Paul Flanagan, assistant professor of law and director of the Privacy, Cybersecurity and Compliance program, co-authored “Defensibility: Changing the Way Organisations Approach Cybersecurity and Data Privacy” with James Goepel, adjunct professor, Bridget Mead, JD ’20, and Jared Miller, JD ’21. In the article, which was published in The Singapore Academy of Law Journal, Flanagan et al. argue that organizations should adopt enterprise risk management (ERM) systems to curtail risks associated with cybersecurity and privacy. Flanagan and his co-authors will present the article to a group of panelists and academics in Singapore in December 2021.
Flanagan was asked to write the article by leadership at National University of Singapore (NUS) in autumn 2019 when he was a Visiting Senior Fellow and teaching a three-week seminar at NUS. Flanagan’s visit to NUS was part of a Fulbright award that he was granted, in part, because of his unique approach to compliance, privacy and cybersecurity.
“It’s a three-legged stool,” Flanagan said of the relationship between the three fields. In other words, in Flanagan’s view, an organization can’t have sufficient privacy and cybersecurity protections without a compliance plan. But within the realms of cybersecurity and privacy, compliance goes beyond a company simply coming into compliance and moves toward proactively planning to respond to risks.
Flanagan recommends employing the ERM model because it requires an exhaustive analysis of actual and potential risk across all of an organization’s activities. The ERM model is especially relevant as national and international law continues to evolve in response to the changes taking place in privacy and cybersecurity.
“While multinational states and individual nations are addressing privacy and cybersecurity in their own ways, there is growing consensus that these issues will need to be faced on a global scale,” said Flanagan. “My scholarship is at the forefront of addressing these issues, and my approach is to use what we know works in the fields of compliance and risk management.”
Flanagan, who spent years working in compliance, privacy and cybersecurity in healthcare corporations before coming to Kline Law, said that countries across Asia, especially Singapore, have taken an interest in his expertise as well as his philosophy. While the U.S. has a longer history of compliance, it does not have a comprehensive federal privacy law. Meanwhile, Singapore and other countries in the region have begun implementing comprehensive compliance programs as well as innovative cybersecurity and privacy law. Singapore’s approach to these fields pairs well with Flanagan’s experience and scholarship.
In fact, the interest is so widespread throughout Asia that Flanagan was selected to author a series of books for LexisNexis about cybersecurity and privacy for several major countries in Asia, including Singapore, Malaysia, Thailand, Indonesia, Vietnam and the Philippines.
Data Privacy and Cybersecurity Law: Risks and Mitigation, the first book in the series, will include a discussion of the cybersecurity and data privacy legal situation in several Asian states and will be published in 2021.