Data protection is a growing issue for organisations across the public and private sectors. Philip Hoult reports on a joint Legal Week/Computing seminar on this complex subject

Earlier this month HSBC admitted that it had lost a computer disc holding information on 370,000 life insurance customers. The banking group, which faces a potential investigation by the Financial Services Authority (FSA) as a result, was just the latest in a growing list of private and public sector organisations to have lost personal data.

The most high profile case so far involved HM Revenue & Customs, which lost discs containing the country's entire child benefit database. These covered some 25 million claimants and included bank and building society details.

Other organisations to have fallen foul recently include financial institutions, retailers, government departments and even the Royal Navy. In the last 18 months, the FSA has slapped huge fines on both Norwich Union and the Nationwide Building Society for data losses.

These incidents help to explain how data protection has shot up the agenda for in-house lawyers and their IT colleagues. In recognition, Legal Week and sister publication Computing last month held a web seminar in association with Guidance Software entitled: 'Do you know where your data is?'

"Companies are increasingly realising that they are being exposed to a higher level of regulatory, legal and market risks from data being spread across all the organisation," said Computing editor Bryan Glick.

These risks have been compounded as businesses move to operating on a genuinely worldwide basis. "Businesses want the information faster, they want to send it around the globe, they want to send it to their trading partners… they also will be receiving data from their trading partners or other stakeholders in their organisation," said panellist Alessandro Moretti, executive director in IT security risk management at UBS. "Information is growing in volume and, in terms of speed, is being distributed around the organisation at a very fast rate."

But with brands and reputations at stake, not to mention the costs arising from breaches of laws or incidents of insider fraud, how can organisations – and their legal and IT teams – ensure they are on top of data protection?

Panellists identified a number of key steps organisations should take. They need to understand the data, identify the risks, take a strategic view, develop appropriate policies, create a culture of compliance, establish audit trails and system checks, and be ready for litigation or regulatory enforcement.

For this to happen, legal and IT teams should work closely together and foster mutual understanding. Unfortunately, this relationship does not always work as well as it could – one in five seminar participants admitted there are very few links between the departments, and in some cases no communication at all.

Management consultant Paul Gilbert of LBC Wise Counsel suggested that the legal department is often seen as "the poor relation". For example, if it wants a case management system, it will be low down the pecking order. "When we want to talk to IT about strategic issues affecting the whole business, which should be on everybody's agenda, they do not get the bandwidth they should due to the imbalance in the relationship," he said.

UBS's Moretti described the relationship between IT and legal as a two-way process. "[Legal has] to understand the data that is in use in the organisation," he said. "They have to set policies that can be interpreted by the IT people to implement IT controls and IT standards in terms of managing that data."

IT departments in turn need to communicate back to the legal team and explain the types of data that are in use, and explain the process that data is being used for. This will enable lawyers to provide the right guidance and to approve the security controls necessary to avoid data being leaked or compromised.

Identifying risks is the easy part – managing them is the most important and difficult task, Gilbert said. With most legal teams modest in terms of size and resource and "operationally stacked out with activity", this is challenging. "What we do not see often enough is lawyers making the time to look at the risk environment," he added. "[They need] to look at unmet legal need and to manage risk more imaginatively, rather than waiting for the crisis to arise and fire-fighting."

Half the lawyers participating in the seminar admitted that they 'could and should do a lot better' when it comes to proactively managing the risks associated with data loss.

A more strategic view, combined with an understanding of the data, should allow in-house lawyers and their IT colleagues to draw up appropriate policies and processes.

But the panellists warned that it is one thing to have policies and another to ensure employees understand them. Indeed, when asked what the biggest challenge in managing data protection plans is, 39% of IT managers participating in the seminar said: "The problem is neither legal nor IT – it is the end users".

Moretti said the key to educating end users is "bringing it home". When he conducts training, one of the scenarios he uses is identity theft – something of great concern to individuals. After asking employees what they do to protect themselves, he directs the discussions to data security in a corporate environment. "That is a way you can start changing the culture," he said. "It generally works quite well."

Clearly, a training programme is key to ensuring that employees are aware of data protection obligations, but Gilbert warned against relying wholly on that. "A company that thinks that, by doing training, they have sorted their issues, is really misleading itself," he claimed. "It is one thing to put a tick in the box [for auditors and regulators], but another to make that work in the context of your people."

Cultural change happens, Gilbert said, when the board, chief executive, management and staff buy into the need to do something. "That cannot be just asserted – you have to make it relevant for people," he added. "Training is a good way of doing it, but it is not the only way. There needs to be meaningful consequences for success and failure."

With buy-in, you might make headway in terms of creating a culture of compliance. But how can you be sure? How do you know if potential breaches will come to the attention of the legal department? And how do you know if the IT controls work effectively?

Panellists emphasised the need to test the system, in the way that you would a plumbing system to see where the leaks are. Laurence Pender, enterprise business manager at Guidance Software, said this is where the IT team can support in-house lawyers by applying techniques that provide validation and visibility of what is really happening within a business.

"Techniques exist that allow us to take a much more surgical approach to the identification and, if required, collection of data across the enterprise," he added.

By taking these steps, organisations can reduce the likelihood of litigation or regulatory enforcement. They will also be better prepared should either become a reality.

Mark Surguy, senior dispute resolution associate at Pinsent Masons, questioned how many organisations understand the depth and breadth of powers available to the likes of the Health and Safety Executive or the Office of Fair Trading in the UK, or, for those with interests in the US, the reach of the Sarbanes-Oxley legislation and the Foreign Corrupt Practices Act. "This is a matter that cannot really be left until the regulator comes knocking on the door," he added.

The danger in litigation support management, one seminar participant suggested, is that lawyers know what they want and IT management know what IT can do – and the gap between the two can be difficult to close.

"There has to be communication and the lawyers may know what they want, but it is a question of what they can have that is reasonable and proportional in the context of litigation," said Surguy. "Lawyers often say they do not understand IT people and the language they use – I am sure the IT people say exactly the same. It is this language barrier that we need to cross."

Data protection is a challenging issue, and alien to many in-house lawyers. But if they can establish a good relationship with their IT colleagues, they will go a long way to meeting their responsibility to tackle it.

Testing opinion – seminar polls

Q1 (to all participants): How well do your legal and IT teams work together to manage your data protection management and discovery strategy?

51% said: "average – teams work together as and when needed"

16% said: "above average – processes are in place and they are well documented"

11% said: "very well – there are good established lines of communication and a clear plan for how teams work together"

11% said: "below average – there are very few links between the departments"

7% said: "poor – there are no processes and poor communication"

3% said: "the IT and legal teams never talk to each other"

Q2 (to IT people): What do IT people consider to be the biggest challenge in managing their organisation's data protection plans?

39% said: "the problem is neither legal nor IT; it is the end users – trying to educate them and make sure they have the necessary awareness of how they need to protect the data they are using to do their jobs"

24% said: "a lack of understanding within the IT department about legal issues and legal concerns"

23% said: "the organisation has a lack of control over data use"

7% said: "it is considered to be at too high a cost"

4% said: "it is something else entirely"

3% said: "information is not easily located when it is needed. If you need to refer information to your legal teams or for data protection issues, it can be a struggle"

Q3 (to lawyers): To what extent do in-house legal teams proactively manage the risks associated with data loss?

8% said: "to a great extent"

35% said: "to some extent"

50% said: "we could and should do a lot better"

7% said: "it is not our concern"