sophistication of legal technology means that data is now starting to speak to us and reveal patterns that were previously hidden. For example, by leveraging data and information from billing systems, legal teams are better able to understand the inefficiencies in a process.

The marketplace for legal tech has matured and evolved so rapidly that it is becoming all but impossible for busy general counsel to keep up with developments. Covid has been a huge catalyst, increasing the speed with which we are moving into a virtual workplace, but the wind was already in the sails of the innovators, driving greater choice and competition in the space. What all of this means for corporate legal departments is far less clear, but there are some clear trends we can identify. 

The changing relationship between clients and law firms has been spoken about at length, but the significance of this change is still not widely understood. It feels as if there is a revolution taking place in the legal services industry, but the evidence for this is not appearing where many expected to find it.

While there has been a general tendency among businesses to shrink their pool of external firms, the impact of this has played to the advantage of many of the market’s most dominant players. In a typical panel only a small number of firms are ever likely to be deemed key strategic partners. While it is true that corporate legal departments are paring down their panels and moving more of their strategic work to a smaller constituency of firms, the firms that survive are the ones that have historically handled big class actions or M&A deals on behalf of a client.

These firms have reached that almost utopian state where price is rarely an issue. Clients are not going to nickel and dime them on invoices because they are deemed to be delivering true value. When it comes to appointing these firms, particularly on bet-the-company matters, the board of directors is standing behind their GC. In short, there is absolutely no evidence that the traditional elite will be disrupted anytime soon.

The mid-tier law firm space is perhaps more interesting. Clearly, these firms have been hit hard by disruption to the market: competitive pricing has become extremely challenging in a market where transactional work has either abated or moved to alternative providers. Meeting growing client expectations around information security is also much more challenging for smaller firms, particularly as concerns over cyber risk and handling of information have come into the limelight recently. This alone could lead to a firm being delisted from a panel.

At the same time, these smaller firms have the potential to be more agile. They can be more receptive to new ways of working, which is an advantage in a world where clients want to collaborate with and learn from their providers. It can be easier to form that sort of chemistry with a smaller firm.

There is a greater awareness, certainly among legal ops, that a firm is more than its partners. We want to know who works on project management. All people bring value to the organisation, and as much as we like and respect managing partners, we also now want to know the wider firm. It’s a very much a symbiotic relationship, which is exactly how it should be. Like any relationship, both sides need to put in the effort to make it work, but the rewards can be hugely beneficial for both sides.

In conversation: Damian Olthoff, General Counsel, PROS Holdings

Damian Olthoff

Since I joined PROS Holdings in late 2011, I have seen the company triple in size. Most of that growth happening during the last few years, so its fair to say we have been on an incredible upward trajectory.

PROS Holdings is an AI-based software business in the B2B space that optimises shopping and selling experiences. For example, we create the software that airlines use to price tickets. In a range of sectors and industries, we develop innovative software that services some of the largest companies in the world to deliver frictionless, personalised purchasing experiences designed to meet the real-time demands of today’s B2B and B2C omni-channel shoppers.

In 2015, we made the decision to pivot our on-premise software-based service to a subscription-based cloud software model. At that time, roughly two-thirds of our revenue came from licenses and professional services, so the move was a major change for our business model. Although not an easy transition, it was a necessary and successful move that secured a path to further growth.

As a result of this work, we were well positioned to work virtually using digital tools as a company, almost at the flip of a switch. Even so, when the pandemic hit the working culture of our organisation changed quite radically, and the legal department had to evolve at speed.

One important change was shifting the way legal interacted with business. When working in the office, it was common for people to swing past the legal department with their questions. In a virtual environment that opportunity does not exist, so it was something we had to adjust to very early. We were able to modify a service desk software system our company was already using and implement that for our legal team. Since people were already familiar with the programme it was very quick and easy to set up.

The results have been very positive, and it has certainly caused me to question why we didn’t think of doing something similar before. We have since built this out to handle all day-to-day legal matters. Now, instead of knocking on the legal team’s door, employees know where to submit their requests and how to track them in real time.

A secondary benefit of this approach is that it has given us metrics on the work we do. We can see who is working on a matter, the response time to the matter and we can easily review the volumes of work coming through. We can also scale by analysing the complexity of the work and the cycle time it takes to complete tasks. There have been a lot of benefits from adapting our processes.

The biggest advantage with going more digital is transparency. This system allows us to give great visibility into how matters are doing overall, and how they are being handled. It also allows us to see how much of what we are doing is actual legal work – as opposed to process work – and whether a matter can be handled more efficiently. This empowers our team to better delegate work and to focus on matters that require specific legal expertise.

Contract automation has also shortened the time it takes to put together standard agreements. We did some analysis and worked out that it takes a paralegal 20 to 30 minutes to put together a standard contract. If you take into account the volume of contracts the average business does, you realise pretty quickly that you will need a small army of people just to keep up with that side of things.

By automating standard company contracts we enabled commercial teams to assemble their own documents, injected a level of transparency into the process, and allowed the legal team to focus on more strategic questions and less on standard operational work. When it comes to contract work, being able to flag and address non-standard terms in real-time is the next frontier.

Just like the GPS in your car, I believe in the future we will be able to use relevant data signals to navigate legal matters using AI. I do not think this will happen broadly in the next couple of years, but certainly it may in the next decade.

Implementing these processes did not happen overnight, but the impact has been transformational. Compared to a few years ago, the quality and sophistication of the work we do today can be attributed to capacity created from the implementation of legal tech.

We now have systems in place that allow us to track the common questions we have dealt with in the past. This is truly empowering. It means legal advice is based on real data and gives us all the conviction that what we are doing is not only reasonable, but also marketable. For a support function, it is incredibly powerful to be able to assign a dollar amount to the contribution you’re making to the bottom line.

Just as importantly, it frees up our capacity as in-house counsel to focus more on other things, whether that be data privacy, compliance, ESG or D&I. Lawyers are more than contract jockeys and they can add value to many areas of a business. Technology is liberating lawyers and giving them a renewed purpose.

Despite all the clear advantages technological innovation provides, the legal profession as a whole has been slow to adapt. The next step will come when legal software providers move their offering to target in-house practitioners. This tends to be an area of the market that is receptive to new ways of working, and we are already seeing a shift in the focus of software vendors.

I have encountered many conservative professionals in my time who are averse to change. But, as with everything, the moment will come when the pain of staying still becomes greater than the pain of moving.  We are not far from seeing that tipping point as the pace of change continues to accelerate, and GCs as a group are increasingly aware of this.