Discussions about data often focus on only one aspect of it at a time, such as privacy, cybersecurity, retention, big data, etc. However, in order to truly protect data, organizations need to take a broader perspective. Data is an asset that has real value to every organization, and its value tracks its many uses. In other words, its value varies with each user and purpose for which the data is used, and this must be considered in developing a management plan for enterprise data. We have a growing recognition that we are stewards of data, and as stewards, companies and their employees have significant responsibilities to secure that information not just for legal reasons but for business and public interest ones. Ultimately, a company’s policies, processes and technology must take into account those duties. The top 5, as we see them, are as follows:
- Duty to keep data private. There are numerous laws requiring the privacy of data, such as GDPR, HIPAA and other U.S. federal and state privacy laws. In addition, ethical rules for professions (e.g., attorney-client privilege) establish a duty to keep information confidential. Violations of any of these rules carry serious consequences.
- Duty to secure data. Companies often look at this as a technology issue. They have a duty to implement and keep systems intact in order to protect data. When breaches happen, they look for technology solutions. However, often the problem and solution involve people as much as technology. So, training and guarding against inadvertent as well as malicious data leaks are critical considerations.
- Duty to provide adequate work tools. IT departments have a responsibility to give employees the technology and access they need to do their job efficiently. They should vet software to ensure it meets the business’s needs and keeps data secure. However, those who work on the operational side must decide who needs access and what type of access.
- Duty to educate and train employees. Within an organization, almost everyone is a data creator (employees create emails, documents, phone calls, social media, etc.). Companies must establish clear rules regarding what information should and should not be created and how to retain, protect and preserve it. Employees in turn have a duty to abide by those rules.
- Duty to consumers. Companies often look at privacy and security in terms of their requirements as data custodians to keep information private. However, these rules are really about protecting the person whose data is being held. A more customer-centric view of privacy and security is important to help ensure companies aren’t just abiding by the exact letter of the law, but also the spirit of the law.
In certain circumstances, these duties can conflict. For example, although a company strives to protect its data from unauthorized access, it also needs to give authorized people ready access so that employees can do their jobs and, ultimately, so that the company can run its business. There is no perfect solution, but looking to service providers with both legal and technological expertise can provide valuable insights. In the eDiscovery realm, eDiscovery professionals from corporate teams, law firms and service providers have developed critical expertise to balance the many demands placed upon data stewards. Moreover, as to service providers, there are significant advantages to having a single eDiscovery service provider who understands the practice of law and possesses a deep knowledge of the software and workflows that handle electronically stored information.
Although there is an obvious cost to technology solutions, often they end up saving or even making money by reducing inefficiencies, improving business data analysis and reducing risk.
As companies’ obligations and risks increase, they will need to work with experts who can advise on how to manage their data in an efficient and legally responsible manner. To learn more about how CDS can help, contact us for a consultation.