
To protect their employers from risk and liability, in-house attorneys must worry about data security breaches originating from outside the company. Yet, internal security exposures and data leaks caused by the organization's own employees can put the company at risk for lawsuits, financial penalties, compliance violations and PR disasters. Inside counsel must ensure that sensitive data and documents are not transmitted outside the company unless authorized.

Inadvertent human error or intentional data leaks can lead to harmful security breaches, especially if sensitive data is sent to unauthorized recipients. At best, these incidents are embarrassing, but at worst they can lead to loss of privilege, liability for malpractice claims, and penalties for non-compliance with government regulations. Myriad regulations like HIPAA, Sarbanes-Oxley, SEC Regulations and the upcoming GDPR (enforceable as of May 2018) create a formidable gauntlet of compliance requirements for today's businesses.

To properly shield the legal department and the overall company from harm, in-house counsel must develop strong lines of communication with IT to ensure proper processes and tools are in place to prevent internal security breaches. Collaborating with IT, in-house counsel can devise strategies for mitigating data breach risks which can include adjusting workflow design and leveraging available technology tools.

A typical corporate workday is composed of thousands, if not millions, of events where both paper and electronic documents are handled, duplicated, sent and received. This includes scanning, faxing, printing and copying. Each of these events can represent a risk for a data security breach. To mitigate risk, the main priority should be to ensure these actions are as trackable and auditable as possible at the company.

Paper documents are one of the riskiest data sources of all because they are not inherently trackable or auditable. Someone can easily walk off with paper documents without anyone else knowing, and paper can be destroyed, misfiled, lost or damaged. Paper files lying on a desk or thrown into the trash are vulnerable—anyone walking by has access to their contents. Therefore, it is essential for all paper content to be scanned and made searchable through Optical Character Recognition (OCR) software. The original paper can then be archived or shredded and discarded according to company policies and/or compliance requirements. Two main ways exist to convert paper documents into digital ones: scanning and faxing.

Scanning and faxing provide built-in opportunities to examine document contents before final delivery. Typically when employees scan or fax documents, they decide where to route the electronic files—to an email address, fax machine or e-fax number, document management system, folder or another destination. However, new technology tools can intercept these documents, OCR them, search the resulting text and automatically check for keywords like “confidential” or “private,” or for credit card and social security numbers. Any documents containing these elements can be red-flagged or quarantined by a designated auditor, pending further investigation.

Larger organizations often have dedicated risk management or compliance personnel whose main focus is to keep track of sensitive information like this, and in-house lawyers should stay apprised of their actions. Smaller companies may need to assign an IT, support staff person or outside consultant to audit and watch for red flags occurring with scanning and faxing. What constitutes sensitive information will vary according to industry.

Printing and copying are trickier because they are both more immediate than scanning and faxing. When employees print or copy a document, they expect to receive the output (print-out or copy) right away. In the most security-conscious and locked-down work environments, copy/print requests can be frozen or “quarantined” and held back until the auditor analyzes and releases them. The person waiting for the print or copy job receives a status notification when the documents are released, or not. In more permissive settings, the copy/print action can be allowed to proceed without delay, but if any sensitive content is detected, the auditor can follow up later to ensure that no security breach occurred.

It's imperative that inside counsel and IT collaborate to evaluate what technology and workflow solutions are already in place to manage sensitive data, and to determine whether additional data loss detection or prevention strategies should be implemented. With data loss detection, the content will reach its destination without being quarantined, but the content will be flagged for auditors' review after the fact. Data loss prevention is more intense—content is actually stopped from reaching its intended destination until the auditor has reviewed the content. The company's balance of data loss detection and prevention should be calibrated to protect the organization sufficiently while still allowing for workflow to continue expeditiously.
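The content check described for scanning and faxing above, and the detection-versus-prevention policy described in this paragraph, as an added example that is not part of the original article and not a product feature of any vendor named on this page. It assumes the OCR step has already produced plain text; the keyword list, the two routing modes, the sample job texts and the `route_job`/`release_job` names are all assumptions constructed for illustration. The card and SSN numbers are well-known test values, not real data.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    """Hypothetical policy modes, mirroring the article's two strategies."""
    DETECT = "detect"    # data loss detection: deliver now, flag for after-the-fact review
    PREVENT = "prevent"  # data loss prevention: hold in quarantine until an auditor releases it


# Keywords the article names; real deployments would make this list per industry.
KEYWORD_RE = re.compile(r"\b(confidential|private)\b", re.IGNORECASE)
# 13 to 19 digits, optionally separated by single spaces or hyphens (candidate card numbers).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN in ddd-dd-dddd form; area 000, 666 and 9xx are never issued, so they are excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum: rejects most order/phone numbers that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[str]:
    """Return labelled findings (keyword, masked card, masked SSN) for one OCR'd document."""
    findings = []
    for m in KEYWORD_RE.finditer(text):
        findings.append("keyword:" + m.group(0).lower())
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):  # only report checksum-valid candidates
            findings.append("card:****" + digits[-4:])
    for m in SSN_RE.finditer(text):
        findings.append("ssn:***-**-" + m.group(0)[-4:])
    return findings


@dataclass
class Decision:
    findings: list[str]
    delivered: bool  # did the job reach its destination now?
    held: bool       # is it sitting in quarantine awaiting an auditor?
    flagged: bool    # does an auditor still need to review it?


def route_job(text: str, mode: Mode) -> Decision:
    """Apply the detection-vs-prevention policy to one scan, fax, print or copy job."""
    findings = find_sensitive(text)
    if not findings:
        return Decision(findings, delivered=True, held=False, flagged=False)
    if mode is Mode.DETECT:
        # Detection: the job proceeds without delay, the auditor follows up later.
        return Decision(findings, delivered=True, held=False, flagged=True)
    # Prevention: the job is frozen until the auditor analyzes and releases it.
    return Decision(findings, delivered=False, held=True, flagged=True)


def release_job(decision: Decision, auditor_approves: bool) -> Decision:
    """Auditor's verdict on a quarantined job: release it to its destination or discard it."""
    if not decision.held:
        return decision
    return Decision(decision.findings, delivered=auditor_approves, held=False, flagged=False)


# Constructed sample OCR output for three jobs (not real documents).
SAMPLE_JOBS = {
    "memo": "Quarterly planning notes for the facilities team.",
    "invoice": "Order 1234 5678 9012 3456 shipped. Contact: 555-0100.",  # fails Luhn, not a card
    "intake": "CONFIDENTIAL client intake. Card 4111 1111 1111 1111, SSN 123-45-6789.",
}

if __name__ == "__main__":
    for name, text in SAMPLE_JOBS.items():
        for mode in Mode:
            d = route_job(text, mode)
            print(f"{name:8} {mode.value:8} delivered={d.delivered} held={d.held} "
                  f"flagged={d.flagged} findings={d.findings}")
```

Running the script shows the trade-off the article describes: the "invoice" job is delivered in both modes because its 16-digit order number fails the Luhn check, while the "intake" job is delivered-but-flagged under detection and held under prevention until `release_job` is called. Findings are masked before they are logged so the audit trail itself does not become a second copy of the sensitive data.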

Training will be required to implement protective systems properly. IT must be trained on how to set up the infrastructure, with in-house legal serving as advisers/coaches during the process. As end-users of the system, in-house lawyers will require training, too, and they are well placed to advise IT on which keywords and variables to set and which content must be monitored. Content to be monitored may include trade secrets, secure conversations, legal client communications, government documents, medical/health and other personal identifying information and intellectual property, to name a few. Jointly advised by inside counsel and IT, compliance and HR can create policies, set standards and manage people's expectations so employees realize there may be a delay in transmission or output delivery to guard against data security concerns.

By taking proactive steps to team up with IT, risk management and HR, in-house counsel can greatly reduce the chance of internal security breaches damaging their corporations. Simply putting a risk management system in place, whether it involves technology, workflow or both, is a step in the right direction. These systems bring attention to pitfalls so employees can avoid falling into them, and create rigor and vigilance to discourage would-be data leakers from proceeding with any nefarious plans. By taking internal data security risks seriously and addressing them proactively, inside counsel can serve their employing organization with effectiveness and success.

Karen Cummings is the General Manager of Upland AccuRoute, where she drives growth and strengthens the ability to deliver comprehensive document capture, fax, and workflow products. With years of experience with enterprise software, Karen leads AccuRoute's strategic direction and expands its market position worldwide and across a breadth of vertical industries, most notably the financial services and legal markets. Previously, Karen was EVP of sales and marketing at Omtool (now Upland Software) after launching Spinnaker Consulting Group.