Corporate legal dept. finds role shifting amid cybersecurity, privacy concerns
February 2, 2016
That “giant sucking sound” that can be heard is the tangled monster of data security and privacy issues pulling “all lawyers with expertise” into its grip, Juliet M. Hanna, associate general counsel at Fannie Mae, told attendees of the LegalTech conference in New York Tuesday.
Hanna, like others on the panel, are grappling with the changing role of corporate legal departments as they assume a greater role in security and privacy.
No longer the responsibility of IT, cybersecurity has spurred lawyers into action to protect information whether it's intellectual property, confidential data or that needed to fulfill discovery. “There's plenty of work for the legal department,” said Hanna.
Of particular concern are third parties—other law firms, clients, vendors and the like—which can be points of vulnerability that can leave data exposed or open to attack.
“From an inhouse perspective you're going to own that one,” said John Davis, executive director and counsel global ediscovery at UBS. “If you are responsible for vendor relations then you have to make sure they follow your rules.”
For example, it's “not good enough for a small law firm to treat our data the same way it treats its clients data,” Davis said, who advocates for getting the right industry and corporate standards in place and soliciting “IT to do the inspections and looking at results of the testing that we insist third parties go through.”
Organizations must ensure the same protections for data that it sends offsite for storage. “It's fairly universal that organizations are not necessarily hosting all data on site,” said Hanna. “It's a very large concern—that data is technically out of your control.” Organizations can dial those concerns down a notch by assessing third parties and the risk they pose to the data they host before turning that information over to them.