Cyberattacks are a pressing concern for almost every organization, its partners, and its customers. Besides disrupting a business’s operations and exposing sensitive information, data breaches can have an immediate financial impact. As per IBM’s Cost of a Data Breach Report 2022, the global average cost of a data breach reached $4.24 million in 2021. While the IT department usually handles most data-related tasks, the rising legal and financial risks of failed data privacy measures have led in-house legal departments to step forward and share those responsibilities with IT.
Below are five ways legal departments can help protect their organization and its data:
1. Perform an Internal Data Privacy and Security Audit
The internal audit covers two significant areas owned by two different parties. First, the legal department should examine whether current data management complies with up-to-date data privacy laws, while IT examines the organization’s security weak points. When we think about data privacy problems, we typically think only of consumer data, but employee information is equally vulnerable. According to Forbes, data privacy cases brought by workers are increasing, along with the likelihood of courts punishing employers who fail to safeguard their employees’ sensitive information.
So, internal counsel must examine data privacy laws such as the European Union (EU)’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and other related privacy regulations, including the ever-changing EU-US privacy agreements. Mapping out these regulatory requirements sets a benchmark against which data storage, access, use, and safety measures can be assessed for compliance.
Legal departments might also want a Data Processing Agreement (DPA) in place that sets out the terms for how data is stored, processed, accessed, and used. Tools such as DPOrganizer can help map and control data privacy for both external and internal parties.
On the other hand, IT should walk the in-house legal department through the organization’s data types and operations and focus their attention on technical vulnerabilities. These can stem from outdated local and legacy systems or from network solutions such as low-cost VPNs used for remote work. Third-party service providers, insider threats, cloud storage applications, unsecured mobile devices, malicious attacks, and social engineering are other areas where a company is exposed.
2. Assess Third-Party Vendors’ Cybersecurity Practices
The organizations that make the most attractive targets for cyberattacks are usually those that lack cybersecurity standards and store a significant amount of sensitive client data. About 28% of critical infrastructure organizations in industries such as healthcare, education, transportation, energy, technology, communications, and the public sector have experienced ransomware attacks, while nearly 17% suffered data breaches because a business vendor was compromised. So, besides assessing internal data privacy measures, legal departments must also evaluate their third-party vendors’ practices and techniques.
According to a Kaspersky survey, third-party data breaches typically have an adverse financial effect on organizations. It reveals that about 32% of big companies that suffered attacks involved data shared with providers, and that the average financial impact per enterprise reached $1.4 million in 2021. So it is key to contact both existing and potential vendors to discuss how they store and protect client data and how they ensure compliance with data privacy laws.
Here is a checklist of questions you can ask to assess the cybersecurity practices of a third-party vendor:
- What systems and data will the third party access?
- What type of logging and tracking does the vendor do?
- What type of data encryption does the supplier use?
- How does the vendor manage access controls?
- Which services does the vendor use to store and process data, like Google GCP or Amazon S3 (AWS)?
- Is the supplier GDPR compliant and can they explain how?
- Does the supplier have a DPA done with our company?
- Has the vendor experienced data breaches? If so, what steps were taken to mitigate the risk, and why?
Also check their commitment to protecting the company’s data, in addition to their security certifications and policies. Vendors must follow proper security protocols and pay close attention to securing and protecting the data entrusted to them. It might be time to shift to another vendor if you don’t get a solid answer or find red flags such as:
- No or poorly documented policies on data retention and destruction, access management, data encryption, and network security
- Absence of incident detection and response plan
- Insufficient vulnerability, penetration, and social-engineering testing
- Confidential data leaked in the past
- Open firewalls or unpatched operating systems
- No or unclear policies around vendor management
3. Educate and Train Employees
Investing in data security can lead to significant business benefits, including financial ones. While it is imperative to run a modern organization safely, the rise in the global average total cost of a data breach from $0.11 million to $4.35 million in 2022 points clearly to the need for additional measures. The data security strategy must be multifaceted rather than static. Regardless of the amount of money spent, any security gaps that remain within the company will erode the ROI of those investments.
It is crucial to educate the workforce on the importance of data security and compliance. A firm’s staff can serve as a human firewall, but only when they have relevant cybersecurity knowledge and training. You cannot fully implement your data protection policies or resolve compliance risks if your staff does not understand why data security matters and how it works. Adequate training and the adoption of a compliance-centered mindset across all departments and teams go a long way toward making all prior investments and efforts worthwhile.
For example, employees should be aware of and understand the seven principles of GDPR that guide the data protection law and form the foundation of any compliance program. When obtaining and processing data, the operational team should understand lawfulness, fairness, transparency, and purpose limitation. Legal departments should ensure that the marketing team is familiar with data minimization. Staff, especially commercial teams, should conduct regular data accuracy checks, be aware of any storage limitation date, guard the data they obtain by adopting anonymization or pseudonymization, and document and justify every step for the greatest level of accountability.
4. Manage Data Access
Working in tandem with IT, legal departments should control access to sensitive information in order to minimize risk and potential liability. This involves clearly defining which data employees can and cannot access or share. These departments must be mindful of which team members need access to confidential data and of who should monitor and manage that access.
While guidelines are a great way to manage data access, having tools in place that enable the legal department to manage access policies is the way to go. Ideally, employees should be granted access only to the data essential for their day-to-day tasks and should have no access to what they don’t need. The fewer workers with access to personal data, the lower the risk of errors and potential data breaches.
Tools such as a contract management system, structured databases, project management tools, and a CRM will help you manage access.
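The least-privilege rule described above (grant only what a role needs, deny everything else, and revoke what goes unused) can be made concrete in code. The following is an added illustration, not code from the article or from any vendor's product: the roles, datasets, user assignments and access log are constructed sample data, and the policy shape (role to dataset to permitted actions) is an assumption chosen for clarity. It evaluates requests deny-by-default and then compares each user's effective grants against what they actually used during a review period, so over-provisioned access shows up as a revocation candidate.

```python
"""Deny-by-default access policy check with a simple over-provisioning report.

Added illustration of the least-privilege principle. The roles, datasets,
user assignments and access log below are constructed sample data, not the
article's or any vendor's real configuration.
"""
from collections import defaultdict

# Hypothetical role -> {dataset: set(actions)} policy. Anything not listed is denied.
ROLE_POLICY = {
    "legal_counsel": {"contracts": {"read", "write"}, "employee_pii": {"read"}},
    "marketing":     {"customer_contacts": {"read"}},
    "hr":            {"employee_pii": {"read", "write"}},
    "it_admin":      {"access_logs": {"read"}},
}

# Hypothetical user -> roles assignment.
USER_ROLES = {
    "alice": {"legal_counsel"},
    "bob":   {"marketing"},
    "carol": {"hr"},
    "dave":  {"marketing", "legal_counsel"},  # holds two roles: a candidate for review
}


def is_allowed(user, action, dataset):
    """Return True only if one of the user's roles explicitly grants the action."""
    for role in USER_ROLES.get(user, set()):
        if action in ROLE_POLICY.get(role, {}).get(dataset, set()):
            return True
    return False  # deny by default: unknown users, roles, datasets and actions


def effective_grants(user):
    """Flatten a user's roles into the set of (dataset, action) pairs they hold."""
    grants = set()
    for role in USER_ROLES.get(user, set()):
        for dataset, actions in ROLE_POLICY.get(role, {}).items():
            grants.update((dataset, action) for action in actions)
    return grants


def unused_grants(access_log):
    """Report grants that never appear in the log, i.e. candidates for revocation.

    access_log: iterable of (user, action, dataset) tuples observed over the
    review period. Returns user -> sorted list of unused (dataset, action).
    """
    used = defaultdict(set)
    for user, action, dataset in access_log:
        used[user].add((dataset, action))
    report = {}
    for user in USER_ROLES:
        unused = effective_grants(user) - used[user]
        if unused:
            report[user] = sorted(unused)
    return report


# Constructed sample of what an access log for one review period might contain.
SAMPLE_LOG = [
    ("alice", "read", "contracts"),
    ("alice", "write", "contracts"),
    ("bob", "read", "customer_contacts"),
    ("carol", "read", "employee_pii"),
    ("dave", "read", "customer_contacts"),
]

if __name__ == "__main__":
    print(is_allowed("bob", "read", "employee_pii"))  # False: marketing has no PII grant
    for user, grants in unused_grants(SAMPLE_LOG).items():
        print(user, "never used:", grants)
```

The report is the part a legal department would act on: a grant that is held but never exercised over a review period is exactly the access the text says employees "don't need", and removing it shrinks both the error surface and the number of people whose mistakes could become a reportable breach.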
5. Make an Incident Response Plan
Even with strong security tooling and training, it is unrealistic to expect a company to be 100% protected against data breaches. With a clear response plan in place, it is easier to contain the consequences of a breach and lower the chances of lawsuits. It also reduces the chances of a breach happening in the first place. For example, IBM has reported that most companies with informal or inconsistent plans faced more disruptive security incidents than businesses with formal security response plans.
Leonard Wills, in an American Bar Association article on handling a cyber incident, recommends that legal teams make the following information part of their incident response plan:
- Applicable law
- Data breach triggers (unsanctioned access by users and third parties, disclosure of protected information, and ransomware attacks)
- Individuals or firms to contact (affected people or companies and, in some scenarios, the media)
- Information required for reporting (a brief description of the breach, the types of information involved, the steps affected individuals should take to protect themselves from potential harm, how the breach is being investigated, how the damage is being limited and further violations prevented, and contact details for the covered entity)
In all, ensuring data security should be a key part of every legal department’s risk management strategy. Since new data privacy regulations continue to roll out, corporate legal departments must stay on top of the latest changes to be the most effective advisors possible. Finding time to read up on these detailed rules, or setting up the right operations and tools, may be inconvenient, but a “better safe than sorry” approach is a strong position to adopt.
By conducting data privacy and security audits, assessing third-party vendors’ cybersecurity practices, educating employees on data protection, managing data access, and setting up an incident response plan, legal departments can make a real contribution to data security.
Curious to know how a CLM like Precisely enables legal teams to have control over data security when it comes to contract operations and compliance? Talk to our contract experts.