An annotated review of Information Governance Insights columns from 2017
The scope of corporate counsel duties has changed rather rapidly and drastically in the past decade. As companies have quickly begun to digitalize nearly every aspect of their operations, digital information has become the lifeblood and primary asset of nearly all business, in every industry, in every sector. Whether a company makes or sells widgets, transports goods or people, facilitates markets or financial transactions, or provides services of any sort, in the past few years it has also become an information business. The volume of digital information flowing through companies has also grown exponentially in this same short period. Rapid digital transformation has brought to the forefront a whole host of novel legal issues that cannot be ignored. Information creates great value to the enterprise, and anything of value also presents risk. This shift has in turn pushed counsel into the role of information stewards, charged with ensuring that the mountains of data collected, created, stored and utilized across the enterprise are managed in a compliant and responsible manner and properly protected.
Most litigators first become aware of these data mountains when struggling to respond to discovery requests. Electronic discovery has been a primary component of most legal department budgets for nearly a decade now, at least since it was first formally recognized by the Federal Rules of Civil Procedure. Today it is a significant cost for nearly every legal matter. The scope of e-discovery has equally expanded. Early matters focused nearly exclusively on email communications and loose electronic office documents. Yet, as the proliferation of data across the corporate environment has expanded, e-discovery has begun to implicate a much larger breadth of systems.
Nowhere is this more evident than with the challenges of preserving, collecting and disclosing information from structured database systems, which I detailed in April 2017 (see “Preserving and Collecting Structured Electronic Data Is Tricky”). The identification and collection of information from these systems can be very complex. Unlike email systems, which tend to be static over time, most corporate database systems have grown organically over decades and have been pieced together through multiple rounds of mergers and acquisitions. They also tend to be transactional in nature and not designed to meet the needs of litigations, which are often aimed at re-creating history. Isolating potentially relevant information and extracting it into a reasonably usable format is a very complex task. These challenges are so great, in fact, that my firm has built a specialized practice group solely dedicated to extracting and analysing structured data for litigation purposes.
No part of e-discovery is easy, and counsel should not have to go at it alone. Nor should they need to reinvent the wheel for each new matter. As part of fulfilling their role as corporate data steward, they need to team with trusted advisors who can share industry best practices and their experience toward solving these complex problems. In this quest, it may often be difficult to know where to draw the line when deciding what to attempt on your own and when to get help (see April’s “Bringing E-Discovery In-House”). In the face of mounting budget constraints, it also can be tempting to try bring the whole spectrum of e-discovery services in-house. In November, I discussed some of these challenges and provided insight into how to measure the true value of e-discovery services when working with and assessing vendors (see “Measuring the True Costs of E-Discovery”).
E-discovery isn’t corporate counsel’s only data challenge, however. Today’s regulatory environments also require that counsel properly leverage corporate data assets to meet the company’s compliance obligations. For example, anti-money laundering and anticorruption regulations around the globe now require the analysis of complex data sets in a proactive manner in order to avoid missing red flags and anomalous client behaviors. Companies must also be proactive in order to take advantage of penalty reduction programs that favor self-disclosure (see “Spotting Corruption in the Wild”). Unfortunately, with mountains of data to sift through, the only way compliance programs can root out potential misconduct is to custom-tailor analytical procedures so that they can locate the anomalous signals in all the daily noise. Enforcement agencies themselves, such as the Department of Justice, the Securities and Exchange Commission and the Financial Industry Regulatory Authority, have all instituted their own data analytics programs, which alone clearly evidences the need for corporate counsel to stay ahead of the curve and ascend the digital mountain.
Other challenges come in the form of data protection requirements. Hardly a day passes without a new data breach headline in the news, and hardly a month goes by without a new data protection regulation of some form or another being enacted. Foremost on most companies’ radar today is the pending General Data Protection Regulation that takes effect this spring across the European Union. Since its extraterritorial reach extends to any company that has business activities in the EU or that directly market goods or services to individuals in the EU, even U.S. companies are scrambling to assess the regulation’s level of applicability and to understand their obligations. The biggest obstacle thus far seems to be understanding exactly how far the many new obligations under the GDPR go, and how to operationalize them across the entire enterprise. Data is highly ubiquitous in large organizations, and it can be very difficult to ferret out all the places it is stored and all the ways it is being used. This is especially true when commingled with data from other sources that may be subject to an entirely different set of regulatory protections and obligations, such as the personal information of individuals from Asian or North or South American countries, each of which have their own data protection laws. Many of these systems are also quite old and have been cobbled together over many years. They simply were not designed to carve out all the various populations and apply different sets of controls to each for compliance purposes. This alone has led to significantly large burdens on companies that have larger fragmented data systems or systems that are highly siloed by business function.
To address these issues, the most important thing corporate counsel can do right now is data mapping. Counsel must spend the time to fully understand exactly what personal information they collect, manage and process, from whom, for what purposes, and where and how it is being used. If they are unable to do this, they cannot even begin to understand their compliance obligations and what they need to do to close any gaps in this regard. This exercise should also look at international data flows and seek to understand what the legal basis is for legitimizing the transfers. As discussed in “Data Map Now to Ease GDPR Compliance,” it should also map out all the third-party service providers that are processing data on the company’s behalf and ensure that the proper contractual protections are in place.
As if all of this was not complex enough for us mere attorneys, in come the clouds. Cloud storage has itself taken center stage for the majority of corporate IT departments as they struggle to reduce capital expenditures and move company data off to third-party service providers. However, with this shift in storage also comes a shift in roles and responsibilities and increased risks and liabilities. Data privacy regulations such as the GDPR and domestic data privacy and security laws are typically storage agnostic. Transferring data to a third party’s cloud environment does not reduce corporate responsibility to protect the data. However, the many different models of cloud storage, which range from Software as a Service (SaaS) to Infrastructure as a Service (IaaS) and multiple iterations in between, can make it difficult to know which party is tasked with ensuring which controls and where the handoffs between them need to occur. (See “Managing Cyber Risk in the Cloud.”) It can also be difficult to ascertain which country’s laws apply to data and systems hosted in a distributed cloud environment, which only further complicates things. (See “Whose Laws Govern That Slippery Data? Storage in the cloud has complicated the question for companies and courts.”) In order to address these issues, counsel must have a clear understanding of what information is flowing to cloud environments, where it is being stored, and where the responsibility for each and every security control lies.
In addition to these new data steward roles for corporate counsel, in-house legal departments must ensure they are adequately prepared when the inevitable data breach hits. Responding to data breaches can be a tricky business. If not managed correctly, corporate liability can easily be exponentially compounded. The key to successfully managing any complex crisis lies in the planning. It’s important to develop a carefully thought-out process long before the fire alarms start ringing. For example, nearly all 50 states now have data breach notification requirements, some requiring notice as soon as 45 days after discovering an event. Since the average breach investigation can take months to determine what, if anything, was actually exposed, counsel will not be able to meet these tight deadlines without significant planning upfront. (See “The Data Breach Response: Who Will You Tell?”) Notification is also not the only hurdle. There is a whole plethora of liabilities to be addressed for both the company and its directors and officers, especially once the post-breach lawsuits pile on. (See “Data Breaches Can Paint a Bullseye on Their Backs – Companies need to focus on mitigating liability for their directors and officers.”) Unless counsel is up to speed on all these issues and has a response plan in place before trouble hits, they are likely to not survive the ordeal. Last year alone saw multiple general counsel stepping down in the wake of data breaches.
But all is not lost. Counsel who assert their role as the steward of corporate data can ensure that their company’s most important business assets remain secure and that its risks – legal and otherwise – are kept to a minimum. For insight on proactive steps to take to help you tackle that data mountain, see the article “Four Things Lawyers Can Do to Improve Cyber-Risk Programs: You need to think of yourself as both a steward and a shepherd.” Just don’t forget to bring your climbing gear.
David White is a director at AlixPartners LLP, where he advises clients on information governance, information security and electronic discovery. He can be reached at [email protected].
Published January 13, 2018.