5 ways corporate legal departments can prioritize data privacy
Companies face massive consequences from data breaches, especially when they are not in compliance with data privacy regulations. Companies with significant compliance failures incur breach costs more than 50% higher than companies with fewer compliance problems. Despite this, only 59% of chief legal officers surveyed by the Association of Corporate Counsel have a “comprehensive strategy for managing their organizational data.”
While IT departments traditionally handle everything data-related, the growing financial and legal risks of poor data privacy measures have prompted corporate legal departments to step up and take ownership alongside IT.
Here are five risk-management steps that corporate legal departments can take to help protect their organization and its data:
1. Conduct an internal data security and privacy audit
This audit should cover two major areas owned by two different parties. Corporate legal departments should assess whether existing data management complies with up-to-date data privacy regulations, and IT should assess security weaknesses.
Most people tend to think solely of consumer data when it comes to data privacy issues, but employee data is just as vulnerable. As noted in Forbes, data privacy lawsuits from employees are growing, along with “the willingness for courts to punish employers” who fail to protect their employees’ sensitive information.
Non-compliance with data privacy regulations costs companies 2.71 times more in the long run than compliance does, so it’s no wonder that “ensuring defensibility and complying with new data privacy laws” was listed as a top legal department priority in the 4th Annual Study of Effective Legal Spend Management.
To do so, in-house counsel must analyze data privacy laws like the EU’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the California Consumer Privacy Act (CCPA), and other relevant state and local regulations. With an understanding of these regulatory requirements, you can use them as a benchmark to evaluate whether data storage, access, usage, and protection measures are compliant.
IT will walk in-house lawyers through the different data types and processes and then turn their attention to technical vulnerabilities. These come in many forms, from homegrown and legacy software built on risky “spaghetti code” to unpatched or misconfigured virtual private networks (VPNs) used for remote work.
Once the audit is completed, review the findings with IT and determine the next steps. These actions can be grouped by their level of urgency and whether or not they need C-suite approvals to proceed, like updating the website privacy notice vs. investing in new cybersecurity tools or cyber insurance.
2. Help implement thorough employee training processes
Even though human error is the most common cause of data breaches, IT leaders ranked it at the bottom of their list of concerns in Egress’ Insider Data Breach Survey 2021. Employee training is therefore an underutilized tactic for improving data security, yet it’s key to a strong cyber defense. Corporate legal departments should work with IT and human resources to oversee robust, mandatory training initiatives on company cybersecurity policies and best practices.
Cybersecurity company KnowBe4 says a company’s employees can serve as a “human firewall” — but only when they have the appropriate cybersecurity knowledge and training. Egress found that approximately 74% of surveyed companies experienced a data breach because of employees “breaking security rules,” and 73% suffered phishing attacks. Phishing is a fraudulent message, usually an email, crafted to trick an employee into revealing credentials or other private information, or into opening a link or attachment that installs malicious software.
Your best chance of minimizing risk and potential liability is to include the following in training materials:
- What data can and can’t be accessed or shared by employees (and why)
- Cybersecurity guidelines for remote work
- How to identify phishing scams and examples
- Best practices for creating strong passwords and avoiding password reuse
- Brief summaries of applicable data privacy laws
- Relevant industry examples of data breaches caused by human error
- Clear explanations of the ramifications of violating company cybersecurity policies
- Who to contact with concerns about any suspicious cyber activity
Additionally, you can help implement an effective change management plan when new security tools and procedures are rolled out, so that the documented processes remain compliant with applicable regulations.
3. Create an incident response plan
Even with heightened security tools and training, a data breach can still happen — and you need to be prepared if it does. Having a clear response plan is critical to controlling the consequences of a breach and minimizing the chances of litigation, and organizations with formal plans also report fewer disruptive incidents. IBM found that 62% of companies with “less formal or consistent plans” were victims of a “disruptive security incident,” compared to just 39% of businesses “with formal security response plans.”
In the American Bar Association article “A Brief Guide to Handling a Cyber Incident,” Leonard Wills recommends that legal teams include the following information in an incident response plan:
- Applicable law or regulation
- Data breach trigger
- Person or organization to contact
- Information to include in reporting requirements
Following that template, this is what an abridged incident response plan section could look like for companies subject to the HIPAA Privacy Rule:
HIPAA Privacy Rule
- Data breach trigger: Unauthorized access by employees as well as third parties, improper disclosures, the exposure of protected health information, and ransomware attacks
- Person or organization to contact: Affected individuals, the Secretary of Health and Human Services (HHS), and, in certain circumstances, the media
- Information to include in reporting requirements: A brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity
Different data privacy regulations also have different timing requirements for breach notifications, so it’s important to include notes about those as well to ensure compliance. For example, the GDPR requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of the breach (affected individuals must be notified without undue delay when the breach poses a high risk to them). Failing to notify is itself a violation, punishable by a fine of up to €10 million or 2% of worldwide annual turnover, whichever is higher; the better-known 4% tier applies to other GDPR violations. HIPAA, by contrast, allows up to 60 days from discovery for notifying affected individuals.
4. Evaluate vendors’ cybersecurity practices
In addition to assessing internal data privacy measures, corporate legal departments also need to evaluate their outside counsel and other vendors. A Kaspersky survey found that third-party data breaches take the highest financial toll on an organization, and, unfortunately, law firms are no strangers to them. In the first seven months of 2021, approximately 40% of all cyberattacks on professional services firms were on law firms.
Law firms are enticing targets for cyber criminals because they typically fall short on cybersecurity standards but hold a wealth of sensitive client data. To avoid working with the highest-risk law firms, include questions about cybersecurity and compliance with data privacy laws in your RFPs for new vendors. These criteria should weigh as heavily as more traditional qualifications like legal professionals’ experience and pricing. Additionally, corporate law departments can work with procurement to ensure data protection clauses are included in all vendor contracts.
When it comes to existing vendors, it’s a good idea to reach out and discuss how the firm stores and protects client data: whether it is encrypted at rest and in transit, who can access it and whether that access requires multi-factor authentication, whether the firm has had prior incidents, and whether it holds a third-party attestation such as a SOC 2 report or ISO 27001 certification. If they can’t give you a concrete answer or there are multiple red flags, it might be time to switch to a different vendor for legal services unless they remedy the situation.
5. Stay on top of the latest changes in data regulations
Joel Smith, Trustwave senior vice president of legal and general counsel, notes that in-house teams now have to contend with “more prescriptive” regulations than they did even five years ago. With such specific guidelines, “if the legal team doesn’t have cybersecurity expertise, it can’t properly advise on the risk.” As new data privacy laws continue to roll out, corporate legal departments have to stay apprised of these changes to be the most effective advisors possible.
It may seem like a hassle finding time to read up on these detailed regulations, but an ounce of prevention is worth a pound of cure. By taking, say, 30 minutes a week now, you can save yourself from dealing with a breach that eats up significantly more of your time — a breach takes an average of 287 days to identify and contain.
Here are some quick tips to speed up the learning process:
- Sign up for the Law360 Cybersecurity & Privacy section newsletter for coverage on recent cases.
- Follow the American Bar Association (ABA) Privacy and Data Security Committee and check out the ABA Journal’s Privacy Law section.
- Subscribe to blogs and email newsletters from notable firms with cybersecurity practice areas, such as Hunton Andrews Kurth.
- Register for cybersecurity and data privacy CLE webinars with local and state bar associations.
If you need additional context on a topic, reach out to your IT department! Since you’re working together to mitigate risk, exchanging knowledge is key to successful collaboration.
Corporate legal departments that prioritize data privacy compliance will stay ahead of the curve
As technology continues to advance and change, so will data privacy regulations. Efforts to proactively ensure compliance and create a cybersecurity culture will lower risk for your company while proving your team’s value as forward-thinking strategists.
If you’re trying to convince your C-suite about the need to bring on advanced legal technology, make sure they know how heightened security features can offer more protection against costly data breaches and potential litigation. Check out a demo of SimpleLegal’s secure legal platform in action and learn more about how we protect legal operations’ data.