Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

May 2019
No surprise what their biggest concerns are: data breaches and data privacy.
In April, the giant accounting consultancy BDO released a survey of in-house lawyers called Inside E-Discovery and Beyond: Navigating Legal Digital Disruption. Much of the report focused on cybersecurity and data privacy. But it also examined the influence that e-discovery has had on these fields, and ultimately on information governance itself.
     Karen Schuler, national data and information governance practice leader, and Gregory Garrett, head of the company’s U.S. and international cybersecurity, took a few minutes to talk to us about the survey’s results. Two of the topics they delved into were the importance of investing more resources in this area, and the ways that large companies have made effective use of e-discovery tools to assist them in tackling privacy and cybersecurity. 

CyberInsecurity News: What are the most important takeaways from your survey about cybersecurity and data privacy for in-house lawyers?
Karen Schuler: Among corporate counsel, we found that data breaches and data privacy are the two biggest concerns; a third is Big Data. Encryption is one of the top concerns as well. Companies that responded to the survey are voicing the fact that they are making greater investments in data governance and information governance to help them navigate these challenges. And information management has come to be one of the top concerns. Five years ago, when we first started this survey, information management was brushed off with “we’ve got that under control.” Today we’re seeing a much bigger challenge. And part of the reason is, with the EU’s General Data Protection Regulation [GDPR] last year and now the California Consumer Privacy Act, and with Brazil and Canada and many states in the U.S. bringing forth their own privacy laws, information management is going to be one of the biggest challenges. To this day, companies still do not know where to find their information, which presents greater information and records management challenges. They don’t even know where personal data is stored sometimes, and they don’t know who they’ve shared it with or who they’ve sold it to, which is a big concern for consumers.

CIN: We noted that 59 percent of the respondents are taking action to develop an internal governance council or leadership team—with another 34 percent considering similar action. What do you make of these developments?
KS: I just left a client, and being their data protection officer, I actually sit with their governance committee and governance board and have to attend those meetings. And I will tell you that two years ago, they did not have such a structure. This is a large organization, global in nature, and finally we are seeing that the regulations are helping everyone to get the budget and the ability to move initiatives forward as they weren’t able to do before. GDPR did help a lot of these legal teams, technical teams, cybersecurity teams move information governance initiatives forward that were traditionally an e-discovery initiative. Now they’ve become corporatewide initiatives. I will tell you that this particular company will take things all the way up to the board to make decisions. If they have a governance committee and a governance board, they want to ensure that the board and the executives are actually aware of what is being said in those meetings. And they want to let them make decisions and weigh in.
Gregory Garrett: We’ve seen this taken increasingly seriously each year over the last five years—especially at the top-tier companies. What’s good to see is that the midsize companies and some of the smaller midsize companies are starting to understand the potential impact on their organizations for not having made the proper investments in the past. So we’re starting to see a real pickup in terms of both awareness and investments by those companies.

CIN: Where does e-discovery fit in the information governance picture? And how have the data breach and privacy issues and regulations like the GDPR altered the tableau?
KS: E-discovery has been a very large undertaking for companies around the world for many years now. Companies got themselves in shape and had decent information governance practices for e-discovery purposes. I’m not going to say great, but decent. Those efforts had been going on for a number of years, and they were being driven by e-discovery and the serial litigants or those that had a lot of litigation. If you didn’t have a lot of litigation, you didn’t necessarily care about information governance. To Gregg’s point about the midmarket and smaller companies coming up to speed, I think that’s a very fair statement. But when you start looking at the larger organizations, or even the ones that were in industries where they had a lot of litigation, they actually made a lot of effort around their information governance practices. What we found is that those companies, once the EU regulations were being updated and they realized that there was going to be another aspect to information governance, we were finding that they’ve now taken their traditional e-discovery reasons for doing information governance and shifted that over to privacy and data protection.  

CIN: The lawyers were asked what their largest personal challenge was. And they said keeping up with regulatory changes. Is this all about the new privacy regulations?
GG: I think it’s a combination of factors. We have a whole host of cybersecurity regulatory requirements. Many countries around the world have a national cybersecurity standard. Many have adopted the ISO 27001 as their standard. But here in the United States, because of the vastness of our marketplace and because of all the different industries and the litigious nature of our society, we have all these separate cybersecurity regulatory standards and risk management frameworks, such as HIPAA in health care and the payment card industry’s data security standard. In financial services you’ve got SEC guidance, FFIEC [Federal Financial Institutions Examination Council] guidance. You’ve got OCC [Office of the Comptroller of the Currency] guidance. We have, of course, the New York Department of Financial Services cybersecurity regulatory requirements. And with the regulatory agencies, you’ve got the National Institute for Standards and Technology, government contractors, defense contractors. And then you combine that with all of the unique requirements at the state level that you have popping up in data privacy from the East Coast to the West Coast—it’s just an overwhelming amount of regulatory requirements that companies are really struggling with trying to be compliant with and just be knowledgeable about.

CIN: And you didn’t even mention the 50 different state breach notification laws! Yeah, that’s quite a bit.
GG: Absolutely! It’s crazy. I was just in San Francisco last week with a client who operates all over the United States and all over the world, and they are literally going through a class action lawsuit in which they have to prepare a report that is going to discuss their information security program that they’ll have to share with the attorney generals of all 50 states, though each had different sets of requirements. 

CIN: It’s interesting that using new tech and tools is way down at No. 3 on that same list of personal challenges. And the overall numbers are also pretty darn low—only 17 percent rate new tech as a big challenge—which may suggest that lawyers are actually finally getting more comfortable with tech. Is that possible?
GG: [laughing] I wouldn’t extrapolate too much from that.

CIN: On that same topic, in the introduction to your survey report, you talked about the advent of “legal-tech hybrids”—individuals with skills in both fields. Was this something that came from the survey itself, or was it just an observation that you passed along?
KS: I think it’s more intuitive, in the sense that we know who companies have been hiring of late. Attorneys who have a legal technology background are more sought after than those who do not.  And it’s almost a given that whether you practice in-house or outside, you need to understand technology today. That comes with a little bit of a caveat. You still have the lawyers who want to just lawyer. But a lot of the lawyers that I personally deal with have an understanding of the technology. It may take some of them a little longer to get there, but they at least want to understand how technology impacts the law or the business implications that face their company or clients. And I think it’s because for years in e-discovery, lawyers needed to be able to understand what they were actually purchasing from e-discovery providers. And some individuals and companies got burned because they bought startup tools. And if you look not so much at the cybersecurity area, because there are a lot of well-accepted, tried-and-true cybersecurity tools out there, but particularly in the privacy world, you will find that there are companies only two or three years old. You don’t know if these companies are going to be around in five years. That’s part of the reason we mentioned that there is a demand now for the legal-tech hybrid.    

CIN: Another finding: 71 percent of the respondents said they plan to use tech to streamline legal operations. For large organizations, that number climbed to 91 percent. What’s going on there?
KS: For the legal team, they are back to re-evaluating. A number of years ago, there were early case assessment, data analytics, data visualization, technology-assisted review tools. If you think back to that, there were only certain tools in the market that could serve the purpose they purported to serve. Today you can add your forensic collection to your e-discovery tools. We do see companies increasing spend to bring more of these capabilities in-house, so they don’t have to hire forensic experts to go out and collect information all over the place. And they can funnel it into one type of repository. We’re also finding that, with the prevalence of cybersecurity and data breach laws and privacy laws, when you have a data breach, there is a lot of associated litigation. So the legal team is getting smarter about using machine learning in terms of how they are going to review and what will be produced if they do have a data breach. Because although you do have to notify individuals, you then have the follow-on litigation, or state AG investigations, or data protection authorities in the EU or some other country. What our clients are doing is saying, “OK, we have all of these e-discovery tools in-house.” And a lot of the respondents in the survey are saying, “We have these tools. What can we do with those to help support our ability to respond to the litigation or the follow-ons?” They’re trying to figure out how they can utilize these tools, enhance them, and improve their capabilities, and not have to rely on as many people, because there is a huge people shortage out there, and it is very difficult to find the talent in many of these areas. So they’re turning to technology and improved processes. 
GG: I would just add to that that the use of Big Data analytics is a powerful tool across all industries. And the offices of general counsel and independent law firms are all recognizing the vast amounts of information that they have and the importance of trying to use Big Data analytics to analyze their data and be able to then visualize trends and do more robust searches more rapidly.

CIN: Besides information governance, were there any other areas where you saw big changes as part of a trend?
KS: There was a big jump in disposing of data after e-discovery. It was a little surprising that last year no one was saying that they were worried about that as one of the most important factors, and this year 10 percent of them are saying that. Now I think with the cybersecurity and privacy laws out there, part of what you have to be able to do is show that you have a reason to keep this data. I think we’re going to continue to see an influx in that regard. It kind of makes sense, because we’re seeing a huge jump in requests for records management capabilities. Also, there seems to be more pressure on predicting the total cost of e-discovery earlier in a case. That went up from 7 percent to 19 percent.
GG: I was surprised at the turnover of replacing outside counsel with new firms. Seems like 55 percent of the lower-middle-size organizations are looking to change outside counsel. That seems significant, but there wasn’t enough data to be able to analyze what the trend was behind that.

CIN: What advice would you give general counsel, based on what you’ve learned from this survey?
GG: Most companies are underinvesting in cybersecurity. There’s always the exception—usually a company that’s gone through a major cyber breach, and the pendulum swings the other way, and it goes to a platinum cybersecurity solution with continuous diagnostics and monitoring. But generally speaking I don’t see a significant investment to keep up with the ever-evolving regulatory requirements and the changes in the cyber threat. From education to training to overall awareness to advising the audit committee, I really feel like most of the companies are well behind the power curve.
KS: It’s true. There is an underinvestment. I have seen significant changes over probably the last two years, though, in terms of companies starting to take this more seriously. Part of the challenge is that there are so many regulations now, and whether it’s cybersecurity or privacy—and a lot of countries and states distinguish between the two—the bottom line is: If you have a data breach, you’re going to be dealing with both, and then the litigation that follows the investigation. For these companies, the challenge is spending the time to determine “How can we do simple patching better than we used to? Are we sure that our monitoring tools are actually picking up on the threats that are out there? And are we staying up-to-date on that? Are we aware of the changing regulatory environment?” Because in Europe alone it continues to change, and it is difficult for companies to keep up with it. I think it’s a little bit of blocking and tackling, but also standing up capabilities that will allow you to enhance what you are already doing—without breaking the bank.
GG: Too often when I talk to chief compliance officers or general counsel or outside legal advisers, their focus is on a remedy of an immediate breach that’s occurred, or it’s about meeting regulatory compliance requirements. Very seldom are they really taking the time to do the independent assessments to determine the real level of security. They’re more focused on policies, plans and procedures than conducting actual vulnerability assessments, penetration testing, spear-phishing campaigns—really getting to the heart of the questions: “Are we secure, and what’s the best way to do that?” This whole discussion of compliance versus security to me is an item of concern with a lot of the general counsel.
Karen Schuler
Gregory Garrett