In-house Lawyers and Corporate IT Can Collaborate to Prevent Internal Data Breaches
Inside counsel must ensure that sensitive data and documents are not transmitted outside the company unless authorized; the IT department can help.
January 10, 2018 at 05:11 PM
The original version of this story was published on Law.com
To protect their employers from risk and liability, in-house attorneys must worry about data security breaches originating from outside the company. Yet, internal security exposures and data leaks caused by the organization's own employees can put the company at risk for lawsuits, financial penalties, compliance violations and PR disasters. Inside counsel must ensure that sensitive data and documents are not transmitted outside the company unless authorized.
Inadvertent human error or intentional data leaks can lead to harmful security breaches, especially if sensitive data is sent to unauthorized recipients. At best, these incidents are embarrassing, but at worst they can lead to loss of privilege, liability for malpractice claims, and penalties for non-compliance with government regulations. Myriad regulations like HIPAA, Sarbanes-Oxley, SEC Regulations and the upcoming GDPR (enforceable as of May 2018) create a formidable gauntlet of compliance requirements for today's businesses.
To properly shield the legal department and the overall company from harm, in-house counsel must develop strong lines of communication with IT to ensure proper processes and tools are in place to prevent internal security breaches. Collaborating with IT, in-house counsel can devise strategies for mitigating data breach risks which can include adjusting workflow design and leveraging available technology tools.
A typical corporate workday comprises thousands, if not millions, of events in which both paper and electronic documents are handled, duplicated, sent and received. This includes scanning, faxing, printing and copying. Each of these events can represent a risk for a data security breach. To mitigate risk, the main priority should be to ensure these actions are as trackable and auditable as possible at the company.
Paper documents are one of the most risky data sources of all because they are not inherently trackable or auditable. Someone can easily walk off with paper documents without anyone else knowing, and paper can be destroyed, misfiled, lost or damaged. Paper files lying on a desk or thrown into the trash are vulnerable—anyone walking by has access to their contents. Therefore, it is essential for all paper content to be scanned and made searchable through Optical Character Recognition (OCR) software. The original paper can then be archived or shredded and discarded according to company policies and/or compliance requirements. Two main ways exist to convert paper documents into digital ones: scanning and faxing.
Scanning and faxing provide built-in opportunities to examine document contents before final delivery. Typically when employees scan or fax documents, they decide where to route the electronic files: to an email address, fax machine or e-fax number, document management system, folder or another destination. However, new technology tools can intercept these documents, run OCR on them, and automatically search the text for keywords like “confidential” or “private,” or for credit card and social security numbers. Any documents containing these elements can be red-flagged or quarantined by a designated auditor, pending further investigation.
Larger organizations often have dedicated risk management or compliance personnel whose main focus is to keep track of sensitive information like this, and in-house lawyers should stay apprised of their actions. Smaller companies may need to assign an IT or support staff person, or an outside consultant, to audit and watch for red flags occurring with scanning and faxing. What constitutes sensitive information will vary according to industry.
Printing and copying are trickier because they are both more immediate than scanning and faxing. When employees print or copy a document, they expect to receive the output (print-out or copy) right away. In the most security-conscious and locked-down work environments, copy/print requests can be frozen or “quarantined” and held back until the auditor analyzes and releases them. The person waiting for the print or copy job receives a status notification when the documents are released, or not. In more permissive settings, the copy/print action can be allowed to proceed without delay, but if any sensitive content is detected, the auditor can follow up later to ensure that no security breach occurred.
It's imperative that inside counsel and IT collaborate to evaluate what technology and workflow solutions are already in place to manage sensitive data, and to determine whether additional data loss detection or prevention strategies should be implemented. With data loss detection, the content will reach its destination without being quarantined, but it will be flagged for auditors' review after the fact. Data loss prevention is more intense: content is actually stopped from reaching its intended destination until the auditor has reviewed it. The company's balance of data loss detection and prevention should be calibrated to protect the organization sufficiently while still allowing workflow to continue expeditiously.
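As an added illustration (not part of the original article and not any vendor's product), the sketch below applies the content check described above to OCR text and shows how the same finding is handled in detection mode versus prevention mode. The keyword list, function names and sample text are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed watch list; the article names these two keywords as examples.
KEYWORDS = ("confidential", "private")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: discards digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def findings(text: str) -> list:
    """Return the categories of sensitive content found in OCR text."""
    hits = [f"keyword:{k}" for k in KEYWORDS
            if re.search(rf"\b{re.escape(k)}\b", text, re.IGNORECASE)]
    if SSN_RE.search(text):
        hits.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        hits.append("card")
    return hits

@dataclass
class Decision:
    action: str      # "release", "release_and_flag" or "quarantine"
    findings: list   # what the auditor is shown

def route(text: str, mode: str) -> Decision:
    """mode='detect' delivers and flags; mode='prevent' holds for the auditor."""
    if mode not in ("detect", "prevent"):
        raise ValueError(f"unknown mode: {mode}")
    hits = findings(text)
    if not hits:
        return Decision("release", hits)
    return Decision("quarantine" if mode == "prevent" else "release_and_flag", hits)

# Constructed sample OCR output; the card is a well-known test number.
SAMPLE_FAX = "CONFIDENTIAL - payroll\nSSN 123-45-6789\nCard 4111 1111 1111 1111"
# Constructed benign page: a 16-digit order reference that fails the Luhn check.
SAMPLE_MEMO = "Lunch menu for Friday. Order ref 1234 5678 9012 3456."
```

The Luhn check matters for calibration: without it, any long reference number on a scanned page would hold up delivery in prevention mode.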
Training will be required to implement protective systems properly. IT must be trained on how to set up the infrastructure, with in-house legal serving as advisers/coaches during the process. As end-users of the system, in-house lawyers will require training, too, and they are in a good position to advise IT on how to set keywords and variables, and to instruct IT about the content that must be monitored. Content to be monitored may include trade secrets, secure conversations, legal client communications, government documents, medical/health and other personal identifying information and intellectual property, to name a few. Jointly advised by inside counsel and IT, compliance and HR can create policies, set standards and manage people's expectations so employees realize there may be a delay in transmission or output delivery to guard against data security concerns.
By taking proactive steps to team up with IT, risk management and HR, in-house counsel can greatly reduce the chance of internal security breaches damaging their corporations. Simply putting a risk management system in place, whether it involves technology, workflow or both, is a step in the right direction. These systems bring attention to pitfalls so employees can avoid falling into them, and create rigor and vigilance to discourage would-be data leakers from proceeding with any nefarious plans. By taking internal data security risks seriously and addressing them proactively, inside counsel can serve their employing organization with effectiveness and success.
Karen Cummings is the General Manager of Upland AccuRoute, where she drives growth and strengthens the ability to deliver comprehensive document capture, fax, and workflow products. With years of experience with enterprise software, Karen leads AccuRoute's strategic direction and expands its market position worldwide and across a breadth of vertical industries, most notably the financial services and legal markets. Previously, Karen was EVP of sales and marketing at Omtool (now Upland Software) after launching Spinnaker Consulting Group.