If you work as part of an in-house legal department for a professional organisation, then your remit for protection is likely to be vast. Depending on the size and sector of the business, the legal work required will range from employment and contract negotiations, to commercial and marketing work. With so much compliance required to secure and safeguard companies against legal action, it is unsurprising that some protective measures fall through the cracks.
Somewhat inevitably, it is mostly digital security that is ignored, or at least misunderstood. In many cases, we have come across in-house lawyers who view digital protection as the domain of the IT department, having little understanding of how the company operates online, or the potential liabilities this can cause. For an industry that is so regimented by compliance, we find this an incredibly odd, and dangerous, practice.
As the legal representatives, you must be analysing every facet of the business and asking what processes are in place to protect its interests. One valuable company resource that is so often taken for granted is data. A broad term in many ways, data can include confidential information about the company and the ways it is managed, as well as intimate client details that could be exploited in the wrong hands. Frequently, individuals and department heads feel their data is secure because it sits inside the ‘Document Management System’ and cannot be modified by anyone outside the team. This is not true: such systems are often breached through poor password management, or through system administrators retaining access they should not have.
A legislative change that is likely to bring digital security to the forefront is the imminent General Data Protection Regulation (GDPR), which the UK’s Information Commissioner has confirmed will be broadened due to Brexit. This is a more robust set of rules that will replace the Data Protection Act and provide much stricter punishment for a data leak or system breach. Adequate protection of data will become mandatory, enforced with a potential fine of 4% of your annual global turnover or €20 million, whichever is greater.
Understanding that the risk is real, and that it is the responsibility of the legal department to ensure compliance, is the first step. The next is to start asking questions. What security do you currently have in place? Who has access to your internal documents? Are they cleared to a sufficient level for the data they are accessing?
One of the biggest concerns for businesses over the past 12 months has been the rise of the insider threat. Put simply, this is internal sabotage, either through malicious intent or through negligence, by members of your own team. You therefore need to consider who controls your IT, especially if you outsource any part of it, or place data in cloud-based services with no encryption or other control measures.
The baseline technology to start with is a strong encryption platform that can handle all your encryption needs, whether the data is within your network or hosted elsewhere. Bringing your own encryption to any data store means you control who can view or share the data, which in turn protects you against data loss. This should be the bare minimum expected in terms of digital security for any organisation that shares or stores data. There is a wealth of software and protocols that can be implemented to guard further against potential breaches, and consequently against fines once GDPR applies.
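The point of "bring your own encryption" is that the key, not the location of the data, decides who can read it. The following Go program is an added illustration, not code from the original article or from any product it refers to: the organisation generates and keeps an AES-256-GCM key (`OrgKey`, a hypothetical name), seals each document with it before upload, and a hypothetical `HostedStore` stands in for an outsourced document system or cloud bucket that only ever receives ciphertext. It also answers the earlier questions about who has access: the store's administrators can copy or leak the blob but cannot read it, and a blob presented under a different document ID or to a different key is rejected because the document ID is bound in as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// OrgKey is a data-encryption key the organisation generates and keeps in its
// own key store. The hosting provider never receives it, which is what gives
// the data owner, rather than the host, control over who can read the data.
// (Hypothetical type name; constructed for this example.)
type OrgKey struct {
	key []byte // 32 bytes: AES-256
}

// NewOrgKey generates a fresh random key. In production it would come from
// the organisation's key management system; here it is constructed in memory.
func NewOrgKey() (*OrgKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &OrgKey{key: k}, nil
}

func (k *OrgKey) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a document with AES-256-GCM before it leaves the organisation.
// The document ID is bound in as associated data, so a blob that is later
// renamed or swapped for another document's blob fails to decrypt.
func (k *OrgKey) Seal(docID string, plaintext []byte) ([]byte, error) {
	gcm, err := k.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || GCM tag. The nonce is not secret.
	return gcm.Seal(nonce, nonce, plaintext, []byte(docID)), nil
}

// Open decrypts a blob produced by Seal and verifies its integrity tag.
// Any error means the data is not returned: wrong key, wrong ID, or tampering.
func (k *OrgKey) Open(docID string, blob []byte) ([]byte, error) {
	gcm, err := k.aead()
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed document")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(docID))
}

// HostedStore models a third-party document store or cloud bucket. It only
// ever holds sealed blobs, so its administrators can copy, back up or leak
// the data without being able to read it. (Hypothetical; constructed here.)
type HostedStore struct {
	blobs map[string][]byte
}

func NewHostedStore() *HostedStore { return &HostedStore{blobs: map[string][]byte{}} }

func (s *HostedStore) Put(docID string, blob []byte) { s.blobs[docID] = blob }

func (s *HostedStore) Get(docID string) ([]byte, bool) {
	b, ok := s.blobs[docID]
	return b, ok
}

func main() {
	key, _ := NewOrgKey()
	store := NewHostedStore()

	// Constructed sample document for the demonstration.
	plaintext := []byte("Settlement terms for client X: confidential")
	blob, _ := key.Seal("contract-0042", plaintext)
	store.Put("contract-0042", blob)

	raw, _ := store.Get("contract-0042")
	fmt.Printf("store holds %d opaque bytes, not the text\n", len(raw))

	doc, err := key.Open("contract-0042", raw)
	fmt.Printf("key holder reads: %q (err=%v)\n", doc, err)

	_, err = key.Open("contract-0099", raw)
	fmt.Printf("same blob presented under another ID: err=%v\n", err)
}
```

The design choice worth noting for a reviewer is that the host is treated as untrusted storage: rotating or revoking the organisation's key is what removes access, regardless of what the provider or its administrators retain.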
Data security is not a one-off task. It requires constant review and monitoring as the threat landscape changes, and it falls on each data owner to consider how sensitive the data is and therefore to what level it should be protected.