Digital transformation has come for all organizations; it doesn’t discern between industries, and it doesn’t care if your organization is a fledgling startup or an established multinational corporation. Emerging technologies such as virtual reality and artificial intelligence present unique business needs and challenges. One of the most demanding is the requirements on companies and governments to protect user data and privacy in an ever-changing technological environment.
A 2020 global survey found that two-thirds are more concerned with online privacy than ever, and over 80% believe that their personal information is vulnerable to hackers. These concerns have caught the attention of state legislatures around the country. Many states are passing laws governing how corporations collect and use the customer information gathered in connection with the offering of goods and services on the internet. From state to state, the laws have meaningful variations and inconsistencies, creating a patchwork of regulations that can be challenging for corporations to navigate.
In response, companies must develop programs to bulk up security and controls related to maintaining the privacy of customer information, and in-house legal teams must prioritize addressing the challenges that the inconsistent regular landscape creates. Companies are proactively establishing data privacy programs, and general counsels (GCs) and legal leaders are playing a prominent role. Legal teams are critical inputs in the battle to protect data and ensure companies can respond to regulatory changes. Legal professionals must drive successful cybersecurity initiatives and help provide peace of mind to customers regarding the company’s protection of customer data and privacy. For GCs and in-house legal teams operationalizing data privacy efforts, there are four essential best practices to follow.
Step one is to understand what kind of data you collect and categorize it by sensitivity and severity levels in the event of a data breach. Knowing what information is in the company’s possession allows the legal team to understand the scope of risk in case of a breach or a data leak. This also will help the company understand how any laws and regulations regarding data storage and breach notification may impact the company’s responsibilities.
For example, companies that collect contact information, such as a user handle and an email address, face a different risk profile from those collecting Social Security numbers and banking information (think of the difference between the local newspaper that makes you create an account using your email address to read an article versus the online portal you use to submit documentation in connection with obtaining a mortgage). The risk profile and the regulatory responsibilities differ depending on the jurisdiction in which the customer/user is located, the type of information collected, and the way the company uses that information.
Once the legal team has a clear understanding of the scope and methods of collection of user data collected by the company, the legal team can plan the appropriate to protect against, and if necessary, respond to, any breach or leak of that user data.
The next step is identifying other leaders within the organization who can help execute the vision for building/enhancing your data privacy program. An excellent place to start is with the IT team and software engineers, as these teammates are absolutely necessary (and really, the true heroes) to any successful data privacy initiatives. Work together to establish response protocols for various scenarios, including protection against outside hackers, internal leaks, inadvertent disclosure, etc.
Outline potential security scenarios and determine whether your organization is vulnerable, both from an infrastructure level and from a platform level. What are the employee touchpoints with your systems? Who has access to data? What controls do you have in place for the tracking and use of sensitive information? What are any other areas of technical risk?
Once the core team is in place, appropriate lines of accountability for the deployment and success of your privacy and security program must be established. Compliance issues and data breaches are inevitable, but setting clear accountability will provide a driver who will direct and facilitate a swift, appropriate response to limit the scope and scale of any breach and remediate any issues resulting from the breach. Once a leader is identified, the team should understand any gaps between what precautions and controls are currently in place regarding data security and what those precautions and controls should look like as the program reaches maturity. From there, the team should meet regularly to assess the progress of privacy initiatives and identify new opportunities for improvement.
Finally, it goes without saying that the privacy program should continue to be a priority for the organization. The senior leadership in the organization should be regularly reminded of the program’s progress, and the key executives should consistently reiterate the importance of prioritizing the continued development and maturation of any privacy program. Conduct regular tabletop exercises several times a year using real-life scenarios to measure the company’s readiness and provide the response team with the opportunity to evaluate what worked well and what can/should be improved. These should feel like a fire drill, run with little to no notice. Simulating a real-world incident to the maximum extent of safety possible will expose any weaknesses in processes, controls, staffing execution and expertise.
Remember: Data privacy programs are ongoing efforts. Taking a set-and-forget approach will expose the company on many levels, from incurring regulatory fines to irreparably damaging the company’s relationship with customers.
When it comes to managing a data breach, it’s similar to most other problems you’ll face as an in-house attorney. Rarely is it the first mistake that kills you; it’s the tenth. Not only will incidents happen, but some organizations may not realize a breach is occurring until the violation has already occurred. Knowing how to respond at each point in the incident to direct a positive outcome is just as crucial as taking appropriate precautions to prevent an incident from occurring in the first place.
For the lawyers out there, always be aware of your contractual obligations in the event of a data breach. What constitutes a “data breach”? What are the company’s notice requirements to vendors and customers? Managing your executed contracts in an organized and easily searchable way is critical to your speed in response, and cutting-edge post-signature solutions may just be the difference between facing a lawsuit and maintaining a positive customer/vendor relationship.
The regulatory environment will continue to change, and the agreements with the company’s customers and vendors will reflect those changes over time. Be prepared for the data breach, know your contractual obligations, and focus on proactively managing your relationships with critical customers and suppliers. Data breaches will inevitably happen at some level or the next, and successful responses and remediations will be greatly advanced by maintaining a healthy relationship with those most likely to be affected by a data breach. The bottom line when establishing a data privacy program is: to contain, remediate, focus on relationships, and understand your legal obligations to your customers.
This article was originally published on law.com.