Inside: Law department leadership, growing the IT relationship and data risk management as 2014 priorities
The CIO-GC relationship is becoming increasingly symbiotic, particularly within the context of a crisis, such as a data breach or network intrusion.
January 13, 2014 at 03:00 AM
The original version of this story was published on Law.com
Today's general counsel must understand emerging technology and be conversant with the company's chief information officer (CIO) as well as all internal IT business partners. The CIO-GC relationship is becoming increasingly symbiotic, particularly within the context of a crisis, such as a data breach or network intrusion, not unlike the events in 2013 that plagued Target, the Federal Reserve, Living Social, Snapchat, Evernote, The Washington Post and Drupal, to name a few.
Crises and doomsday scenarios are not the only reasons for establishing these relationships, however. As companies develop tech-centric policies and procedures, GCs become the best resource for predicting the legal implications, not only of those policies but also the technology itself.
Why it is important to establish relationships with the IT department
In order to effectively develop the IT relationship, in-house lawyers must understand and embrace their company's technological platform and processes. The reality is that GCs and law department leaders are quickly coming to the realization that all roads lead to the CIO.
The rise or fall of departmental efficiencies, data analytics, cost controls, and trending analysis are inextricably linked to the IT team's provision of technology resources, education, software development, vendor due diligence, software implementation and a host of other services to their legal departments. The consequences of a poor software purchase or implementation lead to a lack of coordination, failure to execute, mutual recrimination and blame, all of which require a significant investment of time and capital to resolve.
Vendors and inter-departmental cooperation
The selection and implementation of the right vendor for technology tools to be utilized in the law department requires a disciplined RFP process, a dedicated team to conduct due diligence, expert legal and technological knowledge to negotiate the agreement and the IT resources required to ensure the promised implementation and product performance. Critical to vendor due diligence is determining cost, reputation for service, efficiency, technology and security, among other factors.
(For a good discussion of managing risk in third-party vendor engagements, see this.)
Additionally, a strong internal contract negotiation team is required to investigate, draft RFPs, make selections, conduct additional due diligence, and negotiate a software-centric agreement. Relying on the vendor for the implementation can yield disastrous results. This process necessarily contemplates significant legal and IT resources that are dedicated to project management.
For most legal department leaders, a lack of resources and time make it impractical or impossible to dedicate the requisite number of in-house lawyers to such a high-stakes endeavor. In many organizations, there simply isn't time to lead these large projects or devote overworked in-house legal staff that may be inexperienced in these emerging practice areas. However, a strong relationship between IT and legal can ensure efficiency and thoroughness in vendor selection and alleviate a process that is otherwise maligned by departmental isolation.
One potential solution is for legal departments to designate members of the team as temporary liaisons to the IT department for the duration of such projects. Or, the legal department could request that the IT department place a representative in the legal department for the lifecycle of the deal.
“Embedding” department representatives serves two important goals. First, it increases communication quality and frequency between departments and educates the lawyers on the challenges faced by the IT staff as it implements critical corporate strategies. As a result, the legal department achieves greater success and understanding of the dependencies that exist in a given technology initiative.
Intangible by-products of this symbiotic relationship are inter-departmental goodwill and appreciation. Additionally, both the GC and CIO are better equipped to anticipate needs and competing interests for these resources.
Strong interdepartmental relationships yield valuable returns when addressing governance, privacy and information security. A lack of communication between departments often results in overlooked or misunderstood risks in data management and security or a disjointed response to crisis events.
Good relationships with IT translate into data risk management
The context for good relationships in the IT department may be straightforward for legal departments in technology companies, health care companies, or financial institutions, but how can nurturing these relationships on a day-to-day basis mitigate potential data management and security risks for everyone else? There are five key components for cultivating positive working relationships with the IT department to yield comprehensive risk management.
1. Establishing communication channels. GCs need to create continuous, substantive lines of communication with the CIO and IT departments. Ideally, GCs should make it a priority to attend a team meeting in the IT department at least once a month. Unfortunately, it is a common misconception among most in-house counsel that normative communication gaps exist between legal and IT, but GCs must take the lead on establishing a consistent flow of communication. Often, in-house counsel are frustrated by technical IT “speak” while the IT staff has difficulty understanding that lawyers must work through complex corporate legal issues. Effective communication strategies are established by first creating a mutual understanding of how each department functions and the challenges that face them respectively.
2. Understanding IT governance's impact and risk. When in-house lawyers understand how IT manages risk, creates its budget and determines its own departmental values, the relevancy to the legal department is also realized. For example, the implementation of new software that is fundamentally flawed from a security perspective, a failure to invest in technology, or losing talented employees with IT expertise can have profoundly negative impacts on the company as a whole. The legal team cannot identify and manage significant risks without understanding the resources, challenges and demands placed on the IT department. While a GC may not be able to provide an immediate solution, he or she will need to manage – and prepare for – the long-term impact. GCs should identify potential issues well in advance and engender goodwill by partnering with and advocating for other departments within the company, creating an expected partnership for risk mitigation across the organization.
3. Understanding where data resides. In-house lawyers must understand where the organization's data is stored. Creating a comprehensive data map requires interdepartmental cooperation, and requires both project management and research, rather than purely technical exercises. While hiring a consultant to get the teams talking or working together is a positive step, the departments can also invest on the front-end by building positive relationships themselves.
4. Adopting privacy and security controls. Once the GC understands where data resides, the legal department can work with the IT group to select the appropriate controls framework, and to establish appropriate privacy and security controls. This process involves a top-down review of all data repositories and a full understanding of existing controls, as well as what new controls, if any, are required to comply with existing or future privacy or security laws. For legal, this process will require a thorough understanding of the legal and regulatory requirements, the privacy and security controls framework, the operation of such controls in the current environment, and the parties responsible for implementing the controls. The IT team is a crucial part of this process since the privacy and security controls are authored and applied by IT personnel. Additionally, it will be incumbent upon the IT team to adequately explain the limits or application of the controls framework to the existing IT systems.
5. Leveraging the IT relationship to establish an information governance program. The end game is creating an enterprise-wide data governance program and the most compelling advocates for the creation of this program are the legal department and the IT department. The intentional cultivation of this relationship can ultimately lead to a unified, cogent and thoughtful explanation of the necessity for a comprehensive data governance program. In a best-case scenario, both the GC and CIO can come to the table with concrete examples of how to mitigate data risk, having carefully considered all of the various ways in which good data governance can positively impact the organization and reduce exposure. Establishing the appropriate buy-in, crafting a budget to initiate a program and successfully implementing the program will be exponentially easier with a partner. One voice in the boardroom can be lost, but two voices can win the argument.
We will explore the creation of a data governance program in the next column.