As we have discussed in a previous blog post about Sony, the consequences of a data breach reach beyond the initial loss of data. The latest company to experience this is Arby's.
This is a guest post from Peter Sloan, founding member of boutique law firm Information Governance Group, LLC. They help companies across the United States create, validate, and update records retention schedules; establish data security policies and breach response readiness; respond to data breaches; and implement legal hold processes. The original post can be found here.
Many of us make personal New Year's resolutions, but how many of us also make them for our businesses? It's 2017, and any business that has to comply with state, federal or international data privacy laws and regulations (which is virtually every business) should make this resolution: keep only what you need! In other words, for any data affected by privacy laws and regulations (i.e., any data that contains personally identifiable information, protected health information or other sensitive information), your company should keep only the data necessary for business purposes and for compliance with applicable privacy laws and regulations. It's a simple concept, but it can only be achieved through diligent information management.
The Internet of Things (IoT) has exploded in the last few years. From thermostats to cars, thousands of items can now collect, store and transmit data. The question many general counsel are asking is how this affects data privacy, information security and eDiscovery.
The cost (both financial and time) of eDiscovery is substantial. In fact, it is only becoming more prohibitively expensive as data storage gets cheaper and easier to set up, and companies have to comb through an ever-increasing amount of information.
Risk is a scary word for any organization, and many will go to great lengths to avoid it, especially when the risk in question is information risk, which carries serious consequences. The best way to mitigate information risk, however, is a solid information governance program.
According to sonaku.com, a compliance manager is a professional who keeps the legal and ethical integrity of a company intact through policy enforcement and program planning. He or she makes sure all departments of a business are complying with the rules and regulations the company upholds.
An article from In-house Access brings up some interesting points about discovery and the associated data privacy laws. In general, courts in the United States allow very broad discovery. There has been movement to limit the scope, especially when it comes to eDiscovery, but as of now large amounts of data are required for discovery. Additionally, because these rules focus on the parent company, discovery extends to all of its subsidiaries (even those outside the U.S.), which can result in a direct conflict with the data privacy laws of the country where a subsidiary operates.
Cyber intrusions or hacks are generally seen as the domain of the IT department; however, it is critical that the general counsel be involved in the creation and execution of the data governance, risk and compliance strategy. In fact, in a recent survey of 450 companies, 31% of respondents stated they rely on IT, while 21% said they rely on general counsel, to be primarily responsible for compliance after a data breach.