That “giant sucking sound” that can be heard is the tangled monster of data security and privacy issues pulling “all lawyers with expertise” into its grip, Juliet M. Hanna, associate general counsel at Fannie Mae, told attendees of the LegalTech conference in New York Tuesday.
Hanna, like others on the panel, are grappling with the changing role of corporate legal departments as they assume a greater role in security and privacy.
No longer the responsibility of IT, cybersecurity has spurred lawyers into action to protect information whether it's intellectual property, confidential data or that needed to fulfill discovery. “There's plenty of work for the legal department,” said Hanna.
Of particular concern are third parties—other law firms, clients, vendors and the like—which can be points of vulnerability that can leave data exposed or open to attack.
“From an inhouse perspective you're going to own that one,” said John Davis, executive director and counsel global ediscovery at UBS. “If you are responsible for vendor relations then you have to make sure they follow your rules.”
For example, it's “not good enough for a small law firm to treat our data the same way it treats its clients data,” Davis said, who advocates for getting the right industry and corporate standards in place and soliciting “IT to do the inspections and looking at results of the testing that we insist third parties go through.”
Organizations must ensure the same protections for data that it sends offsite for storage. “It's fairly universal that organizations are not necessarily hosting all data on site,” said Hanna. “It's a very large concern—that data is technically out of your control.” Organizations can dial those concerns down a notch by assessing third parties and the risk they pose to the data they host before turning that information over to them.
The high level of connectivity among organizations further complicates the security landscape. “Everything is tied into each other” as a result of the inherent data flow and the Internet, said Joseph DeMarco, a partner at DeVore & DeMarco LLP. “It's a given that data is leaking out and malware is leaking in.”
DeMarco noted that “any organization out there that has data” and which ends up having a security issue “is going to have a legal issue on its hands.”
And they will pay the piper in the courts. He pointed to the bevy of state laws and other regulations and legislation that organizations must follow.
“It's a mess,” he said, explaining that the U.S.'s cybersecurity regulation grew up much like it's power grid, “knitting together” local assemblages. “It can seem overwhelming. You do have a patchwork unlike other countries which have an over-arching law.”
Because data security incidents are often played out in the courts and not before MIT technologists, DeMarco reiterated that it's important that responsibility for cybersecurity doesn't lie with IT. “Technologists should be supervised by lawyers,” he explained. “And if technologists haven't been working under privilege, good luck in not turning that stuff over” during discovery.