DATA BREACHES: Firms are becoming more
In talking data breaches, it’s difficult to ignore the horror stories. Millions of consumers globally have fallen victim to lost customer records – whether through malicious activity or human error – leaving their identities at the mercy of wherever the data leaked.
If recent research into the issue is anything to go by, then consumers and businesses alike have cause for concern.
According to a survey of 156 organisations with more than 100 employees by Bread and Butter Research on behalf of Symantec, more than 80 per cent had experienced some form of data breach.
It’s a problem that has progressed through the evolution of technology, and one that is being addressed through proposed privacy reform.
The changes may mean yet another piece of regulation that will need the attention of not just the executive board, but their legal, technology, risk and human resources departments.
For the in-house lawyer this process may mean some necessary bonding with IT, HR and the risk manager.
Although the risk of a data breach has increased with the evolution of technology, Andrew Walls, research director at Gartner, says the basic threat of data loss has been the focus of security efforts for hundreds of years. As such, basic business practices have naturally evolved that embed security concepts into routine work processes.
“This process may be as simple as using a locked file drawer for highly confidential papers,” he says.
It sounds simple, but for data spreading far beyond the hard copy, how does good security sense translate to protecting against hacked systems, human error, malicious activity and the portability of electronic information?
Ultimately it is up to the executive team of an organisation to ensure their business is doing as much as possible to reduce the risk of data loss. The consequences of such a loss mean the in-house lawyer, with or without representation on the board, may well find their role adapting to preparing for the potential risks, and dealing with the price of any breach, as dictated by privacy reform.
Walls believes in-house lawyers won’t necessarily be involved in the day-to-day management of data loss prevention under the proposed privacy reform, but may well find a greater role in dealing with the consequences of a leak, managing the legal impact of disclosing – or not disclosing – the breach.
Walls says that in-house lawyers will not be able to offer effective advice to their employers if they are not conversant with, and frequently using, the technology platforms on which their organisations depend. He offers a simple solution for lawyers: take their technology counterparts out to lunch and ask them to share their darkest fears on data loss.
“This discussion will not develop in a lawyer a deep understanding of the technology involved, but it will build a basic understanding of the level of actual control that is currently in place to manage data security and the level of residual risk to which the enterprise is exposed,” he says.
According to James Moore, special counsel at Mallesons, dealing with the prevention – and any clean-up – of a data breach will be one of many issues in-house counsel will need to manage. He doesn’t believe the background and experience that ensures a successful in-house lawyer will change, but that they may find themselves working in more cross-functional teams to deal with the risk.
“Parts of the response to privacy issues may involve technical solutions,” says Moore. “However, it is not necessary to be expert in all facets of a technological solution to understand that it is part of the response.”
Steve Martin, mid-market manager at Symantec, agrees that the legal department should be getting more familiar with the IT department and the breakdown of technology, to be able to effectively advise on just what data needs to be protected by their company, and what policies and processes will be defined to mitigate the risks of a breach.
“It is usually only when something goes wrong that the legal department becomes involved – which is usually too late,” says Martin.
Breaking down communication barriers between departments might be necessary, says Martin, meaning the elimination of technical jargon from the IT department, and the simplification of legalese communicated by lawyers.
Martin finds that while most people understand the risks of data loss and its consequence, few have any idea about how to alleviate such risk. “So risk managers need to leverage the expertise of lawyers, IT staff and line of business managers to discover where confidential data resides, monitor how it is being used and develop a protection strategy to best prevent the loss of this data,” he says.
In-house lawyers will play their role, but, ultimately, the effectiveness of data loss prevention strategies will come down to the ability of all business managers to ensure end-users take note of policies, procedures and technology. Walls says: “Data loss is minimised through good people management and minimisation of the amount and type of data being managed.”
But lawyers will still be relied upon to do what they do best: clarifying the legal obligations for data loss prevention and ensuring regulatory and contractual obligations are in line with industry standards.