Businesses can be severely affected by data breaches, especially if there is a lack of compliance with data protection laws. Organisations with considerable compliance concerns lose over half again as much income to data breaches as those with fewer compliance difficulties. Despite this, just 59% of chief legal officers have a “full framework for handling their business data,” according to the Association of Corporate Counsel.
The increased financial and legal risks associated with insufficient data privacy measures have prompted company legal departments to step up and assume responsibility together with IT departments, whereas IT departments have historically handled all data-related concerns.
Corporate legal departments can apply these five risk-management techniques to help secure their company and its data:
Internal data security and privacy audits are a good starting point.
Two significant areas, each owned by a different department, should be examined as part of this audit. Corporate legal departments should check whether current data processing practices comply with current privacy regulations, and IT teams should look for security problems.
As far as data privacy is concerned, most people focus on client information, but employee information is also vulnerable. Employee privacy lawsuits and the “willingness of courts to sanction firms” for failing to secure sensitive information are on the rise, according to Forbes.
Compliance with new data privacy regulations has been listed as a top legal department priority in the 4th Annual Study of Effective Legal Spend Management because noncompliance with these requirements costs firms 2.71 times as much in the long run.
Legal counsel must look at data privacy regulations, including the EU’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the California Consumer Privacy Act (CCPA), and any applicable state and municipal requirements. Data storage, access, use, and protection processes can then be judged for compliance by comparing them against these regulatory standards.
IT should walk in-house attorneys through the various data types and procedures, with an emphasis on the weaknesses in the technology. Homegrown and legacy software built on “spaghetti code” can be risky, as can unsecured virtual private networks (VPNs) used by remote workers.
When the audit is complete, legal should consult IT to determine the next steps. These actions range from updating the website privacy notice to purchasing cyber insurance or new cybersecurity solutions, and can be categorised by urgency and by whether or not they require C-suite approval.
Help establish stringent training processes for new hires
A survey by Egress found that, despite human error being a primary cause of data breaches, IT leaders ranked it last on their list of worries. As a result, employee education is often overlooked when it comes to boosting data security, despite its importance to a strong cyber defence. Corporate legal departments should engage with IT and human resources to oversee substantial, mandatory cybersecurity training programmes on the policies and best practices of the organisation.
An employee’s “human firewall” is only effective if the employee has the proper cybersecurity training and competence, according to KnowBe4. According to Egress, 74% of companies surveyed had a data breach as a consequence of workers “breaking security norms,” while 73% experienced phishing scams of some kind. In a phishing attack, an attacker crafts an email that appears legitimate but contains malicious links or attachments, with the aim of deceiving the recipient into giving up personal or financial information or installing malware.
To minimise risk and potential liability, include the following in training materials:
- Who can access what data, with whom they may share it, and why
- How to protect yourself from phishing scams while working from home
- Guidelines for generating strong passwords and avoiding the reuse of previously used passwords
- A brief description of the applicable data privacy laws
- Examples of data breaches in relevant industries caused by lapses of judgement
- An explanation of the consequences of violating the firm’s cybersecurity policy
- Who should be notified if any suspicious cyber activity is discovered
When new security technologies and processes are implemented, legal can also help develop an effective change management strategy, so that all documented procedures continue to meet regulatory standards.
Decide on a plan of action in the event of a disaster.
Data breaches can happen despite your best efforts at security and training, so you need to be prepared in the event that they do. A well-defined response strategy is critical both for mitigating the consequences of a breach and for decreasing the probability of lawsuits. A “disruptive security issue” occurred in 62% of organisations with “less formal or consistent strategies,” compared to 39% of organisations with “formal security response plans.”
If you’re planning an incident response, Leonard Wills proposes that you include the following information:
- Which laws or rules apply in the event of a data breach, and their requirements for reporting information
An abbreviated excerpt from an incident response plan for organisations subject to the HIPAA Privacy Rule follows, in that form:
HIPAA’s Privacy Rule
Data breach triggers include unauthorised access by employees and other parties, improper disclosures, the release of protected health information (PHI), and ransomware attacks.
Name and contact information for:
- Affected individuals and the Secretary of Health and Human Services
- As part of your reporting obligations, include: information about the breach, the types of information compromised, steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate and mitigate the harm, and contact information for the covered entity.
- To be on the safe side, keep track of any specific notification deadlines dictated by the data protection regulations that apply to your organisation. The GDPR, for example, mandates that companies report data breaches within 72 hours or risk a fine of 4% of their annual sales.
Examine vendors’ cybersecurity practices
As part of an overall evaluation of data privacy policies, corporate legal departments should also consider their external legal advisers. Third-party data breaches have the greatest financial impact on a business, according to a Kaspersky analysis, and law firms are not exempt from this rule. Cyberattacks against law firms accounted for over 40% of all cyberattacks on professional services businesses in the first seven months of 2021.
There are several reasons why cyber attackers target law firms, including the fact that they often fall short of cybersecurity requirements and have access to valuable client information. To avoid associating with the riskiest law firms, RFPs for new suppliers should include questions about cybersecurity and compliance with data privacy standards. These indicators should be given the same weight as more traditional qualifications, such as the expertise and pricing of legal practitioners. To ensure that all vendor contracts contain data protection terms, corporate law departments can engage with sales.
It is also worth contacting current providers to find out how they store and safeguard client data. If they cannot give you a specific answer, or if there are several red flags, you may need to choose a different legal service provider.
Keep abreast of the latest changes to data rules
Joel Smith, senior vice president of legal and general counsel at Trustwave, observed that in-house teams now face “more rigorous” rules than they did even five years ago. Given such specific criteria, he said, “the legal team cannot effectively advise on the risk if it lacks cybersecurity competence.” Companies’ legal teams must keep abreast of the latest developments in data privacy legislation in order to provide the best possible advice.
Even though it may seem hard to find the time to study all of these specific criteria, it is better to be safe than sorry. Thirty minutes of your time each week can help you avoid a full-blown breach, which on average takes 287 days to resolve and would otherwise cost you months of repair work.
To help you learn more quickly, here are a few simple tips:
- Stay informed by subscribing to Law360’s Cybersecurity & Privacy section email.
- Consider subscribing to the ABA Journal’s Privacy Law section and keeping up with the ABA’s Privacy and Data Security Committee on Twitter.
- A smart place to begin is by subscribing to the blogs and email newsletters of leading cybersecurity firms, such as Hunton Andrews Kurth.
- Register for CLE webinars about cybersecurity and data privacy hosted by local and state bar organisations.
- Contact your IT department if you need more information on a particular subject. Because you are working together to minimise risk, knowledge exchange is crucial.
Legal departments that place a high value on data privacy compliance are ahead of the curve
The norms for protecting personal information will shift in lockstep with new developments in technology. Businesses benefit from proactively ensuring compliance and from building a cybersecurity culture, both of which demonstrate the value of forward-thinking strategists.