Over the past few years, global regulatory and technology events have prompted shifts in working practices that are threatening the safety of companies’ internal data.
Covid-19, with its rush to remote working, has exacerbated these risks. In-house legal counsels need to know how to tackle them, but are often left out of the picture when relevant decisions are made in their own organisations.
During The Lawyer’s General Counsel Strategy Summit, in association with UnitedLex, two experts from consultancy Lighthouse hosted a roundtable on this increasingly pressing challenge. Mike Brown, EMEA sales director, and James Hart, a governance risk compliance consultant in the company’s global advisory services unit, gave a group of in-house lawyers an overview of the historical evolution of the problem, and what GCs can do to fix it.
For years, the legal industry has been supporting companies with advisory work in investigations into data breaches and cybersecurity. But, on the client front, in-house lawyers have rarely taken the lead on elaborating governance and compliance strategies for their companies.
There have been three significant changes affecting the workplace which might create big problems for legal teams in the future. First, the large-scale move to cloud infrastructure across organisations has exposed weaknesses in how they generate and store information as they migrate legacy systems into online environments.
Then, the arrival of GDPR legislation in 2018 put their data governance practices under the spotlight, with the risk of hefty fines.
Most recently, the Covid-19 pandemic has accelerated the need for a sound data governance framework. With the rise in remote working, companies have accelerated their investments into collaboration technologies. The combination of a dispersed workforce with extensive access to new communication and collaboration platforms has created a new threat in relation to the use of data within corporates.
While workplace tools help staff members stay in touch and increase efficiency, there is a significant risk around the data generated from their devices and how it is controlled – or not.
As companies deployed products such as Zoom, Microsoft Teams, Slack and Yammer, they did not spend much time on making sure their implementation was done while complying with data security guidelines. But these tools are as easy to deploy as they are risky to control.
Through conversations in the market and a survey, the consultants showed that legal teams have often not been involved in the deployment of these technologies, even where there were concerns around their implementation.
“Legal teams are not driving forces in these projects, which are carried out by IT departments,” said Brown. “This causes problems because the ultimate responsibility for data in organisations eventually falls under legal.”
The situation becomes problematic, the consultants explained, when data keeps increasing but is not reined in by the right governance framework. Teams don’t know where information of differing degrees of sensitivity is located. They don’t even know for how long it has been or will be stored – or for what purpose. “It is like a Pandora’s box,” James Hart explained.
While these data operations are usually led by IT departments, legal should assist with scrupulous compliance checks. The duo guided participants through the process of assessing data landscapes within an organisation. They focused especially on Microsoft 365 environments, the one Lighthouse deals with most frequently due to its widespread adoption across a number of industries.
This type of assessment usually involves a review of the entire data lifecycle within specific companies, including questions on where it is stored, how sensitive it is, how it circulates within and outside the organisation, and the resulting security threats it poses.
These checks help to see how much data a company has retained over a period of time, showing the risks of keeping personal employee or commercially sensitive information after it no longer has operational value. In this context, a legacy data disposal programme can help get rid of it and comply with retention laws.
Information stored in systems can be categorised with labels based on levels of relevance and sensitivity and stored in the right environment accordingly. These remediation exercises help fix issues around old company data, but the right system can also involve software to monitor the activity of current information as it enters and exits the organisation. General counsels can decide whether they should put mechanisms in place to restrict circulation or just remind employees of existing policies.
Having a platform that gives insight into data, and understanding how it is being managed, becomes an urgent issue in the context of the pandemic. “We have seen significant changes in how information was managed pre-Covid-19. Before it was just emailed, now it is constantly shared via other means such as SharePoint or even Teams,” Brown said.
Employees are using the software adopted during the pandemic as they like, generating even more data that threatens privacy and safety. They can do whatever they want and the technology supports it. “There is an obvious disconnect between what technology can do and what it shows you,” he added.
The scenario presented by the consultants worried one GC when it came to visibility over data flows. “What is the endgame for those companies not having data retention policies? What is going to happen?” he asked.
The consultants said regulatory scrutiny looms, with the risk of investigations and disputes. But there are more positive incentives to establishing a clear framework. It allows companies to control and find data within their systems more easily and to monitor its circulation with alerts that flag up dangerous transfers.
Otherwise, GCs will find themselves dealing with an increasing amount of data just because nobody pushes to delete it. In the context of court proceedings, a judge might question this lack of ethics and governance.
The GC of a fintech said he, too, had been guilty of deploying products like Zoom or Teams in a move that favoured expediency at the expense of security. “Compliance and risk teams are aware of it, but banks want to be able to deliver in short time frames. From the legal perspective, sometimes we are not thinking about the consequences carefully enough,” he noted.
Another participant said they tend to record conference calls on Webex for those who were absent. But they don’t know where the recordings are being held by the provider. “Do we really know where these providers store our personal and company information?” he wondered.
The consultants said these are all central parts of a strategy that are often neglected, and should instead have been a core element of the decision-making process around remote working early in the pandemic. “Covid-19 has accelerated the need to work remotely, but it is not straightforward to know where data and messages are kept,” Brown said. There might be a need to refresh policies so they reflect new storage circumstances. “People are rushing but caution needs to be taken.”
Legal teams can achieve control by adding reporting lines, educating the workforce on the risks for their specific organisations or appointing supervisors to monitor data flows.
If operations are centralised and supervised, it makes it easier to conduct reviews and tackle incidents. “It is a constant moving target, so it is critical for legal to take a seat at the table,” he concluded.