Keeping internal tech teams up to date on legal and compliance trends is a never-ending task for many corporate legal departments. But it remains an important one, as CIOs and CISOs developing technology plans for a company need to account for these requirements and more. Security threats, mobile employees and a changing regulatory climate can keep good general counsels awake at night. Along with their CIOs, GCs must look to update their technology and processes to steer the ship through these challenges in a rapidly changing information age environment.
How Secure Is Your Data?
There are many great lists that you would like to see your corporation listed on, but I will bet this isn’t one of them: Krebs on Security. How you interact with your CISO or CIO to manage your company’s security risks is crucial in keeping you off this dreaded list. You may think that you have everything locked down, but you are facing an indomitable foe every day – clever cybercriminals. Who is going to be responsible for handling the legal consequences in the aftermath of an incident? Just look in the mirror.
It is a heavy responsibility to keep customer, financial, intellectual property, personally identifiable and legal information safe from breach. Cisco’s Annual Security Report in 2016 said that 65 percent of organizations feel that they face a significant level of security risk. Additionally, Bomgar’s Vendor Vulnerability Report stated that 55 percent fear a breach resulting from vendor access will occur over the next year, while 20 percent believe the same will happen at any time after one year. A practical reminder – be sure your technical teams are requiring all vendors to adhere to the highest security standards and have a protocol to immediately inform you of any breach.
Creating a detailed map of all of the organization’s data repositories is critical. Unless the organization knows what it has, where it resides within the organization and who is responsible for the data, it cannot respond quickly or effectively to data loss. By creating a detailed data plan with your CIO, CISO and internal stakeholders, you can determine what types of information you have, where it lives and who has access to it inside and outside of your organization. If your organization doesn’t yet have an incident response (IR) plan, insist on it before you experience a cyber or other security breach. Part of that IR plan will outline what steps must be taken to rapidly investigate where and how the breach occurred; what data, if any, was compromised; if the breach is ongoing; and how to remediate it. This is where having a data map, including the locations of sensitive legal and matter, becomes critical.
BYOD: Your Recurring Nightmare
Did you know that approximately 78 percent of security incidents in 2015 were caused by employees? Forgetfulness, like leaving a mobile device behind in a restaurant where it can be snatched up by a would-be bad actor, is contributing to this alarming trend.
It is no wonder that mobile is a leading cause of security incidents. Studies report that 68 percent of U.S. corporations permit bring your own device (BYOD) policies for work purposes. However, according to Verizon’s 2016 Data Breach Investigations Report, only 23 percent of organizations say that securing mobile devices is a top priority in the next 12 months. Worse yet, the Ponemon Institute found that almost half of employees disable company-required security on their mobile phones, with IT never knowing about it.
Lost BYOD phones, tablets and laptops pose data breach and preservation risks. As In Re Pradaxa showed us, simply failing to instruct employees on deleting text messages from their BYOD devices can lead to costly sanctions.
The Department of Justice and the Securities and Exchange Commission, which jointly enforce the Foreign Corrupt Practices Act, recently emphasized the importance of self-reporting misconduct and cooperation as keys to favorable outcomes, such as deferred or noninitiation of prosecutions, settlements and reduced financial penalties.
Further, in a recent interview Hui Chen, the recently appointed compliance counsel expert at the Department of Justice, discussed the evolution of compliance standards. Compliance can no longer be just a slide deck or pretty graphs rolled out to employees. It must be a policy that is a top-down commitment from the leadership to all stakeholders.
I believe that compliance works only when the ownership and the commitment are shared, and that means the efforts of ensuring compliance get the right resources and processes must be a shared effort. So, if technology is needed to enhance a compliance process, the IT function needs to be fighting for that resource.” – Hui Chen, Ethics & Compliance Initiative, February 2016
Does your organization have the right technology and processes in place today to effectively respond?
The Financial Industry Regulatory Authority imposed fines totaling $104 million in 2015. Rapid investigation of health information breaches, for example, is essential to meet the Health Insurance Portability and Accountability Act’s breach notification and security rules, while updated European Union data protection mandates make efficient audits and investigations essential, with 72-hour notice requirements and penalties up to 4 percent of corporate revenues. Large, highly regulated organizations must be able to monitor rogue behavior and immediately remediate problems across networks, servers and endpoints.
Share and Share Alike
General counsel need to know from their IT teams what processes are in place that involve customer and employee data. Many departments will utilize processes developed by IT when it comes to compliance issues, third-party agreements and BYOD policies. In turn, legal needs to educate the IT department on the myriad regulatory and legal issues that could affect an organization’s information infrastructure. By working together and keeping each other informed, you have the best chance of aligning on technology needs and getting the right solutions in place to meet your organization’s risk management needs.
Do you ever wish that you had an easy way to update your technical teams on the legal and regulatory considerations that are important when planning for technology purchases? If so, the AccessData eBook CIO & CISO Guide: Digital Discovery Technology Planning may help your internal education efforts. This e-book is complimentary and a shorthand way to keep your technical teams abreast of the latest trends.
Published July 5, 2016.