

5 ways corporate legal departments can prioritize data privacy

Published On : July 14, 2022




As digitization has reached every field and almost all services have moved online, the risks companies face from data breaches have grown exponentially. This is especially true for organizations with a general lack of legal compliance with data privacy regulations.

According to some market research results, companies with significant compliance issues often lose more than 50% more from data breaches than companies with fewer compliance problems. Despite this, only about 59% of Chief Legal Officers surveyed by the Association of Corporate Counsel have incorporated a “comprehensive strategy for managing their organizational data” in their respective organizations / Legal Ops departments!

While IT departments traditionally handle everything data-related, the ever-growing financial and legal risks of poor data privacy measures have prompted corporate legal departments to step up and take proactive, complete ownership of their legal data, alongside IT.

Let’s now look at the five risk-management steps that corporate legal departments can take to help protect their organization and its data:

Conduct a comprehensive audit of internal data security and privacy

When you undertake this audit, make sure it covers two major areas owned by two different parties. First, the Corporate Legal Department should assess whether existing data management complies with up-to-date data privacy regulations, and second, the Corporate IT Department should assess and mitigate any security vulnerabilities.

Generally speaking, most people think solely of consumer data when it comes to data privacy issues, but an organization’s employee data is just as valuable, and just as vulnerable. As noted in Forbes, the number of data privacy lawsuits from employees is growing, along with “the willingness for courts to punish employers” who fail to protect their employees’ sensitive information.

To assess compliance, in-house counsel must first analyze the data privacy laws of the geographies they operate in, such as the EU’s General Data Protection Regulation. With a complete understanding of these regulatory requirements, you can use them as a benchmark to evaluate whether data storage, access, usage, and protection measures are in place and compliant.

Ideally, Corporate IT should walk in-house lawyers through all of the different data types and processes and draw their attention to technical vulnerabilities. These come in many forms, from homegrown and legacy software built on risky spaghetti code to unsecured virtual private networks (VPNs) for remote work.

Once your audit is completed, review the findings with IT and determine the next steps. Vulnerabilities can be grouped by their level of urgency and by whether they need top-level management approval to proceed: updating the website privacy notice, for example, versus investing in new cybersecurity tools or even cyber insurance.


Always maintain an Incident Response Plan

Even with all of the available security tools and training, data breaches still happen — and you need to be prepared if and when one does. Having a detailed and well-defined response plan is critical to controlling the consequences of a breach and minimizing the chances of litigation, and it also significantly reduces the chances of a data breach happening in the first place. IBM found that 62% of companies with less formal or inconsistent plans were victims of “disruptive security incidents”, as opposed to just 39% of businesses with formal and comprehensive security response plans.

Different data privacy regulations also have different timing requirements for breach notifications, so it’s important to document those in the plan as well to ensure compliance. For example, the GDPR requires breach notifications within 72 hours, or companies can be subject to a fine of 4% of their total annual revenue.


Evaluate vendors’ cybersecurity practices

In addition to reviewing internal data privacy measures, corporate legal departments must also evaluate their outside counsel. According to a survey conducted by Kaspersky, third-party data breaches take the highest financial toll on an organization, and unfortunately, law firms are no strangers to data leaks. The survey noted that in the first seven months of 2021, approximately 40% of all cyberattacks on professional services firms were on law firms.

Law firms are enticing targets for cyber criminals because they are generally perceived to be weak in implementing cybersecurity standards, yet they hold a wealth of sensitive client data. To avoid your company working with the highest-risk law firms, try to include questions about cybersecurity and compliance with data privacy laws in your RFPs for new vendors. These metrics should carry equal (or even more!) weight as more traditional legal qualifications like legal professionals’ experience and pricing. Additionally, corporate law departments can work with the organization’s sales team to ensure that well-defined and comprehensive data protection clauses are included in all vendor contracts.

For existing vendors, it’s always a good idea to reach out and discuss how their firm stores and protects client data. If they can’t give you a concrete answer or provide conclusive evidence, or you notice multiple red flags, then it might be time to switch to a different vendor for legal services unless they proactively mitigate the situation.


Stay on top of the latest changes in data regulations

In-house teams today have to contend with way more “prescriptive regulations” than they did even five years ago. With such specific guidelines, if the legal team doesn’t have adequate and relevant cybersecurity expertise, it can’t properly advise on the risk. As newer and more stringent data privacy laws continue to roll out, corporate legal departments have to stay apprised of these changes to be the most effective advisors possible.

Finding time to read up on these detailed regulations may initially seem like an unnecessary hassle, but, as they say, “an ounce of prevention is worth a pound of cure”. By taking, say, 30 minutes a week now, you can save yourself from dealing with a breach that eats up significantly more of your time — a single data breach takes an average of 287 days to completely resolve.


If you need additional context on a topic, reach out to your in-house IT department! Since you’re working together to mitigate risk, exchanging knowledge is key to successful collaboration.


Help implement thorough employee training processes


Even though human error is generally considered the most common cause of data breaches, IT leaders surprisingly ranked it at the bottom of their list of concerns in Egress’s Insider Data Breach Survey 2021. By extension, employee training remains an underutilized tactic for improving data security, but it’s an absolute must for a strong cyber-defence. Corporate legal departments should work with both IT and Human Resources to oversee robust, mandatory training initiatives on company cybersecurity policies and best practices.

A company’s employees can serve as a “human firewall” — but only when they have the appropriate cybersecurity knowledge and training. Market research has found that approximately 74% of surveyed companies experienced a data breach because of their own employees “breaking security rules,” and 73% suffered phishing attacks. Phishing happens when a cybercriminal sends a fake email that’s meant to get an employee to reveal private information or click on a link to trigger malicious software.

When it comes to employees, your best chance of minimizing risk and potential liability is to include the following in all documentation and training materials:


  • What data can and can’t be accessed or shared by employees (and why)
  • Cybersecurity guidelines for remote work
  • How to identify phishing scams, with examples
  • Best practices for creating strong passwords and avoiding password reuse
  • Brief summaries of applicable data privacy laws
  • Relevant industry examples of data breaches caused by human error
  • Clear explanations of the ramifications of violating company cybersecurity policies
  • Who to contact with concerns about any suspicious cyber activity

Additionally, you can devise and implement an effective Change Management Plan for when new security tools and procedures are rolled out. This way, all documented processes will remain in regulatory compliance.


To sum it all up…

As technology advances and morphs, so will data privacy regulations. Your efforts to proactively ensure compliance and create a cybersecurity culture will help you lower risk for your organization while simultaneously proving your team’s value as forward-thinking strategists.