INSIGHT: GCs Tackle Key Role in Data Protection—Balancing Ethics and Security

Our expanded reliance on information reaches all business domains, especially in the legal profession. Attorneys may not traditionally be known as early adopters of new technology, but current reality proves law firms and corporate counsel alike rely on data for their own operations, as well as to support clients and organizations they serve.

The increasing volume of data related to legal responsibilities and oversight, along with emerging regulations regarding its protection, imposes new levels of accountability, liability, and ethical duties onto the legal practitioners entrusted with it.

Rather than regarding data security as just IT’s domain or a burdensome obligation, general counsel and their legal departments will be best served by assuming proactive involvement with cybersecurity. That includes asking their company’s IT team questions about corporate cyber policies, working with them to understand their technology infrastructure and policies on vendor security, and taking a lead role in establishing data governance procedures and protocols.

Understanding Tech Issues Is Vital

It’s imperative for GCs to understand these technical issues to ensure their own operations are keeping sensitive data private and secure. Further, they need to understand the potential liabilities their organizations face in the event of a breach, and those liabilities are compounding.

Proliferating new regulations—such as the EU’s GDPR, the APEC Privacy Framework, the California Consumer Protection Act, and a patchwork of laws across the United States—creates a far more complex compliance environment than ever before. Although legal departments in some organizations may hold compliance responsibilities, it is generally managed as a separate function in other organizations.

Prone to an abundance of caution, compliance teams may sometimes conflict with IT, usually under great pressures from the business, to enable operational functionality at a competitive pace. Given how widespread data is now, it’s not unusual for IT to have lost adequate track of their data diaspora.

In tense situations between compliance and IT, legal can serve the important function of quarterbacking the two—making sure all appropriate requirements are met and promoting understanding of the risk trade-offs that may be needed to favor important business initiatives.

What’s more, a GC is likely to be called upon to lead an organization’s response to a data breach. This makes sense, given that a data breach involves an array of multifaceted legal issues. GCs have visibility into cybersecurity planning and compliance activities, as they fill a natural role as the line of communication to legal authorities and government agencies.

In today’s complex and rapidly developing technological landscape, it’s important that legal practitioners lead the charge in going beyond just compliance, to ensure ethics are deeply embedded into everyday decisions when handling and managing sensitive data from their clientele.

Steps to Take

What are some practical steps that GCs and legal departments can readily take to ensure stronger data protection?

First, implement scenario-based training on a regular basis and establish universal ethical guidelines that goes above what’s expected under the law. This will help to ensure organizations are prepared for a variety of disputable situations, as well as form a preventative foundation across an organization.

Next, minimize access to the data. In some environments, too many employees have unfettered access to sensitive data—even to information not related to the performance of their work. Institute a “need to know” policy: reduce file sharing, set user permissions so that data is only editable by those who need editing authority, and institute a stringent system to keep better track and control of who has access to what.

Deploy certain restrictions when accessing the internet. Limit what sites employees can browse and restrict what they can do with their computers as well as with their personal devices that may access the company’s network. It is unfortunately easy for even the best-intentioned employees to click on malicious links that look completely legitimate. Bad actors are always lurking for any opportunity to get their hands on data from connected devices.

A good document retention policy can also go a long way toward reducing the amount of data companies are managing. There is an added benefit of limiting the number of documents available for discovery should the company face litigation. A comprehensive approach to records retention—and destruction—is crucial to protecting sensitive data.

Finally, use caution when engaging outside counsel with third parties—especially if they are new vendors with whom you’re unfamiliar. Artificial intelligence technologies can thoroughly vet these external sources for their own compliance and security safeguards, as well as other criteria like their past experience and qualifications. Clearly define a set of responsibilities in the initial agreements with the vendor. If they can’t assure their practices are trustworthy and ethical, perhaps it’s best to move on to a different provider.

Whether we like it or not, cyber threats and information security are among the most pertinent problems organizations face today and in the years to come. GCs that demonstrate a commitment to information security with an ethical framework in place from the get-go will be seen as leading the charge in an important fight against those threats.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Mili Desai spent nearly 10 years as a litigator before leaving the practice of law to focus on transforming the legal industry through the application of technology and innovation. She currently works as a director in the legal sector at Globality, a company committed to promoting economic inclusion by using AI to digitally transform sourcing.